
Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks

Source: Cyber Security News (archived May 05, 2026)



By Guru Baran, May 5, 2026

The Apache Software Foundation has released a critical security update for Apache HTTP Server, patching five vulnerabilities, including a dangerous double-free flaw capable of enabling Remote Code Execution (RCE). The fix ships in version 2.4.67, released on May 4, 2026. All users running version 2.4.66 or earlier are strongly urged to upgrade immediately.

The most severe of the five vulnerabilities is CVE-2026-23918, rated High with a CVSS base score of 8.8. The flaw is a double-free memory corruption bug triggered within Apache's HTTP/2 protocol implementation during an "early stream reset" sequence. A double-free vulnerability occurs when a program releases the same memory region twice, corrupting heap memory structures and potentially letting an attacker redirect execution flow; in this case, it opens the door to Remote Code Execution.

The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and was first reported to the Apache security team on December 10, 2025, by Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl. A fix was committed in revision r1930444 the very next day, December 11, 2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.

A second flaw, CVE-2026-24072, is rated Moderate and concerns mod_rewrite's use of ap_expr expression evaluation. The vulnerability allows local .htaccess authors to read arbitrary files with the privileges of the httpd user, effectively escalating their privileges beyond their intended access level. This bug affects Apache HTTP Server 2.4.66 and earlier and was reported on January 20, 2026, by researcher y7syeu.
Additional Vulnerabilities Patched

Three further lower-severity flaws were also addressed in the same 2.4.67 update:

- CVE-2026-28780: A heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP server, that server can send a crafted AJP message causing the module to write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported independently by four researchers between February and March 2026.
- CVE-2026-29168: An uncapped resource allocation vulnerability in mod_md's OCSP response handler. Attackers could exploit this to exhaust server resources via oversized OCSP response data. Affects versions 2.4.30 through 2.4.66; reported by Pavel Kohout of Aisle Research on March 2, 2026.
- CVE-2026-29169: A NULL pointer dereference in mod_dav_lock that allows an attacker to crash the server using a maliciously crafted request. Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs; its only known use case was with mod_dav_svn from Apache Subversion versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade immediately may simply remove mod_dav_lock.

CVE            | Severity         | Component            | Impact                     | Affected Versions
---------------|------------------|----------------------|----------------------------|------------------
CVE-2026-23918 | High (CVSS 8.8)  | HTTP/2               | Double Free / RCE          | 2.4.66 only
CVE-2026-24072 | Moderate         | mod_rewrite (ap_expr)| Privilege Escalation       | <= 2.4.66
CVE-2026-28780 | Low              | mod_proxy_ajp        | Heap Buffer Overflow       | <= 2.4.66
CVE-2026-29168 | Low              | mod_md (OCSP)        | Resource Exhaustion        | 2.4.30 to 2.4.66
CVE-2026-29169 | Low              | mod_dav_lock         | NULL Ptr Dereference / DoS | <= 2.4.66

Mitigations

Given Apache HTTP Server's enormous global footprint, the RCE risk posed by CVE-2026-23918 represents a significant threat to enterprise infrastructure worldwide. Administrators should take the following actions immediately:

- Upgrade to Apache HTTP Server 2.4.67, the only complete fix for all five vulnerabilities.
- Disable HTTP/2 temporarily if an immediate upgrade is not feasible, to reduce exposure to CVE-2026-23918.
- Remove mod_dav_lock if the module is not in active use, as an interim mitigation for CVE-2026-29169.
- Audit .htaccess permissions to limit exposure to CVE-2026-24072 in environments where local user access is a concern.
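As an added example (not from the article or the Apache project), the script below turns the advisory's affected-version ranges and module dependencies into a quick exposure check over the text that `httpd -v` and `httpd -M` print. The sample outputs are constructed, and the "2.4.66 and earlier" entries are assumed to cover all of 2.4.x since the advisory gives no lower bound for them.

```python
import re

# Affected ranges and module dependencies as stated in the article.
# Assumption: "2.4.66 and earlier" is treated as every 2.4.x release.
CVES = [
    ("CVE-2026-23918", "http2_module",     (2, 4, 66), (2, 4, 66), "upgrade, or disable HTTP/2 until you can"),
    ("CVE-2026-24072", "rewrite_module",   (2, 4, 0),  (2, 4, 66), "upgrade; audit who may write .htaccess"),
    ("CVE-2026-28780", "proxy_ajp_module", (2, 4, 0),  (2, 4, 66), "upgrade; exploit needs a malicious AJP backend"),
    ("CVE-2026-29168", "md_module",        (2, 4, 30), (2, 4, 66), "upgrade"),
    ("CVE-2026-29169", "dav_lock_module",  (2, 4, 0),  (2, 4, 66), "upgrade, or remove mod_dav_lock until you can"),
]

def parse_version(httpd_v):
    """Extract (major, minor, patch) from 'httpd -v' output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())

def parse_modules(httpd_m):
    """Collect module names from 'httpd -M' lines like ' http2_module (shared)'."""
    return {line.split()[0] for line in httpd_m.splitlines()
            if line.strip().endswith(("(static)", "(shared)"))}

def assess(httpd_v, httpd_m):
    """Return (version, [(cve, module, action), ...]) for the CVEs that apply.
    A loaded module is only a proxy for exposure: HTTP/2 must also be enabled
    in the configuration for CVE-2026-23918 to be reachable."""
    ver = parse_version(httpd_v)
    mods = parse_modules(httpd_m)
    hits = [(cve, mod, action) for cve, mod, low, high, action in CVES
            if low <= ver <= high and mod in mods]
    return ver, hits

# Constructed sample output in the shape 'httpd -v' and 'httpd -M' produce.
SAMPLE_V = "Server version: Apache/2.4.66 (Unix)"
SAMPLE_M = """Loaded Modules:
 core_module (static)
 http2_module (shared)
 rewrite_module (shared)
 dav_lock_module (shared)
"""

if __name__ == "__main__":
    ver, hits = assess(SAMPLE_V, SAMPLE_M)
    print("httpd %d.%d.%d" % ver)
    for cve, mod, action in hits:
        print(f"  {cve}: {mod} loaded -> {action}")
```

On a real host, feed it `subprocess.run(["httpd", "-v"], ...)` and `httpd -M` output instead of the constructed samples (the binary is `apache2ctl` on Debian-derived systems).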