Apache 2.4.68 Lands: The HTTP/2 Bomb Fix Goes Mainline, Plus an .htaccess Privilege Escalation Worth Knowing About

Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week.
What’s actually in it
The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically. ...

June 15, 2026 · 3 min

CVE-2026-49975: The HTTP/2 Bomb That Knocks nginx and Apache Offline With a Single Connection

On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant.
What the attack does
The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...

June 4, 2026 · 5 min

Apache HTTP/2 Double-Free (CVE-2026-23918): What You Need to Do Before Friday

A memory-corruption bug in Apache HTTP Server’s HTTP/2 implementation was publicly disclosed this week, and the details are ugly enough that you should stop reading this sentence and go check your Apache version right now. Done? Good. Let’s talk about what’s actually going on.
The Bug
CVE-2026-23918 is a double-free vulnerability in mod_http2, specifically in the stream cleanup path of Apache httpd 2.4.66. A double-free happens when code tries to release the same chunk of memory twice — a classic mistake that corrupts internal allocator state and typically leads to crashes, and sometimes worse. ...

May 6, 2026 · 4 min