CVE Vulnerabilities

CVE-2026-23918

Double Free

Published: May 04, 2026 | Modified: Jun 30, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
8.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
HIGH
root.io logo minimus.io logo echo.ai logo

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Weakness

The product calls free() twice on the same memory address.

Affected Software

NameVendorStart VersionEnd Version
Http_serverApache2.4.66 (including)2.4.66 (including)
Red Hat Hardened ImagesRedHathttpd-main-2.4.67-0.1.hum1*
Apache2Ubuntudevel*
Apache2Ubunturesolute*
Apache2Ubuntuupstream*

Potential Mitigations

References