Apache has released security updates for the HTTP Server, addressing several security vulnerabilities. One of the vulnerabilities, tracked as CVE-2026-23918, can result in remote code execution.
The Apache HTTP Server, colloquially known as Apache, is a free, open-source web server software that serves web content over the Internet. It runs on modern operating systems, including Linux, Unix, Microsoft Windows, and macOS.
CVE-2026-23918
Apache described the vulnerability as a double-free issue with possible remote code execution in the HTTP/2 protocol handler. Apache allocates memory to handle an incoming request. An attacker may send a specially crafted frame that will cause the server’s memory management logic to free the same memory region twice – a condition known as a double-free. That corrupts the heap and provides the attacker with a potential path to redirect how the server executes code.
CVE-2026-24072
A privilege escalation vulnerability in various modules of Apache HTTP Server allows local .htaccess authors to read files with the privileges of the httpd user.
CVE-2026-28780
A heap-based Buffer Overflow vulnerability exists in mod_proxy_ajp of the Apache HTTP Server. If mod_proxy_ajp is connected to a malicious AJP server, this AJP server can send a malicious AJP message back to mod_proxy_ajp, causing it to write 4 attacker-controlled bytes after the end of a heap-based buffer.
CVE-2026-29168
Oversized OCSP response packets can exhaust server resources, slow things down, or cause a crash.
CVE-2026-29169
A NULL pointer dereference vulnerability in mod_dav_lock in Apache HTTP Server may allow an attacker to crash the server with a malicious request.mod_dav_lock.
CVE-2026-33006
A timing attack against mod_auth_digest in the Apache HTTP Server may allow a remote attacker to bypass Digest authentication.
CVE-2026-33007
A NULL pointer dereference vulnerability in the mod_authn_socache in Apache HTTP Server may allow an unauthenticated remote user to crash a child process in a caching forward proxy configuration.
CVE-2026-33523
An HTTP response splitting vulnerability exists in multiple Apache HTTP Server modules when used with untrusted or compromised backend servers.
CVE-2026-33857
An out-of-bounds read vulnerability in mod_proxy_ajp of Apache HTTP Server.
CVE-2026-34032
An improper Null Termination and Out-of-bounds Read vulnerability exists in the Apache HTTP Server.
CVE-2026-34059
A buffer overflow vulnerability exists in the Apache HTTP Server.
Affected Versions
The vulnerabilities affect Apache HTTP Server version 2.4.66.
Mitigation
Users must upgrade to the latest version of Apache HTTP Server, 2.4.67, to remediate the vulnerabilities.
For more information on the vulnerabilities, please refer to the Apache Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QIDs 734127, 734129, 520144, and 520146 to detect vulnerable assets.
EVALUATE Vendor-Suggested Mitigation with Policy Audit (PA)
With Qualys Policy Audit’s out-of-the-box mitigation or Compensatory Controls, which reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done immediately, these security controls are not recommended by any industry standards, such as CIS and DISA-STIG.
The Qualys Policy Audit team releases these exclusive controls based on vendor-suggested mitigation and workarounds.
Mitigation refers to a setting, common configuration, or general best practice that, in its default state, can reduce the severity of vulnerability exploitation.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often employs workarounds to overcome hardware, programming, or communication issues. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been published to support the evaluation of recommended mitigations:
- 16470, Status of the ‘dav_lock_module’ module present on the host, 816531
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://httpd.apache.org/security/vulnerabilities_24.html