## https://sploitus.com/exploit?id=A073AC78-1452-570E-B94C-54F2AC0751AA
# cve-2026-23918
Defensive audit tools for **CVE-2026-23918** (Apache HTTPD HTTP/2 double-free RCE) and four related CVEs disclosed in the May 4, 2026 Apache Software Foundation security advisory.
| CVE | Severity | Component | Impact | Affected |
| --- | --- | --- | --- | --- |
| **CVE-2026-23918** | High (CVSS 8.8) | HTTP/2 | Double Free / RCE | 2.4.66 only |
| CVE-2026-24072 | Moderate | `mod_rewrite` (`ap_expr`) | Privilege Escalation | โค 2.4.66 |
| CVE-2026-28780 | Low | `mod_proxy_ajp` | Heap Buffer Overflow | โค 2.4.66 |
| CVE-2026-29168 | Low | `mod_md` (OCSP) | Resource Exhaustion | 2.4.30 โ 2.4.66 |
| CVE-2026-29169 | Low | `mod_dav_lock` | NULL Ptr Deref / DoS | โค 2.4.66 |
All issues are patched in **Apache HTTP Server 2.4.67**.
---
## โ ๏ธ Authorization & Scope
These tools are intended for use **only against systems you own or have explicit written authorization to test**. Unauthorized scanning may be illegal in your jurisdiction.
The toolkit is **defensive by design**:
- No vulnerability payloads, no exploit attempts, no intrusive probing.
- The passive scanner reads only the standard `Server:` HTTP header and uses standard TLS ALPN โ the same mechanism every modern browser uses to negotiate HTTP/2.
- The local auditor is read-only; no file or configuration is modified.
---
## Contents
```
.
โโโ apache_passive_audit.py # External asset audit (banner-grab + ALPN)
โโโ apache_local_audit.py # On-host / SSH local audit
โโโ LICENSE # MIT
โโโ .gitignore
โโโ README.md
```
## Requirements
- **Python 3.6+** โ works on Ubuntu 18.04's default `python3` and every later release.
- Standard library only โ **no external dependencies**.
## Installation
```bash
git clone https://github.com/sibersan/cve-2026-23918.git
cd cve-2026-23918
chmod +x apache_passive_audit.py apache_local_audit.py
```
---
## 1. Passive Audit โ `apache_passive_audit.py`
Reads the HTTP `Server:` header to detect the Apache version and matches it against the CVE table. Additionally, for HTTPS targets, performs a standard TLS ALPN negotiation to determine whether HTTP/2 is exposed โ this is the key precondition for CVE-2026-23918 to be exploitable. No exploit payloads are sent.
### HTTP/2 verification (ALPN)
The script offers `h2` and `http/1.1` in the TLS handshake's ALPN extension (RFC 7301). The server's choice is the standard, unambiguous answer to "is HTTP/2 enabled?" โ used by every modern browser and curl. It does not trigger the vulnerability or any unusual behavior.
The risk verdict reflects this:
- Version 2.4.66 **+ HTTP/2 confirmed via ALPN** โ **VULNERABLE** (RCE vector open)
- Version 2.4.66 **+ HTTP/2 not negotiated** โ **AT_RISK** (still unpatched; other low/moderate CVEs apply, but the High-severity RCE vector is closed)
- ALPN test could not be performed โ conservative; assume exposed
- Version โฅ 2.4.67 โ **SAFE**
### Usage
```bash
# Single target
python3 apache_passive_audit.py -t https://web.example.com
# Multiple targets
python3 apache_passive_audit.py -t https://a.example.com -t https://b.example.com
# Targets file, parallel, CSV + JSON output
python3 apache_passive_audit.py -f targets.txt -w 20 -o report.csv --json report.json
# CI / log-friendly (no colors)
python3 apache_passive_audit.py -f targets.txt --no-color
```
`targets.txt` format (one target per line, `#` for comments):
```
https://www.example.com
intranet.example.local:8443
# old staging box
http://10.0.5.12
```
### Options
| Flag | Description |
| --- | --- |
| `-t, --target` | Single target (may be repeated) |
| `-f, --file` | Targets list file |
| `-o, --csv` | CSV report output |
| `--json` | JSON report output |
| `--timeout` | Request timeout in seconds (default 10) |
| `-w, --workers` | Parallel worker threads (default 10) |
| `--no-color` | Disable colored output |
### Exit codes (CI/CD friendly)
| Code | Meaning |
| --- | --- |
| 0 | All targets safe |
| 1 | At least one target `UNKNOWN` or `ERROR` |
| 2 | At least one target `VULNERABLE` or `AT_RISK` |
### Risk levels
| Level | Meaning |
| --- | --- |
| `VULNERABLE` | Version matches an advisory CVE range AND its precondition is met (e.g. HTTP/2 enabled) |
| `AT_RISK` | Unpatched version but the High-severity precondition is NOT met; other CVEs still apply |
| `SAFE` | Version โฅ 2.4.67 |
| `UNKNOWN` | Banner hidden (`ServerTokens Prod`) or masked by reverse proxy/WAF โ verify with the local audit script |
| `NOT_APACHE` | Not Apache (nginx, IIS, etc.) |
| `ERROR` | Connection error |
### Limitations
- Servers with `ServerTokens Prod` or `Minimal` hide the version โ the script honestly returns `UNKNOWN`. Use the local audit to confirm.
