CVE-2026-23918
Apache HTTP Server: http2: double free and possible RCE on early reset
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache HTTP Server
Public PoCs found: 7
github: github.com/striga-ai/CVE-2026-23918 (★ 29)
github: github.com/alt3kx/CVE-2026-23918 (★ 1)
github: github.com/aa022/CVE-2026-23918-Passive-Audit (★ 0)
github: github.com/insomnisec/Detections-CVE-2026-23918 (★ 0)
github: github.com/Bencodin/CVE-2026-23918-poc (★ 0)
github: github.com/sibersan/apache_audit_cve-2026-23918 (★ 0)
exploitdb: www.exploit-db.com/exploits/52577 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.