Vulnerability-Lookup

RHSA-2026:13938

Vulnerability from csaf_redhat - Published: 2026-05-06 08:55 - Updated: 2026-05-08 09:04

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: httpd: * httpd-2.4.67-0.1.hum1 (aarch64, x86_64) * httpd-core-2.4.67-0.1.hum1 (aarch64, x86_64) * httpd-devel-2.4.67-0.1.hum1 (aarch64, x86_64) * httpd-filesystem-2.4.67-0.1.hum1 (noarch) * httpd-manual-2.4.67-0.1.hum1 (noarch) * httpd-tools-2.4.67-0.1.hum1 (aarch64, x86_64) * mod_ldap-2.4.67-0.1.hum1 (aarch64, x86_64) * mod_lua-2.4.67-0.1.hum1 (aarch64, x86_64) * mod_proxy_html-2.4.67-0.1.hum1 (aarch64, x86_64) * mod_session-2.4.67-0.1.hum1 (aarch64, x86_64) * mod_ssl-2.4.67-0.1.hum1 (aarch64, x86_64) * httpd-2.4.67-0.1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-23918

A flaw was found in Apache HTTP Server. This vulnerability, related to a double free error within the HTTP/2 protocol implementation, could potentially allow a remote attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the affected system.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1341 - Multiple Releases of Same Resource or Handle

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:13938

Workaround To mitigate this issue, disable the `mod_http2` module in your Apache HTTP Server configuration. This can be achieved by commenting out or removing the `LoadModule http2_module modules/mod_http2.so` line in the Apache configuration file (e.g., `/etc/httpd/conf.modules.d/00-base.conf` or a similar configuration file). After modifying the configuration, restart the httpd service for the changes to take effect. This action will impact services relying on HTTP/2 functionality.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:13938	self
	https://images.redhat.com/	external
	https://access.redhat.com/security/cve/CVE-2026-23918	external
	https://access.redhat.com/security/updates/classi…	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2026-23918	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2465304	external
	https://www.cve.org/CVERecord?id=CVE-2026-23918	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-23918	external
	https://httpd.apache.org/security/vulnerabilities…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nhttpd:\n  * httpd-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * httpd-core-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * httpd-devel-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * httpd-filesystem-2.4.67-0.1.hum1 (noarch)\n  * httpd-manual-2.4.67-0.1.hum1 (noarch)\n  * httpd-tools-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * mod_ldap-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * mod_lua-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * mod_proxy_html-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * mod_session-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * mod_ssl-2.4.67-0.1.hum1 (aarch64, x86_64)\n  * httpd-2.4.67-0.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:13938",
        "url": "https://access.redhat.com/errata/RHSA-2026:13938"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-23918",
        "url": "https://access.redhat.com/security/cve/CVE-2026-23918"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_13938.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-05-08T09:04:17+00:00",
      "generator": {
        "date": "2026-05-08T09:04:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2026:13938",
      "initial_release_date": "2026-05-06T08:55:25+00:00",
      "revision_history": [
        {
          "date": "2026-05-06T08:55:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-07T03:12:10+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-08T09:04:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd-main@aarch64",
                "product": {
                  "name": "httpd-main@aarch64",
                  "product_id": "httpd-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd@2.4.67-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd-main@src",
                "product": {
                  "name": "httpd-main@src",
                  "product_id": "httpd-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd@2.4.67-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd-main@x86_64",
                "product": {
                  "name": "httpd-main@x86_64",
                  "product_id": "httpd-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd@2.4.67-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "httpd-main@noarch",
                "product": {
                  "name": "httpd-main@noarch",
                  "product_id": "httpd-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd-filesystem@2.4.67-0.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:httpd-main@aarch64"
        },
        "product_reference": "httpd-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:httpd-main@noarch"
        },
        "product_reference": "httpd-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:httpd-main@src"
        },
        "product_reference": "httpd-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:httpd-main@x86_64"
        },
        "product_reference": "httpd-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23918",
      "cwe": {
        "id": "CWE-1341",
        "name": "Multiple Releases of Same Resource or Handle"
      },
      "discovery_date": "2026-05-04T15:01:41.066212+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2465304"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache HTTP Server. This vulnerability, related to a double free error within the HTTP/2 protocol implementation, could potentially allow a remote attacker to execute arbitrary code. Successful exploitation could lead to a complete compromise of the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Apache HTTP Server: Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue marked as Important rather than Moderate because it involves a memory safety violation (double free) in the HTTP/2 request handling path, which is directly exposed to untrusted network input. A double free condition can corrupt the heap allocator\u2019s internal metadata, enabling attackers to manipulate memory layout and potentially achieve arbitrary code execution (RCE) under favorable conditions. In this case, the flaw is triggered during an early stream reset in HTTP/2, meaning it can be exercised pre-authentication by a remote client without requiring complex application-level interaction. Given that Apache HTTP Server is widely deployed in internet-facing environments, even a low-probability RCE path significantly elevates risk.\n\n\n\nAdditionally, the vulnerability exists in a core protocol module rather than an optional edge feature, increasing the likelihood of exposure. It is also important to note that this vulnerability specifically affects Apache HTTP Server version 2.4.66 only, and our mod_http2 packages are not affected as they are built against non-vulnerable httpd versions.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:httpd-main@aarch64",
          "Red Hat Hardened Images:httpd-main@noarch",
          "Red Hat Hardened Images:httpd-main@src",
          "Red Hat Hardened Images:httpd-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-23918"
        },
        {
          "category": "external",
          "summary": "RHBZ#2465304",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2465304"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-23918",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23918"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-23918",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23918"
        },
        {
          "category": "external",
          "summary": "https://httpd.apache.org/security/vulnerabilities_24.html",
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "release_date": "2026-05-04T14:44:28.513000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-06T08:55:25+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:httpd-main@aarch64",
            "Red Hat Hardened Images:httpd-main@noarch",
            "Red Hat Hardened Images:httpd-main@src",
            "Red Hat Hardened Images:httpd-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:13938"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, disable the `mod_http2` module in your Apache HTTP Server configuration. This can be achieved by commenting out or removing the `LoadModule http2_module modules/mod_http2.so` line in the Apache configuration file (e.g., `/etc/httpd/conf.modules.d/00-base.conf` or a similar configuration file). After modifying the configuration, restart the httpd service for the changes to take effect. This action will impact services relying on HTTP/2 functionality.",
          "product_ids": [
            "Red Hat Hardened Images:httpd-main@aarch64",
            "Red Hat Hardened Images:httpd-main@noarch",
            "Red Hat Hardened Images:httpd-main@src",
            "Red Hat Hardened Images:httpd-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:httpd-main@aarch64",
            "Red Hat Hardened Images:httpd-main@noarch",
            "Red Hat Hardened Images:httpd-main@src",
            "Red Hat Hardened Images:httpd-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Apache HTTP Server: Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol"
    }
  ]
}

