Share
## https://sploitus.com/exploit?id=A0490CD5-A987-5168-91C3-E9E9264A02DF
# CVE-2026-23918 Apache mod_http2 Double-Free Detector


  


https://github.com/user-attachments/assets/d6c30e58-548c-4b6d-9ba3-baa667238a58

# Vulnerability Summary

| Field | Value |
|---|---|
| CVE | CVE-2026-23918 |
| Severity | High |
| CVSS | 8.8 |
| Component | Apache httpd mod_http2 |
| Impact | Denial of Service / Potential RCE |
| Fixed Version | Apache httpd 2.4.67 / mod_http2 2.0.37 |

# Technical Details

- **DoS:** trivial trigger using:
  - `1 connection`
  - `2 HTTP/2 frames`

- **Potential RCE vector**
  - APR mmap allocator
  - Debian / Docker environments

- **Fix**
  - Apache httpd `2.4.67`
  - mod_http2 `2.0.37`

# Credits

## Vulnerability Discovery
- Bartlomiej Dmitruk - Striga.ai
- Stanislaw Strzalkowski - ISEC.pl

## Detector Script
- Alex Hernandez aka (@\_alt3kx\_)

# References

- https://vulners.com/cve/CVE-2026-23918
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/blob/trunk/CHANGES
- https://bz.apache.org/bugzilla/show_bug.cgi?id=69899

# Disclaimer

This project is provided strictly for:

- Authorized security assessments
- Defensive testing
- Educational research

Unauthorized testing against systems without explicit written permission may violate applicable laws.

The author assumes no liability for misuse.