Apache HTTP Server 2.4.67 Patches Critical RCE Vulnerability
The Apache Software Foundation released Apache HTTP Server 2.4.67 on May 4, 2026, addressing five security vulnerabilities, including a critical double-free memory corruption flaw that could enable Remote Code Execution (RCE). All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.
The most severe flaw in this release is CVE-2026-23918, rated High with a CVSS base score of 8.8. The vulnerability is a double-free memory corruption bug triggered within Apache’s HTTP/2 protocol implementation during an “early stream reset” sequence.
A double-free vulnerability occurs when a program attempts to free the same memory region twice, corrupting heap memory structures and potentially allowing an attacker to redirect execution flow, opening the door to full Remote Code Execution. The flaw exclusively affects Apache HTTP Server version 2.4.66.
Security researchers Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl first reported the vulnerability to the Apache security team on December 10, 2025.
A fix was committed in revision r1930444 just one day later, on December 11, 2025, with the public patch officially shipped in the 2.4.67 release on May 4, 2026.
A second flaw, CVE-2026-24072, rated Moderate, targets mod_rewrite’s use of the ap_expr expression evaluation mechanism.
The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively escalating their access beyond intended boundaries.
This bug affects Apache HTTP Server versions 2.4.66 and earlier, and was reported on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched
Three lower-severity flaws were also addressed in the 2.4.67 update:
- CVE-2026-28780 — A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, a crafted AJP message can cause the module to write 4 attacker-controlled bytes beyond a heap buffer boundary. Independently reported by four researchers between February and March 2026.
- CVE-2026-29168 — An uncapped resource allocation flaw in mod_md's OCSP response handler, exploitable to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66; reported by Pavel Kohout of Aisle Research on March 2, 2026.
- CVE-2026-29169 — A NULL pointer dereference in mod_dav_lock allowing attackers to crash the server via a maliciously crafted request. Administrators who cannot upgrade immediately can remove mod_dav_lock as an interim mitigation, since its only known use case was with mod_dav_svn from Apache Subversion versions before 1.2.0.
Mitigation
Given Apache HTTP Server’s massive global deployment, the RCE risk posed by CVE-2026-23918 represents a serious threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:
- Upgrade to Apache HTTP Server 2.4.67, the only complete remediation for all five vulnerabilities
- Disable HTTP/2 temporarily if an immediate upgrade is not feasible, to reduce exposure to CVE-2026-23918
- Remove mod_dav_lock if not actively in use, as an interim mitigation for CVE-2026-29169
- Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments with local user access concerns
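The checklist above can be turned into a repeatable host check. The POSIX sh script below is an added example, not code from the advisory or from the Apache project: it parses the output of `httpd -v` and `httpd -M`, flags builds older than 2.4.67, and, while a build is still vulnerable, reports whether the HTTP/2 module and mod_dav_lock are loaded so the interim workarounds can be applied. The two SAMPLE_* strings are constructed to look like a 2.4.66 build with both modules enabled; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the httpd project): audit a host
# against the 2.4.67 mitigation list using `httpd -v` / `httpd -M` output.
# SAMPLE_VERSION and SAMPLE_MODULES are constructed stand-ins for that output.

SAMPLE_VERSION='Server version: Apache/2.4.66 (Unix)
Server built:   Apr 29 2026 10:12:01'

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 http2_module (shared)
 dav_module (shared)
 dav_lock_module (shared)
 rewrite_module (shared)
 proxy_ajp_module (shared)'

# extract_version "<httpd -v output>" -> prints the dotted version, e.g. 2.4.66
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B -> exit 0 if dotted version A is numerically older than B
# (component-wise compare, so 2.4.9 is older than 2.4.10)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# module_loaded "<httpd -M output>" <module_name> -> exit 0 if that module is listed
module_loaded() {
    printf '%s\n' "$1" | grep -q "^ *$2 "
}

# audit_httpd "<httpd -v output>" "<httpd -M output>"
# Prints one line per finding; exit status 0 means nothing to do.
audit_httpd() {
    findings=0
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "WARN: could not parse the httpd version string"
    elif version_lt "$ver" 2.4.67; then
        echo "UPGRADE: httpd $ver is older than 2.4.67 (fixes CVE-2026-23918 and four other flaws)"
        findings=$((findings + 1))
        # Interim workarounds only matter while the build is still vulnerable.
        if module_loaded "$2" http2_module; then
            echo "WORKAROUND: http2_module is loaded; disable HTTP/2 until the upgrade lands (CVE-2026-23918)"
            findings=$((findings + 1))
        fi
        if module_loaded "$2" dav_lock_module; then
            echo "WORKAROUND: dav_lock_module is loaded; remove it if not in use (CVE-2026-29169)"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Run against the constructed samples. On a real host replace them with
# "$(httpd -v)" and "$(httpd -M 2>/dev/null)" (apache2ctl on Debian-derived systems).
if audit_httpd "$SAMPLE_VERSION" "$SAMPLE_MODULES"; then
    echo "OK: no findings"
else
    echo "ACTION REQUIRED: see findings above"
fi
```

The version comparison is done component by component rather than as a string, so a future 2.4.100 is not mistaken for something older than 2.4.67. The .htaccess item in the list is a configuration review (which directories carry AllowOverride and who can write .htaccess files there) rather than a module check, so it is not covered by this script.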