Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Apache Software Foundation has released a critical security update for Apache HTTP Server<\/a>, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE) in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.<\/p>\n The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8.<\/p>\n The flaw is a double-free memory corruption bug triggered within Apache\u2019s HTTP\/2 protocol implementation during an \u201cearly stream reset\u201d sequence.<\/p>\n A double-free vulnerability occurs when a program attempts to release the same memory region twice, corrupting heap memory structures and potentially enabling an attacker to redirect execution flow in this case, opening the door to Remote Code Execution.<\/p>\n The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.<\/p>\n A fix was committed in revision A second flaw, CVE-2026-24072, is rated Moderate and targets The vulnerability allows local This bug affects Apache HTTP Server<\/a> 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.<\/p>\n Three further lower-severity flaws were also addressed in the same 2.4.67 update:<\/p>\n Given Apache HTTP Server\u2019s enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:<\/p>\n Free Webinar to align your endpoint security to meet new requirements \u2013 Register Now<\/strong><\/a><\/p>\n The post Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nr1930444<\/code> the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.<\/p>\nmod_rewrite<\/code>\u2018s use of ap_expr<\/code> expression evaluation.<\/p>\n.htaccess<\/code> authors to read arbitrary files with the privileges of the httpd<\/code> user, effectively enabling an escalation of privileges beyond their intended access level.<\/p>\nAdditional Vulnerabilities Patched<\/strong><\/h2>\n
\n
mod_proxy_ajp<\/code> via ajp_msg_check_header()<\/code>. If mod_proxy_ajp<\/code> connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.<\/li>\nmod_md<\/code>\u2018s OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.<\/li>\nmod_dav_lock<\/code> that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock<\/code> is not used internally by mod_dav<\/code> or mod_dav_fs<\/code> \u2014 its only known use case was with mod_dav_svn<\/code> from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock<\/code>.<\/li>\n<\/ul>\n\n\n
\n \nCVE<\/th>\n Severity<\/th>\n Component<\/th>\n Impact<\/th>\n Affected Versions<\/th>\n<\/tr>\n<\/thead>\n \n CVE-2026-23918<\/td>\n High (CVSS 8.8)<\/td>\n HTTP\/2<\/td>\n Double Free \/ RCE<\/td>\n 2.4.66 only<\/td>\n<\/tr>\n \n CVE-2026-24072<\/td>\n Moderate<\/td>\n mod_rewrite (ap_expr)<\/td>\n Privilege Escalation<\/td>\n \u2264 2.4.66<\/td>\n<\/tr>\n \n CVE-2026-28780<\/td>\n Low<\/td>\n mod_proxy_ajp<\/td>\n Heap Buffer Overflow<\/td>\n \u2264 2.4.66<\/td>\n<\/tr>\n \n CVE-2026-29168<\/td>\n Low<\/td>\n mod_md (OCSP)<\/td>\n Resource Exhaustion<\/td>\n 2.4.30\u20132.4.66<\/td>\n<\/tr>\n \n CVE-2026-29169<\/td>\n Low<\/td>\n mod_dav_lock<\/td>\n NULL Ptr Dereference \/ DoS<\/td>\n \u2264 2.4.66<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigations<\/h2>\n
\n
mod_dav_lock<\/code><\/strong> if the module is not in active use, as an interim mitigation for CVE-2026-29169.<\/li>\n.htaccess<\/code> permissions<\/strong> to limit exposure to CVE-2026-24072 in environments where local user access is a concern.<\/li>\n<\/ol>\n