HTTP/2 stream cleanup is hard, and Apache just paid for that.
CVE-2026-23918 is a double-free in Apache httpd 2.4.66's mod_http2, in the stream cleanup path of h2_mplx.c. The trigger is concise: a client sends an HTTP/2 HEADERS frame, then a RST_STREAM with a non-zero error code on the same stream, before the multiplexer has registered the stream. The cleanup runs twice. The allocator notices.
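The sequence described above is cheap to spot in traffic once the frames are visible in plaintext. Added example, not code from this post or from the httpd project: it parses raw HTTP/2 frames and reports streams that receive a RST_STREAM with a non-zero error code while HEADERS is the only frame seen on them. It assumes decrypted frames (h2c, or a TLS-terminating proxy's frame log); the sample bytes are constructed for the demo.

```python
import struct
from typing import Iterator, List, Tuple

# HTTP/2 frame type codes and flags (RFC 9113)
DATA, HEADERS, RST_STREAM = 0x0, 0x1, 0x3
FLAG_END_HEADERS, FLAG_END_STREAM = 0x4, 0x1

def iter_frames(buf: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (type, flags, stream_id, payload) from a buffer of raw HTTP/2 frames."""
    off = 0
    while off + 9 <= len(buf):                      # 9-byte fixed frame header
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop R bit
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                   # truncated capture: stop, don't misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length

def find_early_resets(buf: bytes) -> List[Tuple[int, int]]:
    """Return (stream_id, error_code) for every stream reset with a non-zero
    error code while HEADERS is the only frame seen on that stream so far."""
    seen = {}   # stream_id -> frame types observed, in order
    hits = []
    for ftype, flags, sid, payload in iter_frames(buf):
        if sid == 0:
            continue                                # connection-level frames are not streams
        if ftype == RST_STREAM and len(payload) == 4:
            err = struct.unpack("!I", payload)[0]
            if err != 0 and seen.get(sid) == [HEADERS]:
                hits.append((sid, err))
        seen.setdefault(sid, []).append(ftype)
    return hits

def _frame(ftype: int, flags: int, sid: int, payload: bytes = b"") -> bytes:
    # Builds one frame for the constructed sample below; not a capture from a real host.
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", sid) + payload

# Constructed sample traffic: three streams, only stream 1 matches the pattern.
SAMPLE = (
    _frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82")          # stream 1: HEADERS (HPACK ':method GET')
    + _frame(RST_STREAM, 0, 1, struct.pack("!I", 0x8))     # stream 1: RST_STREAM CANCEL right after
    + _frame(HEADERS, FLAG_END_HEADERS, 3, b"\x82")
    + _frame(DATA, FLAG_END_STREAM, 3, b"hi")              # stream 3: normal request, benign
    + _frame(HEADERS, FLAG_END_HEADERS, 5, b"\x82")
    + _frame(RST_STREAM, 0, 5, struct.pack("!I", 0))       # stream 5: NO_ERROR reset, not flagged
)
```

A hit means the frame order matched, not that the server-side race fired; treat it as a triage signal and pair it with httpd crash or segfault logs from the same connection.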
Confirmed impact today: denial of service. The Apache advisory acknowledges potential RCE under heap-shaping conditions. Nobody's published a reliable RCE chain yet, which is small comfort.
§ 01 What to do
Patch to 2.4.67. If you can't, disable mod_http2 (HTTP/1.1 is fine for most edges in front of a real load balancer) or front Apache with a different terminator that won't pass malformed HTTP/2 through.
The deeper lesson is the one Apache keeps re-teaching: protocol-state machines that hand-roll their own multiplexing are the consistent source of these bugs. If you're writing one in 2026, you're choosing that risk on purpose.