Critical Vulnerability in Apache HTTP Server Disclosed (CVE-2026-23918)
Executive Summary
On May 4th, 2026, Apache released an advisory regarding a flaw in Apache HTTP Server version 2.4.66 that, under certain conditions, could allow unauthenticated remote code execution (RCE). Tracked as CVE-2026-23918, the vulnerability stems from a memory corruption bug within the version's HTTP/2 implementation.
Beyond the potential for remote code execution, the flaw can also be exploited to cause a denial of service (DoS) condition and is considered weaponizable due to its lower exploitation complexity.
Due to the widespread usage of Apache HTTP Server and the lower-effort denial of service attack vector, the vulnerability could be targeted by opportunistic threat actors. Beazley Security recommends patching to a fixed version (2.4.67) of Apache HTTP Server to reduce the risk of service disruption or future exploitation.
Affected Systems and Products
Mitigations and Workarounds
If upgrading Apache HTTP Server to version 2.4.67 is not immediately an option, the following temporary mitigations may help reduce risk:
- Temporarily disable HTTP/2 by removing it from the Apache configuration; note that this could affect server performance.
- Place Apache HTTP Servers behind a Web Application Firewall (WAF) to block malicious HTTP/2 requests and apply rate limiting to reduce DoS potential.
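As an added example (not from the advisory or the Apache project), the following POSIX shell helpers check an httpd configuration for the HTTP/2 mitigation described above and produce the edited configuration; the sample configuration is constructed, and the directive handling assumes a stock `Protocols`/`LoadModule` layout.

```shell
#!/bin/sh
# Added example, not part of the Beazley Security advisory: helpers that
# apply and verify the "disable HTTP/2" mitigation in an httpd config.
# Both read configuration text on stdin, e.g.:
#   http2_enabled < /etc/httpd/conf/httpd.conf

# Exit 0 if an uncommented Protocols directive offers h2 (HTTP/2 over TLS)
# or h2c (cleartext HTTP/2); exit 1 otherwise. Matches the conventional
# capitalisation only (httpd itself treats directive names case-insensitively).
http2_enabled() {
  grep -Ev '^[[:space:]]*#' \
    | grep -Eq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# Rewrite configuration text so h2/h2c are dropped from every Protocols
# directive and the mod_http2 LoadModule line is commented out.
# Indentation is preserved; Protocols always keeps at least one argument.
disable_http2() {
  awk '
    /^[ \t]*Protocols[ \t]/ {
      match($0, /^[ \t]*/); line = substr($0, 1, RLENGTH) $1; kept = 0
      for (i = 2; i <= NF; i++)
        if ($i != "h2" && $i != "h2c") { line = line " " $i; kept++ }
      if (kept == 0) line = line " http/1.1"
      print line; next
    }
    /^[ \t]*LoadModule[ \t]+http2_module[ \t]/ { print "#" $0; next }
    { print }
  '
}

# Constructed sample configuration for the demo below (not from a real host).
SAMPLE_CONF='LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
  Protocols h2 h2c http/1.1
</VirtualHost>'

if printf '%s\n' "$SAMPLE_CONF" | http2_enabled; then
  echo "HTTP/2 is offered; mitigated configuration:"
  printf '%s\n' "$SAMPLE_CONF" | disable_http2
fi
# On a live system also remove any remaining H2* directives (unknown once
# mod_http2 is unloaded) and run `apachectl configtest` before reloading.
# Debian/Ubuntu packages: `a2dismod http2` is the supported way to unload it.
```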
Patches
Fixes have been made available by Apache, and additional information on upgrade paths can be found here.
Technical Details
Apache has publicly released only limited technical details on the vulnerability; however, the flaw is classified as a double-free vulnerability within Apache HTTP Server's mod_http2 module. According to the researchers who reported the vulnerability, the flaw exists specifically in the multiplexer component (h2_mplx.c).
The potential RCE attack path is driven by a race condition in which an attacker attempts to make the server process two related events on the same connection before the initial web request has fully completed. This timing issue can lead to memory being freed and then reused by the server in an unsafe way. If an attacker can control what data occupies that memory when it is reused, the server may be induced to execute arbitrary code. While technically possible, this attack is difficult to perform reliably.
At the time of writing, there is no evidence of RCE exploitation in the wild, and the RCE is complex to perform consistently in practice. The same timing issue, however, offers a lower-complexity DoS attack path: repeatedly triggering the condition could force an affected server to crash or become unresponsive, disrupting hosted services.
In many deployments, mod_http2 is built in and enabled by default. While full exploitation leading to remote code execution is more complex, the widespread use of Apache HTTP Server on the internet widens the attack surface and makes the lower-effort denial of service attack attractive to opportunistic threat actors. Beazley Security recommends patching to a fixed version (2.4.67) of Apache HTTP Server to remediate the vulnerability and reduce the risk of service disruption or future exploitation.
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.