Apache HTTP Server 2.4.67 fixes multiple vulnerabilities, but new issues continue to appear
Posted: Tue May 05, 2026 2:03 am
Apache HTTP Server 2.4.67 fixes several security issues in Apache 2.4.66 and earlier. The most serious issue is CVE-2026-23918, an HTTP/2 double-free vulnerability with possible remote code execution.
Apache has released Apache HTTP Server 2.4.67 as an important security update. The update fixes multiple vulnerabilities affecting Apache 2.4.66 and earlier versions.
The most critical issue in this update is CVE-2026-23918. It affects Apache’s HTTP/2 handling and is described as a double-free vulnerability with possible remote code execution. This is especially important for public HTTPS servers where HTTP/2 is enabled.
Other vulnerabilities affect modules such as mod_proxy_ajp, mod_auth_digest, mod_authn_socache, mod_dav_lock, mod_md and mod_rewrite. Depending on the server configuration, the impact may include denial of service, authentication bypass, privilege issues, memory disclosure or crashes.
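To triage a host against the list above, the following added example (not part of the original post or of Apache's tooling) parses `apachectl -v` and `apachectl -M` output and reports whether the version is older than 2.4.67 and which of the named modules are loaded. The function names and the sample output are constructed for illustration; the module identifiers are the standard names printed by `apachectl -M`.

```shell
#!/bin/sh
# Added example: flag Apache builds older than the fixed release and list
# which of the modules named in the advisory are loaded.
FIXED_VERSION="2.4.67"

# Read `apachectl -v` output on stdin, print the bare version (e.g. 2.4.66).
parse_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# Read `apachectl -M` output on stdin, print the loaded modules that the
# advisory names (HTTP/2 plus the six other modules).
affected_modules() {
    awk '$1 ~ /^(http2|proxy_ajp|auth_digest|authn_socache|dav_lock|md|rewrite)_module$/ { print $1 }'
}

# $1 = `apachectl -v` output, $2 = `apachectl -M` output.
assess() {
    ver=$(printf '%s\n' "$1" | parse_version)
    [ -n "$ver" ] || { echo "UNKNOWN version"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        mods=$(printf '%s\n' "$2" | affected_modules | tr '\n' ' ')
        echo "AFFECTED $ver loaded: ${mods% }"
        return 1
    fi
    echo "OK $ver"
}

# Constructed sample output; on a real host use:
#   assess "$(apachectl -v)" "$(apachectl -M 2>/dev/null)"
SAMPLE_V='Server version: Apache/2.4.66 (Unix)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)
 rewrite_module (shared)
 ssl_module (shared)'
assess "$SAMPLE_V" "$SAMPLE_M" || true
```

The check compares the upstream version string only; distribution packages that backport fixes without changing the version number need to be verified against the vendor's own advisory.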
Affected software:
- Apache HTTP Server 2.4.66 and earlier
- Apache