Apache httpd 2.4.67 fixes HTTP/2 vulnerability with RCE capability

The Apache HTTP Server project has published a maintenance release, httpd 2.4.67, which eliminates the vulnerability CVE-2026-23918 in the HTTP/2 implementation. The issue has been rated as critically important and stems from a double free when handling an early connection reset in HTTP/2. Under unfavorable conditions, the bug can lead not only to a crash of the worker process but also to potential remote code execution.

According to Apache's description, the vulnerability affects Apache HTTP Server 2.4.66. Users of this version are advised to upgrade to 2.4.67, where the issue has been fixed. Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl are credited with discovering the vulnerability.

The release's changelog also notes the update of mod_http2 to version 2.0.37, which prevented a repeated stream purge that led to a double free, and then to 2.0.38 and 2.0.39. In addition to CVE-2026-23918, the release addresses a number of other security issues in mod_proxy_ajp, mod_auth_digest, mod_authn_socache, mod_md, mod_rewrite, and other components.

Apache httpd 2.4.67, published on May 4, 2026, is the current recommended version of the 2.4.x stable branch. Administrators running Apache with HTTP/2 enabled should treat this upgrade as a priority, especially if 2.4.66 is already in use.
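As an added example that is not part of the article or of the Apache project, the POSIX shell script below turns the advice above into a check an administrator can run on a fleet: it parses the output of `httpd -v` and `httpd -M`, compares the running version numerically against the fixed release 2.4.67, and reports a host as exposed only when the version predates the fix and mod_http2 is actually loaded. The two sample outputs embedded in the script are constructed stand-ins for real `httpd -v` / `httpd -M` output.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project): decide whether a
# host is exposed to CVE-2026-23918, i.e. runs Apache httpd older than the fixed
# 2.4.67 with mod_http2 loaded. The two sample outputs at the bottom are
# constructed; on a real host pass "$(httpd -v)" and "$(httpd -M 2>/dev/null)"
# instead (apachectl / apache2ctl on some distributions).

FIXED_VERSION="2.4.67"

# Pull "x.y.z" out of `httpd -v` output ("Server version: Apache/2.4.66 (Unix)").
extract_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 sorts before $2, comparing each numeric field
# (so 2.4.9 < 2.4.67, which a plain string compare would get wrong); a missing
# field counts as 0, so "2.4" compares as "2.4.0".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        l=$(printf '%s' "$1" | cut -d. -f"$i"); r=$(printf '%s' "$2" | cut -d. -f"$i")
        l=${l:-0}; r=${r:-0}
        if [ "$l" -lt "$r" ]; then return 0; fi
        if [ "$l" -gt "$r" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal versions are not "less than"
}

# Return 0 when `httpd -M` output lists mod_http2 (it appears as "http2_module").
http2_loaded() {
    printf '%s\n' "$1" | grep -q 'http2_module'
}

# Combine both checks: print a one-line verdict and return 0 (exposed) only when
# the version predates the fix AND HTTP/2 is loaded; 1 otherwise; 2 on parse failure.
assess() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse httpd version"; return 2
    fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "httpd $ver: fixed release or newer"; return 1
    fi
    if ! http2_loaded "$2"; then
        echo "httpd $ver: pre-fix build but mod_http2 not loaded; upgrade anyway"; return 1
    fi
    echo "httpd $ver with mod_http2 loaded: EXPOSED, upgrade to $FIXED_VERSION"
    return 0
}

# Constructed sample outputs standing in for `httpd -v` and `httpd -M`.
SAMPLE_V="Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00"
SAMPLE_M="Loaded Modules:
 core_module (static)
 http2_module (shared)
 mpm_event_module (shared)"

assess "$SAMPLE_V" "$SAMPLE_M" || true
```

The exit status of `assess` is meant for fleet tooling: a 0 marks the host for priority patching, while a 1 on a host whose version predates the fix but has no mod_http2 loaded still warrants the upgrade, since the release also fixes issues in several other modules.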

Source: linux.org.ru
