Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)
cve · CVE-2026-23918
Coverage timeline
2
first 2026-05-06 → last 2026-05-10
Briefs
2
2 distinct
Sources cited
22
19 hosts
Sections touched
2
active_vulns, weekly_summary
Co-occurring entities
0
no co-occurrence
Story timeline
- 2026-05-10CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
- 2026-05-06CTI Daily Brief — 2026-05-06
Where this entity is cited
- active_vulns1
- weekly_summary1
Source distribution
- github.com4 (18%)
- attack.mitre.org1 (5%)
- badhost.org1 (5%)
- blog.calif.io1 (5%)
- cert.pl1 (5%)
- cert.ssi.gouv.fr1 (5%)
- cve.threatint.eu1 (5%)
- httpd.apache.org1 (5%)
- other11 (50%)
External references
All cited sources (22)
- thehackernews.comprimaryinlineThe Hacker Newshttps://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html
- attack.mitre.orginlineT1059.004 Command and Scripting Interpreter: Unix Shellhttps://attack.mitre.org/techniques/T1059/004/
- badhost.orginlineX41 D-Sec Advisory x41-2026-002, 2026-05-22https://badhost.org/
- blog.calif.ioinlineCalif/Codex, 2026-06-02https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
- cert.plinlineCERT Polska CVE-2026-42096https://cert.pl/en/posts/2026/05/CVE-2026-42096/
- cert.ssi.gouv.frinlineCERT-FR CERTFR-2026-AVI-0530https://www.cert.ssi.gouv.fr/
- cve.threatint.euinlineTHREATINT, 2026-06-01https://cve.threatint.eu/CVE/CVE-2026-44825
- github.cominlineGitHub Advisory GHSA-86qp-5c8j-p5mrhttps://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr
- github.cominlinePHP GHSA-85c2-q967-79q5https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5
- github.cominlineGHSA-hmxp-6pc4-f3vvhttps://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv
- github.cominlineGHSA-m33r-qmcv-p97qhttps://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q
- httpd.apache.orginlineApache HTTP Server security pagehttps://httpd.apache.org/security/vulnerabilities_24.html
- isc.sans.eduinlineSANS ISC, 2026-06-09https://isc.sans.edu/diary/rss/33064
- msrc.microsoft.cominlineMicrosoft MSRC, 2026-06-09https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-47291
- openwall.cominlineoss-security, 2026-06-03https://www.openwall.com/lists/oss-security/2026/06/03/3
- php.netinlinePHP 8 ChangeLoghttps://www.php.net/ChangeLog-8.php
- php.watchinlinephp.watch — PHP 8.5.6 release, 2026-05-07https://php.watch/versions/8.5/releases/8.5.6
- rapid7.cominlineRapid7, 2026-06-09https://www.rapid7.com/blog/post/em-patch-tuesday-june-2026
- seclists.orginlineoss-securityhttps://seclists.org/oss-sec/2026/q2/790
- securityweek.cominlineSecurityWeek, 2026-05-05https://www.securityweek.com/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server/
- tenable.cominlineTenable, 2026-06-09https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507
- wid.cert-bund.deinlineBSI CERT-Bund WID-SEC-2026-1740, 2026-06-01https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1740
Items in briefs about Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.