Apache HTTP/2 Double-Free (CVE-2026-23918): What You Need to Do Before Friday
A memory-corruption bug in Apache HTTP Server’s HTTP/2 implementation was publicly disclosed this week, and the details are ugly enough that you should stop reading this sentence and go check your Apache version right now. Done? Good. Let’s talk about what’s actually going on.

The Bug

CVE-2026-23918 is a double-free vulnerability in mod_http2, specifically in the stream cleanup path of Apache httpd 2.4.66. A double-free happens when code tries to release the same chunk of memory twice — a classic mistake that corrupts internal allocator state and typically leads to crashes, and sometimes worse. ...
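One way to script the version check urged above, as an added example (not code from the original post or from the Apache project). The function names and result labels are hypothetical, the sample text is constructed, and a non-matching result means only that the install is not the release this page names.

```bash
#!/usr/bin/env bash
# Classify an Apache install against the release named on this page.
# Inputs: the text printed by `httpd -v` and by `httpd -M`.

AFFECTED_VERSION="2.4.66"   # the only version this page names

# Pull "X.Y.Z" out of a "Server version: Apache/X.Y.Z (Distro)" line.
parse_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeeds only for http2_module itself (static or shared).
# Anchoring the match keeps proxy_http2_module from counting as a hit.
has_mod_http2() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# Prints one label (labels are this example's own, not Apache output).
classify() {
    local ver
    ver=$(parse_httpd_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown-version"
    elif [ "$ver" != "$AFFECTED_VERSION" ]; then
        echo "not-named-version:$ver"
    elif has_mod_http2 "$2"; then
        echo "named-version-with-mod_http2"
    else
        echo "named-version-mod_http2-not-loaded"
    fi
}

# Constructed sample output, used when httpd is not on PATH.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'

if command -v httpd >/dev/null 2>&1; then
    classify "$(httpd -v 2>/dev/null)" "$(httpd -M 2>/dev/null)"
else
    classify "$SAMPLE_V" "$SAMPLE_M"
fi
```

On Debian-family systems the binary is `apache2`, so feed the functions the output of `apache2ctl -v` and `apache2ctl -M` instead.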