CVE-2026-23918: Apache HTTP/2 Double-Free Flaw Is Crashing Servers and Enabling RCE — What Australian Site Owners Must Do Now
A critical double-free vulnerability in Apache HTTP Server's HTTP/2 module, tracked as CVE-2026-23918, was publicly disclosed on 4 May 2026 with a CVSS score of 8.8. The flaw affects Apache 2.4.66 and allows any unauthenticated attacker to crash a web server worker with just two network packets. On Debian-based systems and the official Apache Docker image — configurations common across Australian managed hosting environments — the same flaw can escalate to full remote code execution. Apache 2.4.67 patches the issue. If your website runs on Apache with HTTP/2 enabled, treat this as an emergency.
Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.
Apache Discloses CVE-2026-23918 in Its HTTP/2 Module
On 4 May 2026, the Apache HTTP Server project published a security advisory disclosing CVE-2026-23918 — a double-free memory corruption flaw in mod_http2, the module responsible for HTTP/2 support. The advisory landed on the OSS-Security mailing list alongside the release of Apache HTTP Server 2.4.67, which patches 11 vulnerabilities in total. CVE-2026-23918 is the highest-severity issue in that batch.
The vulnerability is assigned a CVSS 3.1 score of 8.8, with the full vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Translated: it is exploitable over the network, requires no user interaction, demands only low-level privileges (or, for the denial-of-service path, effectively no privileges when sending crafted HTTP/2 frames), and carries high impact against confidentiality, integrity, and availability. The NVD entry for CVE-2026-23918 confirms these details.
Security researchers at Hadrian Security, SOCRadar, and The Hacker News independently analysed the flaw within hours of disclosure. Their conclusions aligned: the denial-of-service vector is trivial, requiring nothing more than a single TCP connection and two HTTP/2 frames. The remote code execution path is more involved but has a working proof-of-concept on Debian-derived systems.
The affected product is Apache HTTP Server version 2.4.66 when two conditions are met: mod_http2 must be loaded (which enables HTTP/2 support), and the server must use a multi-threaded Multi-Processing Module — specifically event or worker MPM. The single-threaded prefork MPM is not affected because the race condition in the stream cleanup path cannot manifest in a single-threaded context.
Apache HTTP Server 2.4.67, available from httpd.apache.org, resolves the issue. Analysis of the 2.4.67 release notes confirms that CVE-2026-23918 is one of 11 CVEs addressed in this update, with the RCE-class vulnerability being the sole critical finding. All other fixes address moderate-severity information disclosure and configuration-handling issues. The Apache project has not named a specific external discoverer in the public advisory; the fix came from the Apache security team's internal audit process.
Why Australian Website Owners Cannot Ignore This Flaw
Apache HTTP Server is one of the most widely deployed web server packages in the world. CybersecurityNews reported that the 2.4.67 advisory describes the flaw as affecting millions of servers — a figure consistent with Apache's long-standing dominance across the hosting industry. For Australian businesses, the exposure is particularly direct.
The majority of Australian shared hosting providers — including those using cPanel, Plesk, and DirectAdmin control panels — serve customer websites through Apache. If your business website, WordPress blog, WooCommerce store, or client portal is hosted on any mainstream Australian shared or managed VPS platform, there is a meaningful chance your stack includes Apache with mod_http2 enabled. Many hosting customers have no visibility into the underlying web server version; they rely entirely on their provider to patch.
This disclosure arrives just days after the security community was focused on CVE-2026-41940, a critical authentication bypass in cPanel and WHM — the management layer that sits atop Apache on countless Australian hosting accounts. Two CVEs affecting the same software stack within a week of each other underscore a systemic patch-lag risk. A host that was slow to address the cPanel issue may be equally slow here.
Exploitation of the denial-of-service vector has already been observed in the wild. Security researchers monitoring internet traffic reported large-scale scans targeting HTTP/2 endpoints on exposed Apache installations as of early May 2026. An attacker does not need to achieve code execution to cause real harm: sustained worker crashes translate directly to website downtime, lost revenue, and degraded customer experience — consequences that Australian SMBs whose livelihoods depend on their web presence cannot absorb easily.
Under the ACSC's Essential Eight Maturity Model, organisations operating at Maturity Level 2 must patch vulnerabilities with a CVSS score of 8.0 or above within 14 days of a vendor patch becoming available. Maturity Level 3 shortens that window to 48 hours for critical flaws. CVE-2026-23918 was patched on 4 May 2026. The clock has already started.
Beyond availability, the Privacy Act 1988's Notifiable Data Breaches scheme is directly relevant. If CVE-2026-23918 is exploited to achieve remote code execution on a web server that stores or processes personal information — customer emails, purchase records, form submissions — the resulting compromise would likely trigger a mandatory breach notification to the Office of the Australian Information Commissioner (OAIC). The cost of remediation, legal review, and reputational damage from a notifiable breach far exceeds the cost of patching this week.
Inside the Double-Free: How CVE-2026-23918 Works
HTTP/2 Stream Multiplexing in mod_http2
HTTP/2 allows multiple requests to share a single TCP connection — a feature called multiplexing. Apache's mod_http2 module manages this through a stream multiplexer implemented in h2_mplx.c. Each HTTP/2 stream (effectively, one request) is represented by an h2_stream object. The multiplexer tracks the lifecycle of every stream from open to close using the nghttp2 library, which fires callbacks at key transition points.
When a stream opens, nghttp2 fires on_frame_recv_cb. When it closes, it fires on_stream_close_cb. Both eventually call h2_mplx_c1_client_rst, which queues the stream for cleanup via m_stream_cleanup, appending the h2_stream pointer to an internal array called "spurge." When Apache later flushes spurge by calling c1_purge_streams, it calls h2_stream_destroy → apr_pool_destroy on each entry, which frees the memory backing that stream.
The Race That Creates a Double-Free
CVE-2026-23918 triggers when a client sends an HTTP/2 HEADERS frame to open a new stream, immediately followed by RST_STREAM with a non-zero error code — before the multiplexer has finished registering the stream internally. In this narrow timing window, both nghttp2 callbacks fire in sequence: on_frame_recv_cb processing the RST, then on_stream_close_cb processing the close. Both invoke m_stream_cleanup on the same h2_stream pointer. The same pointer is pushed onto the spurge array twice.
When spurge is flushed, apr_pool_destroy is called on the same h2_stream pointer twice in succession. The second call operates on already-freed memory — a classic double-free, which is undefined behaviour and leads to memory corruption in the worker process. Security Affairs and Hadrian Security both independently documented this mechanism in their analyses of the flaw.
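To make the cleanup-queue mechanism concrete, here is an added model of it in C. It is not Apache httpd code: the names h2_stream, h2_mplx, spurge, m_stream_cleanup and c1_purge_streams follow the description above, but the structs and the "pool" are stand-ins, and because a real second apr_pool_destroy corrupts the heap, the stand-in pool counts destroy calls instead of freeing memory twice. The cleanup_queued guard is a hypothetical idempotency check to show why a second enqueue must be refused; it is not the 2.4.67 patch.

```c
/* Added model of the mod_http2 cleanup queue described above (not Apache code).
 * A stand-in pool counts destroys instead of calling free() twice, so the
 * double free is reported rather than corrupting memory. */
#include <stdio.h>

#define MAX_PURGE 8

typedef struct {
    int destroy_count;      /* stand-in for an APR pool: how many times it was "destroyed" */
} fake_pool;

typedef struct {
    int id;
    fake_pool *pool;
    int cleanup_queued;     /* hardened variant: set once the stream is on spurge */
} h2_stream;

typedef struct {
    h2_stream *spurge[MAX_PURGE];   /* streams waiting for c1_purge_streams */
    int nspurge;
    int idempotent;         /* 0 = vulnerable behaviour, 1 = refuse a second enqueue (hypothetical) */
} h2_mplx;

/* Stand-in for apr_pool_destroy: 1 on the first destroy, 0 when the pool is already gone. */
static int pool_destroy(fake_pool *p)
{
    p->destroy_count++;
    return p->destroy_count == 1;
}

/* m_stream_cleanup: both nghttp2 callbacks (on_frame_recv_cb for the RST_STREAM and
 * on_stream_close_cb for the close) end up here with the same h2_stream pointer. */
static void m_stream_cleanup(h2_mplx *m, h2_stream *s)
{
    if (m->idempotent && s->cleanup_queued)
        return;                              /* hypothetical guard: already queued */
    if (m->nspurge < MAX_PURGE) {
        m->spurge[m->nspurge++] = s;
        s->cleanup_queued = 1;
    }
}

/* c1_purge_streams: destroy every queued stream. Returns how many destroys hit an
 * already-destroyed pool, i.e. how many double frees the real code would perform. */
static int c1_purge_streams(h2_mplx *m)
{
    int double_frees = 0;
    for (int i = 0; i < m->nspurge; i++)
        if (!pool_destroy(m->spurge[i]->pool))
            double_frees++;
    m->nspurge = 0;
    return double_frees;
}

/* Replay HEADERS followed by RST_STREAM(non-zero) inside the race window: both
 * callbacks call m_stream_cleanup before the purge runs. Returns the double-free count. */
int simulate_headers_then_rst(int idempotent)
{
    fake_pool pool = { 0 };
    h2_stream s = { .id = 1, .pool = &pool, .cleanup_queued = 0 };
    h2_mplx m = { .nspurge = 0, .idempotent = idempotent };

    m_stream_cleanup(&m, &s);   /* on_frame_recv_cb handling the RST_STREAM */
    m_stream_cleanup(&m, &s);   /* on_stream_close_cb handling the close */
    return c1_purge_streams(&m);
}

int main(void)
{
    printf("vulnerable queue: %d double free(s)\n", simulate_headers_then_rst(0));   /* 1 */
    printf("idempotent queue: %d double free(s)\n", simulate_headers_then_rst(1));   /* 0 */
    return 0;
}
```

The point of the model is that the bug is not in apr_pool_destroy but in the enqueue path: once the same pointer can be appended to spurge twice, the purge loop is guaranteed to free it twice. Any correct fix has to make stream cleanup idempotent (or serialise the two callbacks), which is also why prefork, with no concurrent callback interleaving, is out of scope.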
From DoS to RCE: The mmap Allocator Path
On a standard deployment, the double-free crashes the worker process. Apache automatically respawns the worker, but any in-flight requests are dropped. An attacker maintaining a steady stream of two-frame connections can hold a server in a perpetual crash-and-restart loop with minimal network resources — a practical, sustained denial-of-service requiring no authentication whatsoever.
The remote code execution path exploits a detail of the Apache Portable Runtime (APR) memory allocator. On Debian-derived Linux distributions — Ubuntu Server, Debian, and the official Apache Docker image — APR uses mmap for large allocations by default. Once the h2_stream allocation is freed by the first apr_pool_destroy call, the OS can immediately return that virtual address range to a subsequent mmap request. A proof-of-concept documented by security researchers demonstrates placing a fake h2_stream struct at the freed address, with its pool cleanup function pointer redirected to system(). When the second apr_pool_destroy fires, it executes system() with attacker-controlled arguments — arbitrary command execution on the server.
Systems using prefork MPM, or distributions where APR uses a different allocator (certain RHEL and Alpine configurations), are exposed only to the DoS path. The full RCE path specifically requires the mmap allocator combined with a multi-threaded MPM. Run apache2 -V | grep MPM on your server to confirm which MPM you are using.
Immediate Steps for Australian Website Owners
Step 1: Identify Your Apache Version and MPM
If you manage your own server or VPS, SSH in and run:
apache2 -v
apache2 -V | grep MPM
apachectl -M | grep http2
If the version output shows anything below 2.4.67, the MPM line shows event or worker (not prefork), and http2_module appears in the loaded modules, you are exposed to at minimum the DoS path, and potentially to RCE if your distribution's APR build uses the mmap allocator. On managed or shared hosting, log into your control panel and check the server information section, or contact your provider directly and ask which Apache version is currently running.
Step 2: Patch to Apache 2.4.67
This is the definitive fix. On Debian and Ubuntu servers:
sudo apt update && sudo apt upgrade apache2
On RHEL, AlmaLinux, or Amazon Linux, watch your distribution's security channel — some package maintainers backport the CVE-2026-23918 fix into their current version number rather than advancing to 2.4.67 exactly. Check the package changelog to confirm the CVE is addressed. On managed cPanel hosting, contact your provider and ask for their patch timeline. Most reputable Australian providers follow critical CVE disclosures closely, but you should confirm rather than assume.
Step 3: Temporary Mitigation — Disable mod_http2
If patching is delayed and you have server access, disabling HTTP/2 support entirely removes the attack surface while you wait. On Debian and Ubuntu:
sudo a2dismod http2 && sudo systemctl restart apache2
Your site falls back to HTTP/1.1, losing some performance benefits, but CVE-2026-23918 exposure is eliminated completely. Re-enable mod_http2 after upgrading to 2.4.67 and confirming the patch is in place.
Step 4: Use a WAF as an Intermediate Layer
If you are waiting on a managed host to patch — or if you oversee multiple client sites and cannot guarantee immediate server access on each — a Web Application Firewall at the edge provides a meaningful buffer. A WAF can inspect and drop the malicious HEADERS+RST_STREAM sequence before it reaches the Apache worker, breaking the exploit chain without any change to the origin server.
Sucuri's Website Firewall provides Australian website owners with a managed, cloud-based WAF that receives virtual patch updates for critical CVEs. Sucuri's security team pushes protective rules against active web-server exploits, including the class of flaw that CVE-2026-23918 represents, typically within hours of public disclosure. For Australian SMBs managing WordPress sites, WooCommerce stores, or any web application hosted on Apache, this approach narrows the exposure window when the patch decision is out of your hands. Virtual patching is not a substitute for upgrading the server; it reduces risk during the gap. Once Apache 2.4.67 is confirmed running, retain the WAF as ongoing protection against future disclosures.
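The frame-sequence check a WAF or IDS would need for this is simple enough to show. The following is an added example, not code from Sucuri or from Apache: it parses raw HTTP/2 frames in the RFC 9113 layout (24-bit length, 8-bit type, 8-bit flags, 31-bit stream id) from bytes that follow the client connection preface, and counts HEADERS frames immediately followed by RST_STREAM with a non-zero error code on the same stream. The sample bytes are constructed for the example, not captured traffic, and the "immediately followed" rule (next frame on the connection, same stream id) is this example's assumption about what a rule would key on.

```c
/* Added example of a HEADERS -> RST_STREAM(error != 0) detector over raw HTTP/2
 * frames (not Sucuri or Apache code). Sample frames below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define H2_TYPE_DATA       0x0
#define H2_TYPE_HEADERS    0x1
#define H2_TYPE_RST_STREAM 0x3
#define H2_FRAME_HDR_LEN   9

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of HEADERS -> RST_STREAM(error != 0) pairs on the same stream,
 * or -1 if the buffer ends inside a frame (a real WAF would buffer and wait). */
int count_headers_rst_pairs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int hits = 0;
    uint32_t last_headers_sid = 0;      /* stream id of the previous frame if it was HEADERS */

    while (off < len) {
        if (len - off < H2_FRAME_HDR_LEN)
            return -1;
        uint32_t plen = ((uint32_t)buf[off] << 16) | ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3];
        uint32_t sid = be32(buf + off + 5) & 0x7fffffffu;   /* drop the reserved bit */
        const uint8_t *payload = buf + off + H2_FRAME_HDR_LEN;
        if (len - off - H2_FRAME_HDR_LEN < plen)
            return -1;

        if (type == H2_TYPE_RST_STREAM && plen == 4 && sid != 0 &&
            sid == last_headers_sid && be32(payload) != 0)
            hits++;

        last_headers_sid = (type == H2_TYPE_HEADERS) ? sid : 0;
        off += H2_FRAME_HDR_LEN + plen;
    }
    return hits;
}

/* Constructed sample: HEADERS on stream 1 then RST_STREAM(CANCEL = 0x8) on stream 1,
 * followed by a benign HEADERS on stream 3 and a DATA frame on stream 3. The 3-byte
 * HEADERS payloads are HPACK indexed fields (:method GET, :path /, :scheme http). */
static const uint8_t sample_suspicious[] = {
    0x00, 0x00, 0x03, H2_TYPE_HEADERS,    0x05, 0x00, 0x00, 0x00, 0x01, 0x82, 0x84, 0x86,
    0x00, 0x00, 0x04, H2_TYPE_RST_STREAM, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x08,
    0x00, 0x00, 0x03, H2_TYPE_HEADERS,    0x04, 0x00, 0x00, 0x00, 0x03, 0x82, 0x84, 0x86,
    0x00, 0x00, 0x02, H2_TYPE_DATA,       0x01, 0x00, 0x00, 0x00, 0x03, 0x68, 0x69,
};

/* Same shape, but RST_STREAM carries error code 0 (NO_ERROR), which the check ignores. */
static const uint8_t sample_benign[] = {
    0x00, 0x00, 0x03, H2_TYPE_HEADERS,    0x05, 0x00, 0x00, 0x00, 0x01, 0x82, 0x84, 0x86,
    0x00, 0x00, 0x04, H2_TYPE_RST_STREAM, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
};

int suspicious_sample_hits(void) { return count_headers_rst_pairs(sample_suspicious, sizeof sample_suspicious); }
int benign_sample_hits(void)     { return count_headers_rst_pairs(sample_benign, sizeof sample_benign); }
int truncated_sample_hits(void)  { return count_headers_rst_pairs(sample_suspicious, 5); }

int main(void)
{
    printf("suspicious: %d, benign: %d, truncated: %d\n",
           suspicious_sample_hits(), benign_sample_hits(), truncated_sample_hits());   /* 1, 0, -1 */
    return 0;
}
```

Two caveats for anyone turning this into a rule. First, the WAF must terminate TLS to see the frames at all, which is exactly why an edge WAF in front of the origin works here. Second, a browser cancelling a navigation also emits HEADERS followed by RST_STREAM(CANCEL), so a single pair is not proof of anything; the useful signal is many such pairs on fresh connections from one source, which matches the two-frames-per-connection pattern the article describes for the DoS path.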
Step 5: Verify After Patching
After upgrading, confirm the new version is running:
apache2 -v
If your distribution backports the fix without advancing to 2.4.67 in the version string, use apt-cache policy apache2 or your package manager's changelog to confirm CVE-2026-23918 is listed as resolved. Do not assume a package update has applied without verifying.
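Steps 1 and 5 boil down to one decision rule over the output of three commands. The following is an added example, not from the Apache project, that parses constructed samples in the format apache2 -v, apache2 -V and apachectl -M print and applies that rule. Whether APR uses mmap is passed in as a flag, because it depends on the distribution build and this example does not detect it; and since a version string cannot see a distribution backport, any verdict other than EXPOSURE_NONE means "confirm against the package changelog", not "confirmed vulnerable".

```c
/* Added example (not Apache code): apply the Step 1 / Step 5 decision rule to the
 * output of apache2 -v, apache2 -V and apachectl -M. Sample outputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum exposure {
    EXPOSURE_UNKNOWN = -1,  /* could not parse the inputs */
    EXPOSURE_NONE = 0,      /* 2.4.67 or later, prefork, or mod_http2 not loaded */
    EXPOSURE_DOS = 1,       /* affected build, non-mmap APR: worker crash */
    EXPOSURE_DOS_RCE = 2    /* affected build on an mmap-allocator distribution */
};

/* "Server version: Apache/2.4.66 (Debian)" -> 2, 4, 66. Returns 1 on success. */
int parse_version(const char *v_out, int *maj, int *min, int *pat)
{
    const char *p = strstr(v_out, "Apache/");
    if (!p)
        return 0;
    return sscanf(p + strlen("Apache/"), "%d.%d.%d", maj, min, pat) == 3;
}

/* "Server MPM:     event" -> "event". Returns 1 on success. */
int parse_mpm(const char *V_out, char *mpm, size_t n)
{
    const char *p = strstr(V_out, "Server MPM:");
    size_t i = 0;
    if (!p)
        return 0;
    p += strlen("Server MPM:");
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p && !isspace((unsigned char)*p) && i + 1 < n)
        mpm[i++] = *p++;
    mpm[i] = '\0';
    return i > 0;
}

/* apachectl -M prints one module per line, e.g. " http2_module (shared)". */
int http2_loaded(const char *M_out)
{
    return strstr(M_out, "http2_module") != NULL;
}

static int version_before(int maj, int min, int pat, int fmaj, int fmin, int fpat)
{
    if (maj != fmaj) return maj < fmaj;
    if (min != fmin) return min < fmin;
    return pat < fpat;
}

/* apr_uses_mmap: 1 on the Debian-derived builds the article names, 0 otherwise. */
enum exposure assess_exposure(const char *v_out, const char *V_out, const char *M_out, int apr_uses_mmap)
{
    int maj, min, pat;
    char mpm[32];

    if (!parse_version(v_out, &maj, &min, &pat) || !parse_mpm(V_out, mpm, sizeof mpm))
        return EXPOSURE_UNKNOWN;
    if (!version_before(maj, min, pat, 2, 4, 67))
        return EXPOSURE_NONE;                      /* 2.4.67 or later carries the fix */
    if (!http2_loaded(M_out))
        return EXPOSURE_NONE;                      /* no mod_http2, no HTTP/2 frames parsed */
    if (strcmp(mpm, "event") != 0 && strcmp(mpm, "worker") != 0)
        return EXPOSURE_NONE;                      /* prefork is single-threaded: the race cannot occur */
    return apr_uses_mmap ? EXPOSURE_DOS_RCE : EXPOSURE_DOS;
}

/* Constructed sample outputs in the format the three commands print (build date is made up). */
static const char SAMPLE_V[]  = "Server version: Apache/2.4.66 (Debian)\nServer built:   2026-04-20T10:00:00\n";
static const char SAMPLE_VV[] = "Server version: Apache/2.4.66 (Debian)\nServer MPM:     event\n  threaded:     yes (fixed thread count)\n";
static const char SAMPLE_M[]  = "Loaded Modules:\n core_module (static)\n http2_module (shared)\n ssl_module (shared)\n";

int main(void)
{
    printf("exposure class: %d\n", assess_exposure(SAMPLE_V, SAMPLE_VV, SAMPLE_M, 1));   /* 2 */
    return 0;
}
```

On a RHEL-family or Alpine host, feed the same parser the real command output but treat the version verdict as provisional: if the package changelog lists CVE-2026-23918 as fixed under a 2.4.66 version string, the backport caveat in Step 2 applies and the host is patched despite what the number says.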
Layered Defence for Your Australian Web Infrastructure
Know Who Controls Your Patch Decisions
CVE-2026-23918 exposes a dependency chain that Australian website owners rarely think about until it matters. Your site's security is only as strong as the weakest link across: your web server software, your hosting platform, your web application layer (WordPress, custom code), your DNS provider, and any CDN or WAF layer in front. If you run a VPS or dedicated server, you control the Apache version and can patch today. If you are on shared hosting, your host controls the server. If your host is slow to patch a CVSS 8.8 web server vulnerability, that is a business risk you need to actively manage.
A practical question to ask your current provider: "What is your SLA for patching CVSS 8.0-or-above web server vulnerabilities?" If they cannot answer that question, or if the answer exceeds two weeks for a critical flaw, factor that into your decision about where to host — and consider placing a WAF in front as your controllable defensive layer in the interim.
Essential Eight Alignment
The ACSC's Essential Eight Maturity Model treats application patching as a core control. CVE-2026-23918 qualifies as a critical vulnerability under the patching maturity criteria: internet-facing, network-exploitable, CVSS 8.8. At ML2, this must be patched within 14 days of the vendor release — by 18 May 2026 at the latest. At ML3, the requirement is 48 hours from the 4 May patch availability date. Australian government contractors and regulated businesses should verify their patching status against whichever maturity level their organisation targets and document the action taken.
The broader lesson from the 2.4.67 release is also worth noting: 11 CVEs were closed in a single update. Staying current with vendor releases is more efficient than treating each CVE as an isolated event requiring separate evaluation. A mature patching programme handles these as routine maintenance, not emergencies — but it requires that someone in the organisation is monitoring Apache security announcements proactively.
Beyond Apache: Your Full Web Stack
A fully patched Apache server that hosts a WordPress installation running outdated plugins is still a target — just through a different entry point. The same discipline that drives patching CVE-2026-23918 should extend to your application layer: WordPress core, plugins, themes, PHP runtime version, and database software all carry their own CVE histories and their own patch obligations.
For most Australian SMBs, a practical defence priority order looks like this:
- Patch or mitigate the known critical CVE immediately — this week for CVE-2026-23918.
- Place a managed WAF in front of any site where you do not fully control the server patch cycle.
- Audit your full dependency chain — OS, web server, runtime, application, plugins — on a quarterly basis at minimum.
- Subscribe to security notification channels: Apache security announcements at httpd.apache.org, ACSC alerts at cyber.gov.au, and your hosting provider's security bulletins.
The OSS-Security mailing list disclosed CVE-2026-23918 before most mainstream media picked it up. Monitoring primary disclosure channels such as Apache security announcements at httpd.apache.org and ACSC alerts at cyber.gov.au gives your organisation an early advantage: the difference between patching before exploitation begins and scrambling after.
The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.