RC RANDOM CHAOS

Apache HTTP/2 Double-Free in mod_http2 Opens Path to DoS and RCE

via The Hacker News

Original source: Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE (The Hacker News)

Apache HTTP Server 2.4.66 ships with a double-free vulnerability in mod_http2’s stream cleanup logic, tracked as CVE-2026-23918 with a CVSS of 8.8 and patched in 2.4.67. The bug fires when a client sends an HTTP/2 HEADERS frame immediately followed by RST_STREAM on the same stream before the multiplexer registers it, causing two nghttp2 callbacks to push the same h2_stream pointer onto the spurge cleanup array twice. The second pool destroy then operates on already-freed memory.

Denial of service is trivial against any default build using mod_http2 with a multi-threaded MPM: a single TCP connection and two frames crash the worker, with no authentication or specific endpoint required. Sustained traffic keeps the respawned workers dying. Remote code execution is harder but was demonstrated on x86_64 against APR builds using the mmap allocator, which is the default on Debian-derived distros and the official httpd Docker image. The proof-of-concept reuses the freed address via mmap, plants a fake h2_stream whose cleanup function points to system(), and parks the command string in Apache’s scoreboard, which sits at a fixed address even with ASLR enabled.

MPM prefork deployments are not exposed, but mod_http2 ships in default builds and HTTP/2 is widely enabled, making the attack surface broad. Practical RCE still requires an info leak for the scoreboard offsets and system()'s address, and the heap spray is probabilistic, but lab exploitation lands in minutes. Operators should move to 2.4.67 immediately or, if patching has to wait, disable mod_http2 or fall back to prefork.
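As an added check for operators (example code, not from the article or the httpd project): a POSIX shell function that reads `httpd -V` and `httpd -M` output and reports whether a build matches the exposed configuration the summary describes (older than 2.4.67, mod_http2 loaded, non-prefork MPM). It assumes every release before the 2.4.67 fix is affected, which the summary implies but does not state, and the sample output it runs against is constructed.

```shell
#!/bin/sh
# Added example, not from the article or the httpd project. Classifies a build
# from the text of `httpd -V` and `httpd -M` (apachectl/apache2ctl give the
# same output) against the exposed configuration the summary describes.
# Assumption: every release before the 2.4.67 fix is treated as affected.

# Turn a dotted version into a comparable integer: 2.4.66 -> 2004066.
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# True when version $1 is older than version $2.
version_lt() {
    [ "$(vernum "$1")" -lt "$(vernum "$2")" ]
}

# $1 = `httpd -V` output, $2 = `httpd -M` output.
# Prints exactly one verdict: unknown, patched, no-http2, prefork or exposed.
http2_exposure() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p')
    mpm=$(printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*\([A-Za-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Fixed release or later: the double-free is gone regardless of config.
    if ! version_lt "$ver" 2.4.67; then echo patched; return 0; fi
    # mod_http2 not loaded: the vulnerable stream cleanup never runs.
    if ! printf '%s\n' "$2" | grep -q '^ *http2_module'; then echo no-http2; return 0; fi
    # The summary says prefork deployments are not exposed.
    if [ "$mpm" = prefork ]; then echo prefork; return 0; fi
    echo exposed
}

# Constructed sample output for a 2.4.66 build on the event MPM with mod_http2.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   Jan 01 2026 00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

# Check the constructed sample, then the local build if httpd is installed.
echo "sample: $(http2_exposure "$SAMPLE_V" "$SAMPLE_M")"   # sample: exposed
if command -v httpd >/dev/null 2>&1; then
    echo "local: $(http2_exposure "$(httpd -V 2>/dev/null)" "$(httpd -M 2>/dev/null)")"
fi
```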


This is an AI-generated summary. Read the original for the full story.