Critical Apache HTTP Server Bug CVE-2021-41773 Lets Attackers Remotely Execute Code
Key Takeaways The Apache Software Foundation has released an urgent security update, version 2.4.67, for its HTTP Server. This patch addresses five vulnerabilities, including a critical double-free...
Key Takeaways
- The Apache Software Foundation has released an urgent security update, version 2.4.67, for its HTTP Server.
- This patch addresses five vulnerabilities, including a critical double-free flaw (CVE-2026-23918) that enables remote code execution (RCE).
- The most severe vulnerability, CVE-2026-23918, carries a CVSS score of 8.8 and specifically impacts Apache HTTP Server version 2.4.66.
- All users running Apache HTTP Server 2.4.66 or older versions are strongly advised to upgrade immediately to version 2.4.67.
The Apache Software Foundation has issued a critical security bulletin, urging users of its widely deployed HTTP Server to update to version 2.4.67. This release, made public on May 4, 2026, bundles fixes for five distinct security vulnerabilities, with the most severe being a double-free memory corruption bug that could facilitate remote code execution (RCE).
Table Of Content
High-Severity RCE Flaw in HTTP/2 Implementation
The most pressing concern among the patched vulnerabilities is CVE-2026-23918, which has been assigned a High severity rating with a CVSS base score of 8.8. This flaw is a double-free memory corruption vulnerability residing within Apache’s HTTP/2 protocol implementation. It can be triggered during an “early stream reset” sequence.
A double-free vulnerability occurs when a program attempts to deallocate the same block of memory twice. This action can corrupt heap memory structures, potentially allowing an attacker to manipulate program execution flow, in this case, leading to arbitrary remote code execution on the affected server.
This particular RCE vulnerability exclusively affects Apache HTTP Server version 2.4.66. It was initially reported to the Apache security team on December 10, 2025, by security researchers Bartlomiej Dmitruk from striga.ai and Stanislaw Strzalkowski from isec.pl. Apache developers committed a fix in revision r1930444 the following day, December 11, 2025, with the official public patch integrated into the 2.4.67 release.
Moderate Privilege Escalation in mod_rewrite
Another significant vulnerability, CVE-2026-24072, is rated Moderate severity. This flaw targets the mod_rewrite module’s utilization of the ap_expr expression evaluation mechanism. It allows local .htaccess file authors to read arbitrary files on the system, operating with the privileges of the httpd user. This effectively grants them an escalation of privileges beyond their intended access levels.
This bug impacts Apache HTTP Server 2.4.66 and all earlier versions. It was brought to Apache’s attention on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched
The 2.4.67 update also addresses three further lower-severity vulnerabilities:
- CVE-2026-28780: A heap-based buffer overflow found in
mod_proxy_ajp, specifically within theajp_msg_check_header()function. Ifmod_proxy_ajpestablishes a connection with a malicious AJP server, that server can send a specially crafted AJP message. This message could cause the module to write four attacker-controlled bytes beyond the allocated end of a heap buffer. This issue was independently reported by four different researchers between February and March 2026. - CVE-2026-29168: An uncapped resource allocation vulnerability discovered in
mod_md‘s OCSP response handler. Attackers could exploit this flaw to exhaust server resources by supplying oversized OCSP response data. This affects versions 2.4.30 through 2.4.66 and was reported by Pavel Kohout of Aisle Research on March 2, 2026. - CVE-2026-29169: A NULL pointer dereference vulnerability in
mod_dav_lock. This flaw allows an attacker to crash the server by sending a maliciously crafted request. It’s important to note thatmod_dav_lockis not typically used bymod_davormod_dav_fs; its primary known use case was withmod_dav_svnin Apache Subversion versions prior to 1.2.0. For administrators unable to upgrade immediately, removingmod_dav_lockcan serve as an interim mitigation.
What You Should Do
Given the Apache HTTP Server’s widespread deployment and the significant RCE risk posed by CVE-2026-23918, immediate action is crucial for maintaining the security of enterprise infrastructure. Administrators should implement the following mitigation steps without delay:
- Upgrade to Apache HTTP Server 2.4.67: This is the most comprehensive solution, addressing all five vulnerabilities detailed in the security update.
- Temporarily Disable HTTP/2: If an immediate upgrade is not feasible, disabling the HTTP/2 protocol can reduce exposure to CVE-2026-23918 until the server can be fully patched.
- Remove
mod_dav_lock: If themod_dav_lockmodule is not actively in use within your environment, removing it can mitigate the risk associated with CVE-2026-29169. - Audit
.htaccessPermissions: In environments where local user access is a concern, review and restrict.htaccesspermissions to limit potential exposure to the privilege escalation flaw, CVE-2026-24072.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.