{"id":"DEBIAN-CVE-2026-23918","details":"Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.  This issue affects Apache HTTP Server: 2.4.66.  Users are recommended to upgrade to version 2.4.67, which fixes the issue.","modified":"2026-05-06T19:00:10.738962Z","published":"2026-05-04T15:16:03.583Z","upstream":["CVE-2026-23918"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2026-23918"}],"affected":[{"package":{"name":"apache2","ecosystem":"Debian:12","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.67-1~deb12u2"}]}],"versions":["2.4.57-2","2.4.57-3","2.4.58-1","2.4.59-1","2.4.59-1~deb10u1","2.4.59-1~deb11u1","2.4.59-1~deb12u1","2.4.59-2","2.4.60-1","2.4.61-1","2.4.61-1~deb11u1","2.4.61-1~deb12u1","2.4.62-1","2.4.62-1~deb11u1","2.4.62-1~deb11u2","2.4.62-1~deb12u1","2.4.62-1~deb12u2","2.4.62-2","2.4.62-3","2.4.62-4","2.4.62-5","2.4.62-6","2.4.63-1","2.4.64-1","2.4.65-1","2.4.65-1~deb11u1","2.4.65-1~deb12u1","2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4","2.4.66-5","2.4.66-6","2.4.66-7","2.4.66-8","2.4.67-1~deb12u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23918.json"}},{"package":{"name":"apache2","ecosystem":"Debian:13","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.66-1~deb13u2"}]}],"versions":["2.4.65-2","2.4.65-3","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23918.json"}},{"package":{"name":"apache2","ecosystem":"Debian:14","purl":"pkg:deb/debian/apache2?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.66-5"}]}],"versions":["2.4.65-2","2.4.65-3","2.4.66-1","2.4.66-1~deb11u1","2.4.66-1~deb12u1","2.4.66-1~deb12u2","2.4.66-1~deb13u1","2.4.66-1~deb13u2","2.4.66-2","2.4.66-3","2.4.66-4"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23918.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}