- An Apache instance behind a reverse proxy (Cloudflare, F5, nginx, etc.) may not expose its version at the edge.
- ALPN HTTP/2 detection is meaningful only for HTTPS targets. HTTP/2 cleartext (h2c) is rare in practice and not tested.
---
## 2. Local Audit โ `apache_local_audit.py`
Runs on the target host (or via SSH) and inspects the Apache binary, version, loaded modules, and HTTP/2 configuration. It also evaluates **exploitability preconditions**: e.g. if the version is 2.4.66 but HTTP/2 is disabled, the risk for CVE-2026-23918 is downgraded accordingly.
### Usage
```bash
sudo python3 apache_local_audit.py
# JSON report (for centralized inventory)
sudo python3 apache_local_audit.py --json /var/log/apache_audit_$(hostname).json
# Custom binary path
sudo python3 apache_local_audit.py --binary /opt/apache/bin/httpd
```
### Detection capabilities
- `httpd -v` / `apache2 -v` โ version
- `httpd -V` โ build info, `HTTPD_ROOT`, `SERVER_CONFIG_FILE`
- `apache2ctl -M` or `httpd -M` โ loaded modules
- `dpkg-query` / `rpm -q` โ package version
- Main configuration plus all files pulled in via `Include`/`IncludeOptional` (including Debian's `sites-enabled/`, `mods-enabled/`) โ `Protocols` directive (h2 / h2c / http/1.1)
### Options
| Flag | Description |
| --- | --- |
| `--binary` | Apache binary path (override auto-detect) |
| `--json` | JSON report output |
| `--no-color` | Disable colored output |
### Exit codes
| Code | Meaning |
| --- | --- |
| 0 | `SAFE` |
| 1 | `PATCH_NEEDED` or `UNKNOWN` |
| 2 | `VULNERABLE` or `AT_RISK` |
### Risk levels
| Level | Meaning |
| --- | --- |
| `VULNERABLE` | Unpatched version + High-severity CVE preconditions met (e.g. HTTP/2 enabled) |
| `AT_RISK` | Unpatched version + at least one CVE precondition met |
| `PATCH_NEEDED` | Unpatched version but no relevant module/protocol enabled โ patch anyway |
| `SAFE` | Version โฅ 2.4.67 |
| `UNKNOWN` | Version could not be detected |
### Privileges
`sudo`/`root` is recommended for full configuration reads. Without it, some files in `sites-enabled/`, `mods-enabled/`, or `/etc/httpd/conf.d/` may be unreadable.
---
## Running across an inventory
To run the local audit on multiple hosts and collect reports centrally, an Ansible ad-hoc example:
```bash
ansible all -i inventory.ini -b -m script \
-a "apache_local_audit.py --json /tmp/apache_audit.json --no-color"
ansible all -i inventory.ini -b -m fetch \
-a "src=/tmp/apache_audit.json dest=./reports/ flat=no"
```
Collected JSON files can be merged with `jq` or a small Python script.
---
## Recommended Mitigations
For CVE-2026-23918 (until patched):
1. **Upgrade Apache HTTP Server to 2.4.67 or later** โ the only permanent fix.
2. As an interim measure, **disable HTTP/2**: remove `h2` and `h2c` from the `Protocols` directive in your configuration, or `sudo a2dismod http2` on Debian/Ubuntu, then reload the service.
3. Unload `mod_dav_lock` if not in use (CVE-2026-29169).
4. Audit users / virtual hosts with `.htaccess` write access (CVE-2026-24072).
Official advisory:
---
## Contributing
Pull requests are welcome. When adding a new CVE, please:
- Add an entry to `CVE_TABLE` with the affected version range and `match` lambda.
- For the local script, define the appropriate `needs` field for precondition checks (loaded module, enabled protocol, etc.).
- Update the README table.
- Maintain Python 3.6 compatibility: avoid f-strings, `from __future__ import annotations`, PEP 585 generics (`list[int]`), `subprocess.run(capture_output=True)`, and `@dataclass`.
## Maintainer
[**SiberSAN**](https://github.com/sibersan)
## License
[MIT](LICENSE) ยฉ 2026 SiberSAN
## Disclaimer
This software is provided "as is", without warranty of any kind. Validate in a test environment before production use. The user assumes all legal responsibility for any use against unauthorized systems.