[SECURITY-L] Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks

CSIRT Unicamp security at unicamp.br
Tue May 5 08:55:10 -03 2026


Critical Apache HTTP Server Flaw Exposes Millions of Servers to RCE Attacks
Source: https://cybersecuritynews.com/apache-http-server-rce/

The Apache Software Foundation has released a critical security update for
Apache HTTP Server
<https://cybersecuritynews.com/apache-http-server-2-4-64-released/>, version
2.4.67, released on May 4, 2026. It patches five vulnerabilities, including a
dangerous double-free flaw capable of enabling Remote Code Execution (RCE).
All users running version 2.4.66 or earlier are strongly urged to upgrade
immediately.

The most severe of the five vulnerabilities is CVE-2026-23918, rated High
with a CVSS base score of 8.8.

The flaw is a double-free memory corruption bug triggered within Apache’s
HTTP/2 protocol implementation during an “early stream reset” sequence.

A double-free vulnerability occurs when a program releases the same memory
region twice, corrupting the heap allocator's bookkeeping structures and
potentially allowing an attacker to redirect execution flow; in this case,
that opens the door to Remote Code Execution.

The vulnerability exclusively affects Apache HTTP Server version 2.4.66 and
was first reported to the Apache security team on December 10, 2025, by
Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl.

A fix was committed in revision r1930444 the very next day, December 11,
2025, with the public patch shipped in the 2.4.67 release on May 4, 2026.

A second flaw, CVE-2026-24072, is rated Moderate and lies in mod_rewrite's
use of ap_expr expression evaluation.

The vulnerability allows local .htaccess authors to read arbitrary files
with the privileges of the httpd user, effectively enabling an escalation
of privileges beyond their intended access level.

This bug affects Apache HTTP Server
<https://httpd.apache.org/security/vulnerabilities_24.html> 2.4.66 and
earlier and was reported on January 20, 2026, by researcher y7syeu.

*Additional Vulnerabilities Patched*

Three further lower-severity flaws were also addressed in the same 2.4.67
update:

   - *CVE-2026-28780* — A heap-based buffer overflow in mod_proxy_ajp via
   ajp_msg_check_header(). If mod_proxy_ajp connects to a malicious AJP
   server, that server can send a crafted AJP message causing the module to
   write 4 attacker-controlled bytes beyond the end of a heap buffer. Reported
   independently by four researchers between February and March 2026.
   - *CVE-2026-29168* — An uncapped resource allocation vulnerability in
   mod_md's OCSP response handler. Attackers could exploit this to exhaust
   server resources via oversized OCSP response data. Affects versions 2.4.30
   through 2.4.66, reported by Pavel Kohout of Aisle Research on March 2, 2026.
   - *CVE-2026-29169* — A NULL pointer dereference in mod_dav_lock that
   allows an attacker to crash the server using a maliciously crafted request.
   Notably, mod_dav_lock is not used internally by mod_dav or mod_dav_fs —
   its only known use case was with mod_dav_svn from Apache Subversion
   versions prior to 1.2.0. As a mitigation, administrators who cannot upgrade
   immediately may simply remove mod_dav_lock.

CVE             Severity         Component              Impact                      Affected Versions
CVE-2026-23918  High (CVSS 8.8)  HTTP/2                 Double Free / RCE           2.4.66 only
CVE-2026-24072  Moderate         mod_rewrite (ap_expr)  Privilege Escalation        ≤ 2.4.66
CVE-2026-28780  Low              mod_proxy_ajp          Heap Buffer Overflow        ≤ 2.4.66
CVE-2026-29168  Low              mod_md (OCSP)          Resource Exhaustion         2.4.30–2.4.66
CVE-2026-29169  Low              mod_dav_lock           NULL Ptr Dereference / DoS  ≤ 2.4.66

*Mitigations*

Given Apache HTTP Server’s enormous global footprint, the RCE risk posed by
CVE-2026-23918 represents a significant threat to enterprise infrastructure
worldwide. Administrators should take the following actions immediately:

   1. *Upgrade to Apache HTTP Server 2.4.67* — the only complete fix for
   all five vulnerabilities.
   2. *Disable HTTP/2* temporarily if an immediate upgrade is not feasible
   to reduce exposure to CVE-2026-23918.
   3. *Remove mod_dav_lock* if the module is not in active use, as an
   interim mitigation for CVE-2026-29169.
   4. *Audit .htaccess permissions* to limit exposure to CVE-2026-24072 in
   environments where local user access is a concern.
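As an added example (not part of the article or of the Apache project), the following POSIX shell helpers turn the version check and the interim mitigations above into something an administrator can run against the output of `httpd -v` and the server's configuration files. The sample version string and configuration lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: triage helpers for the 2.4.67 advisory.
# Inputs below are constructed so the script runs offline; on a real host pass
# the output of `httpd -v` (or `apache2 -v`) and feed the config on stdin.

# Extract "2.4.66" from a line such as "Server version: Apache/2.4.66 (Unix)".
parse_httpd_version() {
    echo "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# True (exit 0) when a 2.4.x version is 2.4.66 or earlier, i.e. it lacks the
# 2.4.67 fixes for all five CVEs. Other branches are out of scope here.
needs_upgrade() {
    major=$(echo "$1" | cut -d. -f1)
    minor=$(echo "$1" | cut -d. -f2)
    patch=$(echo "$1" | cut -d. -f3)
    patch=${patch:-0}   # tolerate a bare "2.4"
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -lt 67 ]
}

# True only for 2.4.66, the single release affected by the HTTP/2
# double free (CVE-2026-23918).
exposed_to_h2_double_free() {
    [ "$1" = "2.4.66" ]
}

# True when an active (uncommented) Protocols directive on stdin still offers
# h2 or h2c; mitigation 2 is to drop them until the upgrade is done.
h2_enabled() {
    grep -Eiq '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)'
}

# True when mod_dav_lock is loaded (mitigation 3: remove it if unused).
dav_lock_loaded() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+dav_lock_module[[:space:]]'
}

# Constructed sample host: the vulnerable release with h2 and mod_dav_lock on.
SAMPLE_VERSION_OUTPUT='Server version: Apache/2.4.66 (Unix)'
SAMPLE_CONF='LoadModule http2_module modules/mod_http2.so
LoadModule dav_lock_module modules/mod_dav_lock.so
Protocols h2 h2c http/1.1'

ver=$(parse_httpd_version "$SAMPLE_VERSION_OUTPUT")
needs_upgrade "$ver" && echo "httpd $ver: upgrade to 2.4.67 required"
exposed_to_h2_double_free "$ver" && echo "httpd $ver: CVE-2026-23918 applies"
echo "$SAMPLE_CONF" | h2_enabled && echo "h2/h2c still offered: disable until upgraded"
echo "$SAMPLE_CONF" | dav_lock_loaded && echo "mod_dav_lock loaded: remove if unused"
```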

Computer Security Incident Response Team - CSIRT
Executive Directorate of Information and Communication Technology - DETIC
University of Campinas - Unicamp
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.unicamp.br/pipermail/security-l/attachments/20260505/c51d66b1/attachment.htm>


More information about the SECURITY-L mailing list