Share
## https://sploitus.com/exploit?id=6E9B0B31-6FD4-5E8C-9907-69DF0B4465A1
# CVE-2026-23918-test
This repository contains a Proof of Concept (PoC) demonstrating the Double Free vulnerability (CVE-2026-23918) in Apache HTTP Server 2.4.66 `mod_http2`.


The vulnerability stems from a race condition during early RST_STREAM frame processing. I focused on the timing window where the session handler and backend worker both attempt to purge the stream's memory pool, leading to a double free in the APR allocator.

Current Progress
Crash Triggered: Successfully hit the race condition locally. The Apache child process terminates with a Segmentation fault (11).

DoS Status: At this stage, the PoC achieves a reliable Denial of Service by corrupting the allocator's free list.

RCE Research Path
To progress from a crash to execution, the following areas require further work:

Heap Grooming: Stabilizing the heap to ensure the corrupted chunk overlaps with a predictable structure.

Control Flow: Overwriting apr_pool_cleanup_register or similar function pointers to redirect execution.

ROP Chain: Building a chain to bypass NX/ASLR once the instruction pointer is controlled.

Files
Dockerfile: Sets up a vulnerable 2.4.66 instance with HTTP/2 enabled.

poc.py: Script designed to trigger the race condition through rapid frame sequencing.