Key Takeaways
- Apache HTTP Server 2.4.67, released May 4 2026, patches five vulnerabilities, including a critical RCE flaw.
- The most severe issue, CVE‑2026‑23918, is a double‑free in the HTTP/2 module with a CVSS score of 8.8.
- Only version 2.4.66 is affected by the double‑free; all earlier 2.4.x releases are impacted by the other four bugs.
- Administrators should upgrade immediately; if impossible, disable HTTP/2 and remove unused modules as interim mitigations.
- Auditing .htaccess permissions and monitoring resource usage help reduce exposure to the remaining vulnerabilities.
- The fixes were committed swiftly after private disclosure, underscoring the importance of rapid coordination between researchers and the Apache Security Team.
Overview of Apache HTTP Server 2.4.67 Security Release
The Apache Software Foundation announced the availability of Apache HTTP Server version 2.4.67 on May 4 2026. This release addresses five security‑relevant defects identified in the 2.4.66 code base and earlier. The update is described as a “critical” patch because it resolves a high‑severity double‑free vulnerability that can lead to remote code execution (RCE). All users running 2.4.66 or any prior version are urged to upgrade to 2.4.67 to eliminate exposure to these flaws. The announcement also provides temporary mitigation steps for environments where an immediate upgrade cannot be performed.
Critical Double‑Free Vulnerability (CVE‑2026‑23918)
CVE‑2026‑23918 is the most serious flaw corrected in 2.4.67, receiving a CVSS base score of 8.8 (High). It resides in the HTTP/2 protocol implementation and is triggered during an “early stream reset” sequence. A double‑free occurs when the same memory block is released twice, corrupting the heap’s internal bookkeeping structures. An attacker who can manipulate HTTP/2 frames to cause this condition may be able to forge fake memory chunks, thereby gaining control over execution flow and achieving arbitrary code execution on the server process. Because HTTP/2 is enabled by default in many deployments, the vulnerability presents a broad RCE risk.
Technical Details of the HTTP/2 Early Stream Reset Flaw
The faulty code path handles the reset of an HTTP/2 stream before the associated request has been fully processed. When a client sends a RST_FRAME immediately after initiating a stream, the server’s stream‑state machine incorrectly frees a buffer that is later accessed again during cleanup. This results in the double‑free condition. Exploitation typically requires the attacker to send a specially crafted sequence of HEADERS, DATA, and RST_FRAME packets that forces the server into the vulnerable state. Successful exploitation can lead to the injection of shellcode into the httpd process, allowing the attacker to execute commands with the privileges of the Apache user (often root or a privileged service account).
Discovery, Timeline, and Patch Process
The vulnerability was privately reported to the Apache Security Team on December 10 2025 by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl. The following day, December 11 2025, a fix was committed to the source repository as revision r1930444. The patch involved adding reference‑count checks and ensuring that the stream‑reset routine does not free memory more than once. After a period of internal testing and coordination with downstream distributors, the corrected code was bundled into Apache HTTP Server 2.4.67, which was made publicly available on May 4 2026. The rapid turn‑around—under five months from report to release—illustrates the effectiveness of the Apache security response workflow.
Mod_rewrite Privilege‑Escalation Issue (CVE‑2026‑24072)
The second vulnerability addressed, CVE‑2026‑24072, carries a Moderate rating and affects the mod_rewrite module’s use of the ap_expr expression evaluator. A local user who can write .htaccess files (for example, a shared‑hosting customer) can craft an expression that causes ap_expr to read arbitrary files from the filesystem with the privileges of the httpd process. This effectively escalates the user’s privileges beyond the intended directory‑limited access, potentially allowing the reading of sensitive configuration files, passwords, or private keys. The flaw impacts all versions 2.4.66 and earlier. The fix restricts the expression evaluator’s file‑access checks to ensure that only paths within the permitted document root can be accessed.
Additional Lower‑Severity Flaws: mod_proxy_ajp Buffer Overflow
CVE‑2026‑28780 is a Low‑severity heap‑based buffer overflow in mod_proxy_ajp, specifically within the ajp_msg_check_header() function. If mod_proxy_ajp is configured to forward requests to an AJP backend, a malicious AJP server can transmit a crafted message that overflows a heap buffer by four attacker‑controlled bytes. Although the overflow is small, it could be chained with other memory‑corruption bugs to achieve more significant impact. The issue affects Apache HTTP Server 2.4.66 and earlier. The patch validates the length of incoming AJP headers before copying them into the buffer, preventing the overflow.
