Share
## https://sploitus.com/exploit?id=A0490CD5-A987-5168-91C3-E9E9264A02DF
# CVE-2026-23918 Apache mod_http2 Double-Free Detector
https://github.com/user-attachments/assets/d6c30e58-548c-4b6d-9ba3-baa667238a58
# Vulnerability Summary
| Field | Value |
|---|---|
| CVE | CVE-2026-23918 |
| Severity | High |
| CVSS | 8.8 |
| Component | Apache httpd mod_http2 |
| Impact | Denial of Service / Potential RCE |
| Fixed Version | Apache httpd 2.4.67 / mod_http2 2.0.37 |
# Technical Details
- **DoS:** trivial trigger using:
- `1 connection`
- `2 HTTP/2 frames`
- **Potential RCE vector**
- APR mmap allocator
- Debian / Docker environments
- **Fix**
- Apache httpd `2.4.67`
- mod_http2 `2.0.37`
# Credits
## Vulnerability Discovery
- Bartlomiej Dmitruk - Striga.ai
- Stanislaw Strzalkowski - ISEC.pl
## Detector Script
- Alex Hernandez aka (@\_alt3kx\_)
# References
- https://vulners.com/cve/CVE-2026-23918
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/blob/trunk/CHANGES
- https://bz.apache.org/bugzilla/show_bug.cgi?id=69899
# Disclaimer
This project is provided strictly for:
- Authorized security assessments
- Defensive testing
- Educational research
Unauthorized testing against systems without explicit written permission may violate applicable laws.
The author assumes no liability for misuse.