The Apache Software Foundation has released a security update for Apache HTTP Server. Version 2.4.67, released on May 4, 2026, fixes five vulnerabilities, including a double-free memory corruption bug that could allow remote code execution (RCE). All users running version 2.4.66 or older should upgrade right away.
CVE-2026-23918 is the most severe of the five. It is rated High with a CVSS score of 8.8.
The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.
The flaw affects only Apache HTTP Server version 2.4.66. It was reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk from striga.ai and Stanislaw Strzalkowski from isec.pl.
| CVE | Severity | Component | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2026-23918 | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only |
| CVE-2026-24072 | Moderate | mod_rewrite (ap_expr) | Privilege Escalation | ≤ 2.4.66 |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | ≤ 2.4.66 |
| CVE-2026-29168 | Low | mod_md (OCSP) | Resource Exhaustion | 2.4.30–2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | NULL Ptr Dereference / DoS | ≤ 2.4.66 |
The second vulnerability, CVE-2026-24072, is rated Moderate and lies in how mod_rewrite uses ap_expr expression evaluation. It lets a local user who can author .htaccess files read arbitrary files as the httpd user, gaining access beyond what their own permissions allow.
It affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched
Three further lower-severity flaws were also addressed in the same 2.4.67 update:
CVE-2026-28780: A heap buffer overflow in mod_proxy_ajp, in ajp_msg_check_header(). If mod_proxy_ajp is configured to connect to a malicious AJP backend, that backend can send a crafted AJP message that causes the module to write 4 attacker-controlled bytes past the end of a heap buffer. Four researchers reported it independently between February and March 2026.
CVE-2026-29168: An unbounded resource consumption issue in mod_md's OCSP response handler. An attacker could exhaust server resources with oversized OCSP response data. Affects versions 2.4.30 to 2.4.66; reported by Pavel Kohout from Aisle Research on March 2, 2026.
CVE-2026-29169: A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs — its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.
Mitigations
Administrators should take the following actions immediately:
Upgrade to Apache HTTP Server 2.4.67 — the only complete fix for all five vulnerabilities.
Disable HTTP/2 temporarily if an immediate upgrade is not feasible to reduce exposure to CVE-2026-23918.
Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.
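The four actions above are easy to state but tedious to triage across a fleet. The script below is an added example, not part of the advisory or of the Apache httpd project. It parses the text that `httpd -v` and `httpd -M` print (embedded here as constructed samples so it runs offline) and emits which interim mitigations apply to a host still on 2.4.66 or older. It assumes the module names `http2_module`, `dav_lock_module`, `rewrite_module` and `proxy_ajp_module` as `httpd -M` prints them, and that 2.4.67 is the fixed release as stated above.

```shell
#!/bin/sh
# Added triage helper for the 2.4.67 advisory. Not the advisory's or the
# Apache project's own code. Assumes the standard `httpd -M` module names and
# that 2.4.67 is the fixed release.

FIXED_VERSION=2.4.67

# Constructed sample of `httpd -v` on an unpatched host.
SAMPLE_VERSION_BANNER='Server version: Apache/2.4.66 (Unix)
Server built:   Jan 01 2026 00:00:00'

# Constructed, abbreviated sample of `httpd -M` on the same host.
SAMPLE_MODULES=' Loaded Modules:
 core_module (static)
 http_module (static)
 http2_module (shared)
 dav_lock_module (shared)
 proxy_ajp_module (shared)
 rewrite_module (shared)'

# Print the bare version ("2.4.66") from a `httpd -v` banner.
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is older than $2. Compares field by
# field so that 2.4.9 sorts before 2.4.10, which a string compare would miss.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# True when module $2 (e.g. http2_module) appears in `httpd -M` output $1.
module_loaded() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]"
}

# Emit one keyword per applicable action, given the two command outputs.
# The keywords are stable so other tooling can consume them.
mitigations_for() {
    banner=$1; modules=$2
    ver=$(version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "UNKNOWN_VERSION"
        return 1
    fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "PATCHED"
        return 0
    fi
    echo "UPGRADE_TO_$FIXED_VERSION"                                        # the only complete fix
    module_loaded "$modules" http2_module     && echo "DISABLE_HTTP2"       # CVE-2026-23918
    module_loaded "$modules" dav_lock_module  && echo "REMOVE_DAV_LOCK"     # CVE-2026-29169
    module_loaded "$modules" rewrite_module   && echo "AUDIT_HTACCESS"      # CVE-2026-24072
    module_loaded "$modules" proxy_ajp_module && echo "REVIEW_AJP_BACKENDS" # CVE-2026-28780
    return 0
}

# Interim httpd.conf directives matching the keywords (example values, to be
# adapted to the site's own configuration):
#   Protocols http/1.1          # drops h2/h2c until 2.4.67 is deployed
#   #LoadModule dav_lock_module modules/mod_dav_lock.so
#   AllowOverride None          # stop evaluating untrusted .htaccess files

# Stand-alone run against the constructed samples.
mitigations_for "$SAMPLE_VERSION_BANNER" "$SAMPLE_MODULES"
```

On a live host, replace the two sample strings with `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` (or `apache2ctl` on Debian-derived systems). The `REVIEW_AJP_BACKENDS` keyword only flags that mod_proxy_ajp is loaded; whether any configured AJP backend is untrusted is a question the script cannot answer from module output alone.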