Apache HTTP Server RCE Exposes Millions of Servers
The Apache Software Foundation has released a critical security update for Apache HTTP Server. The patch, shipped in version 2.4.67 on May 4, 2026, addresses five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE). All users running version 2.4.66 or earlier are strongly urged
The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.
The flaw is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.
A double-free vulnerability occurs when a program releases the same memory region twice. The second free corrupts the heap allocator's internal structures, which can let an attacker redirect execution flow; in this case, that opens the door to Remote Code Execution.
The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.
A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.
A second flaw, CVE-2026-24072, is rated Moderate and targets mod_rewrite's use of ap_expr expression evaluation.
The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively enabling an escalation of privileges beyond their intended access level.
This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched
Three further lower-severity flaws were also addressed in the same 2.4.67 update:
- CVE-2026-28780 — A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
- CVE-2026-29168 — An uncapped resource allocation vulnerability in mod_md's OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.
- CVE-2026-29169 — A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs — its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.
| CVE | Severity | Component | Impact | Affected Versions |
|---|---|---|---|---|
| CVE-2026-23918 | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only |
| CVE-2026-24072 | Moderate | mod_rewrite (ap_expr) | Privilege Escalation | ≤ 2.4.66 |
| CVE-2026-28780 | Low | mod_proxy_ajp | Heap Buffer Overflow | ≤ 2.4.66 |
| CVE-2026-29168 | Low | mod_md (OCSP) | Resource Exhaustion | 2.4.30–2.4.66 |
| CVE-2026-29169 | Low | mod_dav_lock | NULL Ptr Dereference / DoS | ≤ 2.4.66 |
Mitigations
Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:
- Upgrade to Apache HTTP Server 2.4.67 — the only complete fix for all five vulnerabilities.
- Disable HTTP/2 temporarily if an immediate upgrade is not feasible, to reduce exposure to CVE-2026-23918.
- Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
- Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.
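The following shell helpers are an added example, not code from the article or from the Apache project. They turn the four actions above into an offline triage check: `needs_upgrade` parses `httpd -v` output and reports whether the build is older than 2.4.67; `risky_modules` picks out `http2_module` and `dav_lock_module` from `httpd -M` output, the two modules the interim mitigations for CVE-2026-23918 and CVE-2026-29169 concern; and `audit_htaccess` lists `.htaccess` files that are group- or world-writable (anyone who can write one is an ".htaccess author" in the sense of CVE-2026-24072) or that carry mod_rewrite directives. The version string, module listing and directory tree below are constructed sample data, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: offline triage helpers for the Apache httpd 2.4.67 advisory.
# All inputs are text you capture yourself (httpd -v, httpd -M) or a directory
# path, so the functions can be exercised without a running server.
set -u

# Return 0 if the `httpd -v` output names a version older than 2.4.67
# (i.e. still affected by at least one of the five CVEs), 1 if it is current,
# 2 if no version could be parsed.
needs_upgrade() {
  local ver maj min patch
  ver=$(printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1)
  [ -n "$ver" ] || return 2
  set -- $(printf '%s\n' "$ver" | tr '.' ' ')
  maj=$1; min=$2; patch=${3:-0}
  if [ "$maj" -lt 2 ]; then return 0; fi
  if [ "$maj" -eq 2 ] && [ "$min" -lt 4 ]; then return 0; fi
  if [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$patch" -lt 67 ]; then return 0; fi
  return 1
}

# Print, space-separated and sorted, the loaded modules that the interim
# mitigations target: http2_module (CVE-2026-23918) and dav_lock_module
# (CVE-2026-29169). Input is the raw `httpd -M` listing.
risky_modules() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(http2_module|dav_lock_module)[[:space:]]/ { print $1 }
  ' | sort | tr '\n' ' ' | sed 's/ $//'
}

# List every .htaccess file under DIR with two review signals: whether group or
# others can write it (so they can author rewrite rules), and whether it
# already contains mod_rewrite directives. Note that httpd only honours
# .htaccess where AllowOverride permits it, so pair this with a config review.
audit_htaccess() {
  local f w rw
  find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
    if [ -n "$(find "$f" -perm -020)" ] || [ -n "$(find "$f" -perm -002)" ]; then
      w=yes
    else
      w=no
    fi
    if grep -qiE '^[[:space:]]*Rewrite(Rule|Cond|Map)' "$f"; then rw=yes; else rw=no; fi
    printf '%s writable=%s rewrite=%s\n' "$f" "$w" "$rw"
  done
}

# Build a constructed document tree (assumption: two vhost roots, one with a
# world-writable .htaccess that uses mod_rewrite) and print its path.
make_sample_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/site-a" "$d/site-b"
  printf 'RewriteEngine On\nRewriteRule ^old$ /new [R]\n' > "$d/site-a/.htaccess"
  printf 'Options -Indexes\n' > "$d/site-b/.htaccess"
  chmod 666 "$d/site-a/.htaccess"   # anyone on the host can author rules here
  chmod 644 "$d/site-b/.htaccess"
  printf '%s\n' "$d"
}

# Constructed sample output standing in for `httpd -v` and `httpd -M`.
SAMPLE_VERSION='Server version: Apache/2.4.66 (Unix)
Server built:   May  1 2026 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 rewrite_module (shared)
 dav_lock_module (shared)'

if needs_upgrade "$SAMPLE_VERSION"; then
  echo "httpd older than 2.4.67: upgrading is the only complete fix"
fi
echo "modules with interim mitigations loaded: $(risky_modules "$SAMPLE_MODULES")"
sample=$(make_sample_tree)
audit_htaccess "$sample"
rm -rf "$sample"
```

On a real host, replace the sample strings with `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` (or `apachectl` on distributions that install it under that name) and point `audit_htaccess` at your document roots. A `writable=yes` line is the one to act on first, since it is what turns a local account into an `.htaccess` author.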