Skip to main content

Apache HTTP Server EUVDEUVD-2026-26955

| CVE-2026-23918 HIGH
Double Free (CWE-415)
2026-05-04 apache
8.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 17:16 vuln.today
CVSS changed
May 04, 2026 - 16:22 NVD
8.8 (HIGH)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26955
Analysis Generated
May 04, 2026 - 15:00 vuln.today
CVE Published
May 04, 2026 - 14:44 nvd
HIGH 8.8

DescriptionCVE.org

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

Remote code execution via double-free memory corruption in Apache HTTP Server 2.4.66's HTTP/2 protocol implementation allows authenticated attackers to compromise server integrity and confidentiality with high impact. Vendor-released patch 2.4.67 addresses the issue. No public exploit or active exploitation confirmed at time of analysis, but SSVC framework rates technical impact as total, indicating complete system compromise potential.

Technical ContextAI

Apache HTTP Server (httpd) is a widely deployed open-source web server maintained by the Apache Software Foundation. This vulnerability affects the HTTP/2 protocol handler module (mod_http2), which manages multiplexed HTTP/2 connections. The flaw is classified as CWE-415 (Double Free), a memory management error where the same memory location is freed twice, causing heap corruption. In HTTP/2 implementations, such corruption can occur during stream management, header processing, or connection cleanup. Double-free conditions are exploitable for arbitrary code execution because they corrupt heap metadata, allowing attackers to manipulate memory allocation patterns and potentially overwrite function pointers or security-critical data structures. The vulnerability is isolated to version 2.4.66, suggesting it was introduced in that specific release rather than being a long-standing architectural flaw.

RemediationAI

Upgrade to Apache HTTP Server 2.4.67 immediately per the official Apache advisory at https://httpd.apache.org/security/vulnerabilities_24.html - this release contains the vendor-confirmed fix for the double-free vulnerability. For environments unable to patch immediately, disable HTTP/2 protocol support by removing or commenting out 'Protocols h2 h2c http/1.1' directives and unloading mod_http2 module, then restart Apache; this eliminates the vulnerable code path but degrades performance for HTTP/2 clients who will fall back to HTTP/1.1, causing increased latency and connection overhead for modern browsers and mobile clients. If disabling HTTP/2 is not operationally feasible, restrict authenticated access to HTTP/2 endpoints through network segmentation, requiring VPN or IP allowlisting for low-privilege authenticated users, though this mitigation is incomplete since authenticated attackers within the trust boundary retain exploit capability. No workaround fully mitigates the risk short of patching or disabling HTTP/2.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-26955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy