CVE-2026-23918: Critical Apache HTTP/2 Flaw Can Trigger DoS and Possible RCE
ID: 7573de66-ab0b-59cd-b1e2-99e17d327e4b
STIX ID: report--7573de66-ab0b-59cd-b1e2-99e17d327e4b
Feed Name: SOC Prime Blog
CVE-2026-23918 is a critical double-free flaw in Apache HTTP Server's HTTP/2 handling (mod_http2) that can crash worker processes and, under favorable conditions, lead to remote code execution. Apache patched the issue in version 2.4.67 (released May 4, 2026). Systems running 2.4.66 with mod_http2 and threaded MPMs are most at risk. The immediate mitigation is to upgrade to 2.4.67 or reduce HTTP/2 exposure until patched.
