HIGH: Apache HTTP/2 Double-Free (CVE-2026-23918) Lets Two Frames DoS Your Web Server, RCE Already Demoed

Two frames, one dead worker

There is a particular kind of bug that gives security professionals an immediate sinking feeling, and Apache HTTP Server 2.4.66 just shipped one. CVE-2026-23918 is a double-free in mod_http2 that requires nothing more than a single TCP connection and two HTTP/2 frames to crash a worker process. Drop the right HEADERS frame followed by an RST_STREAM with a non-zero error code, and the same stream pointer gets pushed onto the cleanup queue twice. The second pass operates on already-freed memory. Crash, replay, repeat, watch the requests pile up at the front door.

The Apache Software Foundation patched the bug in 2.4.67, released May 4, with the public advisory landing the next day. The CVSS score is 8.8, which technically classifies as high rather than critical, but the practical risk profile makes that distinction look academic. HTTP/2 is enabled by default in most modern Apache deployments. Multi-threaded MPM workers, which is what most production Apache installations now run, are exposed. The denial of service version is already being exploited in the wild, and a working remote code execution chain has been published and demonstrated in a lab against default Debian and official Docker builds in under a few minutes.

The bug, in one paragraph

The technical story is simpler than the impact deserves. The bug lives in the stream cleanup path of h2_mplx.c. When a client sends a HEADERS frame immediately followed by RST_STREAM with a non-zero error code, before the multiplexer has finished registering the stream, two nghttp2 callbacks fire in sequence. The first is on_frame_recv_cb for the RST, and the second is on_stream_close_cb for the close. Both call h2_mplx_c1_client_rst, which calls m_stream_cleanup, which pushes the same h2_stream pointer onto the spurge cleanup array twice. When iteration actually frees the memory on the second pass, the use-after-free is in your worker's heap. No authentication, no special headers, no specific URL paths, no mitigations from a WAF that does not understand HTTP/2 frame semantics at the protocol layer.

For denial of service, you do not need anything more than that. Two frames per connection, one connection at a time, and Apache's worker processes start dropping requests on the floor. Hadrian's writeup notes that successful exploitation tends to leave very little behind. The attack lives entirely in the HTTP/2 protocol layer, and the only forensic trace you get is potentially a segmentation fault if the exploit fails. Successful exploitation typically generates no error log entries at all. If your monitoring depends on httpd error logs to flag bad behavior, you will simply see availability evaporate without explanation.

From DoS to RCE

Remote code execution is harder, but not the kind of harder that buys you weeks. The exploitation chain published by the original researchers requires the Apache Portable Runtime to be using its mmap-based allocator, which happens to be the default on Debian-derived distributions and on the official Apache HTTPD Docker images. Once you have that, the chain places a fake h2_stream struct at the freed virtual address using mmap reuse, points its pool cleanup function to system(), and leverages Apache's scoreboard region as a stable memory container. The scoreboard sits at a fixed virtual address, which makes it ASLR-resistant and turns it into a convenient anchor for the rest of the chain. The published proof of concept finishes the exploit in under a few minutes on a default Debian build of 2.4.66. There is also a public GitHub repository hosting working PoC code, which historically accelerates the public exploitation curve substantially.

What is affected, in practical terms, is any production Apache HTTPD 2.4.66 running mod_http2 with a multi-threaded MPM. That covers MPM event and MPM worker, which together represent the dominant deployments in 2026. MPM prefork is not vulnerable, since the multiplexer pattern that triggers the double-free is specific to the threaded models. The bug does not affect older 2.4.x branches that predate the relevant cleanup logic, but anyone who upgraded to 2.4.66 specifically for performance reasons is now sitting on the worst possible combination of fresh code path and active exploitation. The fix is in 2.4.67. If you are running a containerized stack, the upstream httpd:2.4 image was rebuilt within hours of the advisory.

The disclosure timeline rewards a careful read

Bartlomiej Dmitruk and Stanislaw Strzalkowski reported the issue to Apache on December 10, 2025. The fix committed to the source tree on December 11, less than a day after disclosure. The patched version sat in development branches for almost five months before shipping in 2.4.67 on May 4, 2026. The public advisory followed on May 5. That gap between commit and release is long enough that anyone who tracks the Apache HTTPD git tree carefully had a five-month window to find the same bug independently. There is no good reason to assume nation-state actors and high-end criminal groups did not. The DoS exploitation seen in the wild started showing up in honeypot data the same week the advisory dropped, which suggests the public PoC accelerated mass exploitation rather than originating it.

What to do this week

Mitigation comes in two flavors, structural and immediate. The clean answer is upgrade to 2.4.67 today. Run httpd -v to confirm your build version. Package managers on Debian, Ubuntu, RHEL, Rocky, and Alma should all have the fix in their updates channels by now, and the Docker images are tagged. If you cannot patch immediately because of change control or because you have a complex module stack you need to retest, you have two structural options. Switching from MPM event or MPM worker to MPM prefork removes the vulnerable code path entirely, at the cost of memory footprint and concurrency. Disabling HTTP/2 by removing the Protocols h2 h2c http/1.1 directive or replacing it with Protocols http/1.1 also closes the attack surface, at the cost of HTTP/2 performance benefits for your clients. Neither is great, but both buy you time if your patch window is days rather than hours.

A third tier of mitigation worth mentioning is the front door. Most production Apache installations live behind a load balancer, a CDN, or a reverse proxy. If your edge terminates HTTP/2 and speaks HTTP/1.1 to your Apache backends, the attacker cannot reach the vulnerable code path because the malformed frame sequence does not survive translation. Cloudflare, Fastly, AWS CloudFront, and most enterprise WAFs in proxy mode all do this by default. If you have nginx fronting Apache and only HTTP/1.1 between them, congratulations, you are accidentally protected. If you have direct internet exposure on Apache 2.4.66, you are not.

Detection without good telemetry

Detection is harder than mitigation, which is the inversion every defender hates. The most useful telemetry is process level rather than log level. Watch for httpd worker processes terminating abnormally, especially with SIGSEGV, especially in clusters or with timing that correlates to traffic from the same client IP. Apache's scoreboard exposure means you can pull worker birth and death times from mod_status if you have it enabled, and an unusual rate of worker churn on a server that is not under heavy traffic is suspicious. At the network layer, anomaly detection on HTTP/2 frame sequencing can flag the HEADERS then RST_STREAM pattern, but most off-the-shelf NDR products do not parse HTTP/2 deeply enough to do that out of the box. If you have Suricata or Zeek with the http2 protocol parser enabled, write a rule that alerts on RST_STREAM with a non-zero error code arriving within a few milliseconds of a HEADERS frame on the same stream ID. False positives will be high in environments with aggressive client-side cancellation, but a signal is a signal.

The MSP business angle

For MSPs, this is exactly the kind of vulnerability that sells emergency patching as a managed service rather than a one-off project. Customers running self-hosted web applications, ticketing systems, intranet portals, or anything else fronted by Apache need to know whether they are on 2.4.66 today, and most of them do not have the visibility to answer that question without help. Pair the Apache patch sweep with a quick external attack surface check and you have a justifiable invoice for the next quarter. There is also a softer upsell story for any customer still terminating TLS and HTTP/2 directly on their origin Apache rather than at a managed edge. Moving them behind a CDN or WAF turns the next critical bug into someone else's emergency. It is a worthwhile conversation.