Critical Apache HTTP/2 double-free vulnerability (CVE-2026-23918) enables DoS and potential RCE
Tags: Security · Infrastructure

The Apache Software Foundation released security updates on May 4, 2026 that fix five vulnerabilities in HTTP Server 2.4.67. The most severe is CVE-2026-23918 (CVSS 8.8), a double-free memory corruption flaw in the HTTP/2 implementation that can be used for denial of service and potentially for remote code execution. The bug is triggered when a client sends an HTTP/2 HEADERS frame immediately followed by a RST_STREAM frame with a non-zero error code on the same stream, before the multiplexer has registered that stream. Because the flaw sits in the HTTP/2 code path, only servers that serve HTTP/2 (mod_http2) expose it.

The vulnerability affects only version 2.4.66. It was reported by Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl) on December 10, 2025, and a fix was committed the next day; that fix ships in 2.4.67.

The same release also patches CVE-2026-24072 (mod_rewrite privilege escalation), CVE-2026-28780 (mod_proxy_ajp heap buffer overflow), CVE-2026-29168 (mod_md OCSP resource exhaustion) and CVE-2026-29169 (mod_dav_lock NULL pointer dereference). Apache HTTP Server powers a significant portion of global web infrastructure, so the practical step is to confirm the running version with httpd -v and upgrade every 2.4.66 instance to 2.4.67.
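To make the trigger sequence concrete, here is an added example (not code from the article or from the Apache project) that parses a captured HTTP/2 client byte stream into frames and flags a HEADERS frame immediately followed by a RST_STREAM frame with a non-zero error code on the same stream. The sample byte stream, the frame-building helper and the stream ids are constructed for the example; the detector only inspects frame order and error codes and says nothing about whether the multiplexer race in the server actually fires.

```python
"""Flag the HEADERS -> RST_STREAM(non-zero error) sequence in a raw HTTP/2 client stream.

Frame layout (RFC 7540 section 4.1): 3-byte length, 1-byte type, 1-byte flags,
4-byte stream identifier (top bit reserved), then the payload.
"""
from dataclasses import dataclass

FRAME_SETTINGS = 0x4
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FLAG_END_HEADERS = 0x4
FLAG_END_STREAM = 0x1
ERR_NO_ERROR = 0x0
ERR_CANCEL = 0x8
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> list:
    """Split a raw client byte stream into frames; stop at a truncated frame."""
    if data.startswith(CONNECTION_PREFACE):
        data = data[len(CONNECTION_PREFACE):]
    frames = []
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        flags = data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # incomplete capture; do not guess at the rest
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def find_headers_then_reset(frames: list) -> list:
    """Return (stream_id, error_code) for every HEADERS frame that is directly
    followed by a RST_STREAM with a non-zero error code on the same stream.
    Adjacency is required, matching the sequence the advisory describes; a
    RST_STREAM with NO_ERROR (0) is the normal cancel path and is ignored."""
    hits = []
    for prev, cur in zip(frames, frames[1:]):
        if prev.ftype != FRAME_HEADERS or cur.ftype != FRAME_RST_STREAM:
            continue
        if prev.stream_id != cur.stream_id or cur.stream_id == 0:
            continue
        if len(cur.payload) != 4:
            continue  # malformed RST_STREAM; the error code is exactly 4 bytes
        err = int.from_bytes(cur.payload, "big")
        if err != ERR_NO_ERROR:
            hits.append((cur.stream_id, err))
    return hits


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Helper used only to construct the sample capture below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


# Constructed sample capture (not real traffic): an empty SETTINGS frame, a
# HEADERS frame on stream 1 followed at once by RST_STREAM(CANCEL), then a
# benign HEADERS on stream 3 followed by RST_STREAM(NO_ERROR).
SAMPLE_CAPTURE = (
    CONNECTION_PREFACE
    + build_frame(FRAME_SETTINGS, 0, 0, b"")
    + build_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x82\x84")
    + build_frame(FRAME_RST_STREAM, 0, 1, ERR_CANCEL.to_bytes(4, "big"))
    + build_frame(FRAME_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 3, b"\x82")
    + build_frame(FRAME_RST_STREAM, 0, 3, ERR_NO_ERROR.to_bytes(4, "big"))
)


def scan_capture(data: bytes) -> list:
    """Parse a capture and return the suspicious (stream_id, error_code) pairs."""
    return find_headers_then_reset(parse_frames(data))


if __name__ == "__main__":
    for stream_id, err in scan_capture(SAMPLE_CAPTURE):
        print(f"stream {stream_id}: HEADERS immediately reset with error 0x{err:x}")
```

Feeding the constructed capture through scan_capture reports stream 1 (reset with CANCEL) and ignores stream 3, whose reset carries NO_ERROR. On real traffic the client side of a decrypted HTTP/2 connection would be passed in; a hit means the frame sequence from the advisory was seen, not that the server was exploited, so treat it as a hunting signal and pair it with the version check.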