{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "2.4.66", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai" }, { "lang": "en", "type": "finder", "value": "Stanislaw Strzalkowski, isec.pl" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.

This issue affects Apache HTTP Server: 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

" } ], "value": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue." } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-415", "description": "CWE-415 Double Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09" }, "source": { "discovery": "UNKNOWN" }, "timeline": [ { "lang": "en", "time": "2025-12-10T14:02:00.000Z", "value": "reported in PR 69899" }, { "lang": "en", "time": "2025-12-11T14:03:00.000Z", "value": "fixed in r1930444" }, { "lang": "eng", "time": "2026-05-04", "value": "2.4.67 released" } ], "title": "Apache HTTP Server: http2: double free and possible RCE on early reset", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "cveId": "CVE-2026-23918", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }