Critical Apache HTTP/2 flaw enables RCE. Patch is 2.4.67.

CVE-2026-23918 is a double-free in Apache HTTP Server's HTTP/2 implementation. RCE is plausible. Upgrade to 2.4.67 or disable HTTP/2 until you can.

A critical vulnerability in Apache HTTP Server's HTTP/2 implementation has been disclosed. CVE-2026-23918 is a double-free with potential remote code execution, affecting Apache HTTP Server up to and including 2.4.66. The fix is in 2.4.67 [The Hacker News].

── What shipped ──

The vulnerability is in the HTTP/2 protocol handling — not the modules above it. Any Apache HTTPD instance with HTTP/2 enabled (mod_http2) is in scope, regardless of which application sits behind it.

Apache has released 2.4.67 with the fix. No public exploit code at the time of this brief, but the class of bug (double-free) is well-understood and exploit development is straightforward.

── Why it matters ──

The reach is the story. Apache HTTPD is still one of the most-deployed web servers globally, particularly in enterprise and legacy stacks where HTTP/2 was added without much thought. WordPress hosting, internal admin portals, and downstream-of-CDN origin servers are all common deployment surfaces.

Your exposure check, in order:

  1. apachectl -v — confirm version. Anything ≤ 2.4.66 is vulnerable.
  2. apachectl -M | grep http2 — confirm HTTP/2 is loaded. If it is, you are exposed.
  3. Patch to 2.4.67 if your distro has it packaged. If not, disable mod_http2 until the package lands.
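
The three-step check above, scripted as a triage helper (an added example, not Apache's own tooling and not code from the brief): it parses apachectl -v for the version, looks for http2_module in apachectl -M, and goes one step beyond the list by scanning the configuration for a Protocols directive that actually offers h2 or h2c, since a loaded mod_http2 with the default Protocols http/1.1 never negotiates HTTP/2. The --live flag, the APACHECTL and APACHE_CONF_DIR environment variables, the verdict labels and the sample command output are all assumptions made for this example.

```shell
#!/bin/sh
# Exposure triage for CVE-2026-23918 (added example, not Apache's tooling).
# Checks: version older than 2.4.67, mod_http2 loaded, and whether any
# Protocols directive offers h2/h2c. Run with --live against a real host;
# with no arguments it runs on constructed sample output.

FIXED_VERSION="2.4.67"                               # first fixed release per the brief
FIXED_NUM=$(( 2 * 1000000 + 4 * 1000 + 67 ))          # same version, comparable as an integer

# version_vulnerable "<apachectl -v output>"
# exit 0 = older than 2.4.67, 1 = fixed or newer, 2 = no Apache/x.y.z string found
version_vulnerable() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*|\1 \2 \3|p' |
        head -n 1)
    [ -n "$parsed" ] || return 2
    set -- $parsed                                   # $1=major $2=minor $3=patch
    cur=$(( $1 * 1000000 + $2 * 1000 + $3 ))
    [ "$cur" -lt "$FIXED_NUM" ]
}

# http2_loaded "<apachectl -M output>": exit 0 if http2_module is listed
http2_loaded() {
    printf '%s\n' "$1" | grep -q 'http2_module'
}

# h2_negotiable "<config text>": exit 0 if an uncommented Protocols line
# offers h2 or h2c (the default, Protocols http/1.1, does not)
h2_negotiable() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eiq '^[[:space:]]*Protocols[[:space:]]+([^[:space:]]+[[:space:]]+)*h2c?([[:space:]]|$)'
}

# assess "<apachectl -v>" "<apachectl -M>" "<config text>": prints "VERDICT: reason"
assess() {
    rc=0
    version_vulnerable "$1" || rc=$?
    case $rc in
        2) echo "UNKNOWN: could not parse an Apache/x.y.z version string"; return 0 ;;
        1) echo "PATCHED: version is $FIXED_VERSION or newer"; return 0 ;;
    esac
    if ! http2_loaded "$2"; then
        echo "VULNERABLE-VERSION: mod_http2 not loaded, so HTTP/2 is not reachable; still patch to $FIXED_VERSION"
    elif h2_negotiable "$3"; then
        echo "EXPOSED: pre-$FIXED_VERSION, mod_http2 loaded and a Protocols directive offers h2/h2c"
    else
        echo "AT-RISK: pre-$FIXED_VERSION, mod_http2 loaded, no Protocols h2 found (check every include); patch or unload mod_http2"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # Assumed overrides: APACHECTL (apache2ctl on Debian-style systems) and
    # APACHE_CONF_DIR (/etc/apache2 there, /etc/httpd on Red Hat-style systems).
    ctl=${APACHECTL:-apachectl}
    confdir=${APACHE_CONF_DIR:-/etc/httpd}
    assess "$("$ctl" -v 2>/dev/null)" "$("$ctl" -M 2>/dev/null)" \
           "$(find "$confdir" -name '*.conf' -exec cat {} + 2>/dev/null)"
else
    # Constructed sample output standing in for a real host.
    SAMPLE_V="Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00"
    SAMPLE_M="Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)"
    SAMPLE_CONF="# Protocols h2 http/1.1   <- commented out, must not count
Protocols http/1.1 h2"
    assess "$SAMPLE_V" "$SAMPLE_M" "$SAMPLE_CONF"
    assess "Server version: Apache/2.4.67 (Unix)" "$SAMPLE_M" "$SAMPLE_CONF"
fi
```

Run it with --live on the host itself (set APACHECTL=apache2ctl and APACHE_CONF_DIR=/etc/apache2 on Debian-derived systems); without arguments it prints verdicts for the constructed samples. Treat AT-RISK the same as EXPOSED for patching purposes: the brief's rule is that a loaded mod_http2 means exposure, and the Protocols scan only tells you whether a client can reach the module today. One caveat on the version test alone: distributions commonly backport fixes under the original version number, so check your distribution's advisory before concluding that a 2.4.6x package is unpatched.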

CDNs in front of origin servers do not protect against this if HTTP/2 terminates at the origin. CloudFront, Cloudflare, and Fastly typically terminate HTTP/2 at their edge — but origin pulls can still negotiate HTTP/2 if both sides support it.

── Editor's take ──

This is an action item, not a story. Patch tonight if you can. If you can't patch tonight, disable HTTP/2 tonight. The exploit window between disclosure and weaponisation is shrinking; the prudent assumption is days, not weeks.