Additional Lower‑Severity Flaws: mod_md OCSP Resource Exhaustion
CVE‑2026‑29168 targets the mod_md module’s OCSP (Online Certificate Status Protocol) response handler. An uncapped resource allocation allows an attacker to send oversized OCSP responses, causing the server to allocate excessive memory or CPU cycles and potentially leading to denial‑of‑service through resource exhaustion. This flaw affects versions 2.4.30 through 2.4.66 and was reported by Pavel Kohout of Aisle Research on March 2 2026. The remedy introduces size limits on OCSP responses and ensures that allocation failures are handled gracefully, preventing unbounded consumption of server resources.
Additional Lower‑Severity Flaws: mod_dav_lock NULL Pointer Dereference
CVE‑2026‑29169 is a Low‑severity NULL pointer dereference in mod_dav_lock that can be triggered by a malformed request, resulting in a server crash (denial‑of‑service). Notably, mod_dav_lock is not used by the core mod_dav or mod_dav_fs modules; its only known deployment is with older versions of mod_dav_svn from Apache Subversion prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply disable or remove the mod_dav_lock module, which eliminates the attack vector without affecting core WebDAV functionality. The patch adds a null‑check before dereferencing the pointer, preventing the crash.
Risk Assessment and Global Impact
Given the extensive deployment of Apache HTTP Server across enterprises, cloud providers, and embedded devices, the RCE risk posed by CVE‑2026‑23918 represents a substantial threat to worldwide infrastructure. An adversary capable of sending malicious HTTP/2 traffic could compromise web servers, pivot to internal networks, exfiltrate data, or deploy ransomware. While the other vulnerabilities are less severe, they collectively expand the attack surface: privilege escalation via .htaccess, resource exhaustion, and denial‑of‑service possibilities could be leveraged in multi‑stage attacks. Organizations that rely on Apache for public‑facing sites, APIs, or internal services should prioritize the upgrade to 2.4.67 as a critical component of their vulnerability‑management program.
Immediate Mitigation and Upgrade Guidance
The definitive remediation is to upgrade to Apache HTTP Server 2.4.67, which incorporates fixes for all five CVEs. If an immediate upgrade is operationally infeasible, administrators should consider the following temporary measures:
- Disable HTTP/2 (e.g., by turning off the
Protocols h2 h2cdirective) to eliminate exposure to the double‑free flaw. - Remove the mod_dav_lock module if it is not required, thereby mitigating CVE‑2026‑29169.
- Review and tighten .htaccess file permissions, restricting write access to trusted users only, to reduce the risk posed by CVE‑2026‑24072.
- Monitor AJP traffic for anomalous messages and consider disabling mod_proxy_ajp unless absolutely necessary.
- Enable logging and alerting for unusually large OCSP responses to detect attempts to exploit CVE‑2026‑29168.
These steps reduce the likelihood of successful exploitation while a scheduled upgrade is planned.
Best Practices for Ongoing Apache Hardening
Beyond applying the 2.4.67 patch, organizations should adopt a proactive hardening posture for Apache HTTP Server:
- Subscribe to the Apache Security Announcements mailing list and enable automatic notifications for new releases.
- Maintain an inventory of all Apache instances, including version numbers and enabled modules, to facilitate rapid assessment of exposure.
- Implement a Web Application Firewall (WAF) or reverse proxy with request‑size limits and HTTP/2 sanitization layers.
- Regularly audit .htaccess and configuration files for overly permissive directives, especially in shared‑hosting environments.
- Conduct periodic penetration testing focused on protocol‑level weaknesses (e.g., HTTP/2, AJP) to validate mitigations.
- Keep underlying operating systems and dependencies up‑to‑date, as many exploits rely on chaining OS‑level privilege escalation with web‑server flaws.
By combining timely patching with these operational controls, administrators can significantly reduce the risk posed by the vulnerabilities disclosed in Apache HTTP Server 2.4.67 and maintain a resilient web‑infrastructure posture.