The Apache Software Foundation has released version 2.4.67 of its HTTP Server patching 11 security vulnerabilities, including a critical double-free memory corruption flaw in the mod_http2 module that enables both denial of service and remote code execution. Tracked as CVE-2026-23918 with a CVSS score of 8.8, the vulnerability was discovered by researchers Bartlomiej Dmitruk of Striga.ai and Stanislaw Strzalkowski of ISEC.pl, who privately reported it in December 2025.

The flaw resides in the stream cleanup path of h2_mplx.c where an HTTP/2 RST_STREAM frame sent immediately after a HEADERS frame on the same stream triggers a double-free condition. The denial-of-service attack is trivially exploitable, requiring only one TCP connection, two HTTP/2 frames, and zero authentication. Each successful exploitation crashes an Apache worker process, dropping all in-flight requests handled by that worker.

A working proof-of-concept for remote code execution on x86_64 systems has been demonstrated. The exploit chain places a crafted h2_stream struct at the freed virtual address via mmap reuse and redirects the pool cleanup function pointer to system(), using Apache's scoreboard memory as a stable container for the payload. The scoreboard sits at a fixed address for the lifetime of the server process, effectively bypassing ASLR. RCE requires the Apache Portable Runtime to use the mmap allocator, which is the default configuration on Debian-derived systems and official Apache builds.

The same release also patches CVE-2026-24072, a moderate-severity flaw allowing any user with .htaccess write access to read files belonging to other accounts on shared hosting servers. Together these vulnerabilities pose an urgent risk for hosting providers facing both remote code execution and tenant isolation failures in a single unpatched version.

All organizations running Apache HTTP Server 2.4.66 with HTTP/2 enabled are affected. While no confirmed in-the-wild exploitation has been reported yet, security researchers expect weaponized exploits to circulate within weeks given the availability of proof-of-concept code.

Administrators should upgrade to Apache 2.4.67 immediately. Those unable to patch should disable HTTP/2 by removing the h2 and h2c protocol directives from their configuration as a temporary mitigation. Shared hosting operators should treat this update as critical priority given the combined impact of both patched vulnerabilities.