CVE-2026-23918 (GCVE-0-2026-23918)

Vulnerability from cvelistv5 – Published: 2026-05-04 14:44 – Updated: 2026-05-05 03:56

Title

Apache HTTP Server: http2: double free and possible RCE on early reset

Summary

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-415 - Double Free

Assigner

apache

References

URL

Tags

https://httpd.apache.org/security/vulnerabilities…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Affected: 2.4.66 (semver)

Credits

Bartlomiej Dmitruk, striga.ai Stanislaw Strzalkowski, isec.pl

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-23918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T03:56:10.684Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:32:35.852Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/04/19"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "2.4.66",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk, striga.ai"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Stanislaw Strzalkowski, isec.pl"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDouble Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: 2.4.66.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.67, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.\n\nThis issue affects Apache HTTP Server: 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-415",
              "description": "CWE-415 Double Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T14:44:28.513Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-10T14:02:00.000Z",
          "value": "reported in PR 69899"
        },
        {
          "lang": "en",
          "time": "2025-12-11T14:03:00.000Z",
          "value": "fixed in r1930444, r1930796"
        }
      ],
      "title": "Apache HTTP Server: http2: double free and possible RCE on early reset",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-23918",
    "datePublished": "2026-05-04T14:44:28.513Z",
    "dateReserved": "2026-01-19T13:00:21.720Z",
    "dateUpdated": "2026-05-05T03:56:10.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:13938

CVE-2026-23918 (GCVE-0-2026-23918)

Tags

Sightings

Nomenclature