ctipilot.ch · Switzerland · Europe · Public sector

Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)

cve · CVE-2026-23918

Story timeline

  1. 2026-05-06 · CTI Daily Brief — 2026-05-06
    active_vulns · First coverage. Double-free in mod_http2 on early stream reset; DoS trivial, RCE requires APR mmap allocator (default Debian/Docker); PoC confirmed; fixed in Apache 2.4.67.