Update Apache to address multiple vulnerabilities
This message is intended for U-M IT staff who are responsible for university systems running Apache server software, and will be of interest to anyone using Apache.
Summary
Apache HTTP Server 2.4.66 contains a critical vulnerability (CVE-2026-23918) in its HTTP/2 module, mod_http2, that can lead to unauthenticated remote code execution (RCE) and denial of service (DoS). Update affected servers to version 2.4.67 or later, or apply vendor-supplied patches that address this vulnerability, now.
Problem
The Apache Software Foundation (ASF) has released security updates that address several vulnerabilities in Apache HTTP Server, including a severe double-free flaw in the HTTP/2 module that could lead to remote code execution (RCE).
Threats
This vulnerability could lead to unauthenticated RCE and DoS attacks on affected Apache servers. Because the flaw is in the module that handles HTTP/2 connections, an attacker needs only network access to an HTTP/2-enabled server, not credentials. Proof-of-concept code exists for both the RCE and the DoS attack.
Affected Systems
This issue affects Apache HTTP Server version 2.4.66. The vulnerable code is in mod_http2, so a 2.4.66 server that loads that module (typically through a LoadModule http2_module line, with h2 or h2c enabled in a Protocols directive) is exposed. A 2.4.66 build that does not load mod_http2 does not run the affected code, but it should still be updated.
Detection
Run httpd -v (or apachectl -v; apache2ctl -v on Debian and Ubuntu) on each server: a report of Apache/2.4.66 is vulnerable. apachectl -M lists loaded modules; http2_module in that list means the affected module is loaded. Distribution packages may ship the fix as a backport under a package version that still reports 2.4.66, so also check the package changelog or your vendor's advisory before concluding that a host is unpatched.
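The following shell helpers, added here as an example and not part of the advisory or of the Apache project, classify the version line printed by httpd -v / apachectl -v against the range this advisory covers and report whether mod_http2 appears in the apachectl -M module list. The function names (apache_version, classify_version, http2_loaded, check_local_server) and the sample output lines are this example's own; the "Server version:" and "http2_module (shared)" formats are what the Apache binaries print.

```shell
#!/bin/sh
# Added example (not from the advisory or the Apache project): classify the
# version string reported by `httpd -v` / `apachectl -v` against this
# advisory (2.4.66 affected, 2.4.67 or later fixed) and tell whether
# mod_http2 appears in the `apachectl -M` module list.

# Pull "2.4.66" out of a line such as "Server version: Apache/2.4.66 (Unix)".
# Prints nothing for lines that are not the "Server version:" line.
apache_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# vulnerable: exactly 2.4.66 (the version this advisory covers)
# fixed:      2.4.67 or later
# other:      anything else (older 2.4.x, 2.2, empty or unparsable input);
#             such hosts are outside this advisory, not known to be safe
classify_version() {
    case "$1" in
        2.4.66) echo vulnerable ;;
        2.4.*)
            patch=${1#2.4.}
            patch=${patch%%.*}          # drop any trailing ".1"-style suffix
            case "$patch" in
                *[!0-9]*|'') echo other ;;
                *) if [ "$patch" -ge 67 ]; then echo fixed; else echo other; fi ;;
            esac ;;
        *) echo other ;;
    esac
}

# yes if the module list names http2_module, e.g. " http2_module (shared)".
http2_loaded() {
    if printf '%s\n' "$1" | grep -q '^ *http2_module'; then echo yes; else echo no; fi
}

# Run the checks against the local server when a control script is present.
# Debian and Ubuntu name it apache2ctl; `apachectl -M` may need root.
check_local_server() {
    ctl=apachectl
    command -v "$ctl" >/dev/null 2>&1 || ctl=apache2ctl
    command -v "$ctl" >/dev/null 2>&1 || { echo "no apachectl found"; return 0; }
    ver=$(apache_version "$("$ctl" -v 2>/dev/null | head -n 1)")
    mods=$("$ctl" -M 2>/dev/null)
    echo "Apache $ver: $(classify_version "$ver"); mod_http2 loaded: $(http2_loaded "$mods")"
}

check_local_server
```

A "vulnerable" result from the version string is a strong signal, but a "fixed" result is only as reliable as the version string: distributions that backport the fix keep the upstream number, so on such hosts confirm through the package changelog (for example rpm -q --changelog httpd on Red Hat family systems, searching for CVE-2026-23918) or the vendor advisory.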
Action Items
Immediately update vulnerable servers to a non-vulnerable version, either by upgrading to Apache HTTP Server 2.4.67 or later or by applying vendor-supplied patches that address this vulnerability. After updating, restart httpd so that the patched binaries and modules are the ones actually running, and confirm the result with httpd -v or the package changelog.
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Technical Details
A double free occurs when a program releases the same block of heap memory twice. The second free operates on a block the allocator already considers free, which corrupts the allocator's own bookkeeping data. In the simplest case that corruption makes the server crash (denial of service); in some cases an attacker who can control what the heap looks like between the two frees can turn the corrupted bookkeeping into a write to memory of their choosing and from there execute their own code (remote code execution). In Apache HTTP Server 2.4.66 the flaw is in mod_http2, so it is triggered by HTTP/2 traffic that the server processes before any authentication takes place.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE (The Hacker News, 5-5-2026)
- Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE (Security Affairs, 5-6-2026)
- Critical Apache 2.4.66 HTTP/2 Flaw Allows RCE & DoS (CVE-2026-23918) (UC Berkeley Information Security Office, 5-6-2026)