
Apache HTTP Server 2.4.67 Fixes Critical RCE Flaw, Immediate Update Recommended


Apache HTTP Server has received a security update with the release of version 2.4.67. The update patches five vulnerabilities, including a high-severity (CVSS 8.8) memory corruption issue that could allow Remote Code Execution (RCE). The release went live on May 4, 2026, and anyone running version 2.4.66 or older should upgrade as soon as possible.

The most serious vulnerability is tracked as CVE-2026-23918. It carries a CVSS score of 8.8 and affects the HTTP/2 implementation (mod_http2) in version 2.4.66. It is a double-free memory corruption bug that can be triggered when an HTTP/2 stream is reset early in its lifetime.

A double free releases the same heap allocation twice, which corrupts the allocator's bookkeeping for that memory. An attacker who can reach the bug over the network and shape the allocations that follow it may be able to turn that corruption into control of execution flow and run code on the server. Since Apache powers a massive portion of the web, this is not just a theoretical issue; it has real-world impact if left unpatched.

The vulnerability was reported in December 2025 by security researchers from striga.ai and isec.pl. A fix was prepared quickly, but it is only now publicly available in version 2.4.67.

Another important issue fixed in this update is CVE-2026-24072. This one affects the mod_rewrite module and allows privilege escalation through .htaccess manipulation. Although it is rated moderate, it matters on shared hosting, where many tenants can write their own .htaccess files and rewrite rules.

The update also addresses three lower-severity vulnerabilities: a heap buffer overflow in mod_proxy_ajp, a resource exhaustion issue in mod_md, and a NULL pointer dereference in mod_dav_lock that can crash the server.

The RCE flaw is the biggest concern here. Even though it affects only version 2.4.66, that was the current release before this update, so many up-to-date deployments are exposed. Many production servers do not update immediately, and that delay is exactly what attackers look for.

HTTP/2-related bugs are becoming more common as the protocol adds complexity to server behavior. Performance improvements often come with edge cases, and this looks like one of them. If your server does not strictly need HTTP/2, temporarily disabling it is a reasonable short-term step until you complete the upgrade. In Apache that means removing h2 (TLS) and h2c (cleartext) from every Protocols directive, or not loading mod_http2 at all; with neither listed, the server only speaks HTTP/1.1 and the vulnerable stream handling is never reached.

The mod_rewrite issue is also worth noting. A lot of developers rely heavily on rewrite rules without fully understanding how expressions are evaluated. This vulnerability is a reminder that even common modules can introduce security risks if not properly controlled.

Apache has provided clear mitigation steps. The best solution is to upgrade to version 2.4.67. If that is not immediately possible, disable HTTP/2, review who can write .htaccess files and whether AllowOverride permits rewrite rules in them, and remove modules you do not use among the affected ones (mod_dav_lock, mod_proxy_ajp, mod_md). Keep in mind that disabling HTTP/2 addresses only the double free; the other four fixes arrive only with the upgrade.
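The checks behind the interim steps above (the HTTP/2 workaround and the .htaccess review), as an added example written for this page; it is not code from the article's author or from the Apache project. It assumes only what the article states: 2.4.67 is the fixed release, the HTTP/2 double free (CVE-2026-23918) affects 2.4.66, and HTTP/2 can be switched off in the meantime. The httpd -v output and the vhost snippet at the bottom are constructed sample input.

```shell
#!/bin/sh
# Triage helpers for the Apache httpd 2.4.67 advisory. Added example, not the article's
# or the Apache project's code. Assumptions: 2.4.67 is the fixed release and the HTTP/2
# double free affects 2.4.66 (both as stated in the article).

# httpd_version TEXT: pull "2.4.66" out of `httpd -v` output.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# needs_upgrade VERSION: succeed when VERSION sorts before 2.4.67, comparing each numeric
# component so that 2.4.9 < 2.4.67 and 2.2.34 < 2.4.67 (a plain string compare gets both wrong).
needs_upgrade() {
    v=${1%%[!0-9.]*}                      # drop a distro suffix such as "-1ubuntu1"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    [ "$patch" -lt 67 ]
}

# h2_enabled CONFIG_TEXT: succeed when an uncommented Protocols directive lists h2 or h2c.
# Directive names are case-insensitive in httpd; a space must follow the name, so
# ProtocolsHonorOrder is not mistaken for it.
h2_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)'
}

# disable_h2 CONFIG_TEXT: print CONFIG_TEXT with every Protocols line reduced to http/1.1,
# the interim workaround for the double free until 2.4.67 is installed.
disable_h2() {
    printf '%s\n' "$1" |
        sed -E 's#^([[:space:]]*)[Pp]rotocols[[:space:]].*#\1Protocols http/1.1#'
}

# htaccess_override_enabled CONFIG_TEXT: succeed when any AllowOverride is something other
# than None, i.e. tenants can put RewriteRule and friends into .htaccess.
htaccess_override_enabled() {
    printf '%s\n' "$1" |
        grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' |
        grep -Eivq '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'
}

# writable_htaccess DIR: list .htaccess files under DIR that are group- or world-writable.
writable_htaccess() {
    find "$1" -name .htaccess \( -perm -020 -o -perm -002 \) -print
}

# Constructed sample input standing in for a 2.4.66 host with HTTP/2 on and tenant
# .htaccess overrides allowed (not captured from a real system).
SAMPLE_HTTPD_V='Server version: Apache/2.4.66 (Unix)'
SAMPLE_CONF='Protocols h2 http/1.1
ProtocolsHonorOrder On
<Directory /var/www/shared>
    AllowOverride All
</Directory>'

# triage: run the checks over the sample input and print what an operator would act on.
triage() {
    ver=$(httpd_version "$SAMPLE_HTTPD_V")
    needs_upgrade "$ver" && echo "httpd $ver is older than 2.4.67: schedule the upgrade"
    [ "$ver" = "2.4.66" ] && echo "httpd $ver is the release named for CVE-2026-23918"
    if h2_enabled "$SAMPLE_CONF"; then
        echo "HTTP/2 is enabled; interim config with h2 removed:"
        disable_h2 "$SAMPLE_CONF"
    fi
    htaccess_override_enabled "$SAMPLE_CONF" &&
        echo "AllowOverride permits .htaccess rewrite rules: review tenant write access"
    return 0
}

triage
```

On a live host, feed httpd_version the output of httpd -v (apachectl -v on some distributions) and pass the config files to h2_enabled; because Protocols may sit in an included vhost file, list every file the server actually reads with apachectl -t -D DUMP_INCLUDES before grepping. On Debian-derived systems the blunter alternative is a2dismod http2 followed by a restart, after which apachectl -M should no longer list http2_module. Run apachectl configtest before reloading any edited file.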

The patch is already available, and the affected version range is limited. However, the scale of Apache’s usage means even a small delay in patching could expose a large number of servers.


About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known security researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
