- Last update: 06/05/2026
- Affected software: Apache HTTP Server
- Type:
→ CWE-415: Double Free
→ CWE-269: Improper Privilege Management
- CVE/CVSS:
→ CVE-2026-23918: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2026-24072: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Several lower severity vulnerabilities were also covered in the same patch: CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059
- References:
→ https://nvd.nist.gov/vuln/detail/CVE-2026-23918
→ https://nvd.nist.gov/vuln/detail/CVE-2026-24072
The Apache Software Foundation released an advisory regarding multiple vulnerabilities affecting the Apache HTTP Server. The most critical flaw, CVE-2026-23918, is a double-free vulnerability in the HTTP/2 protocol implementation.
The widespread use of Apache HTTP Server across numerous web applications makes it an attractive target for threat actors. Systems on which the vendor-supplied patches are not applied are high-value targets; exploitation can result in full system compromise, unauthorized access to restricted files, or denial of service. The impact of these vulnerabilities on the CIA triad (Confidentiality, Integrity, and Availability) is high.
CVE-2026-23918 (CVSS 8.8, CWE-415 Double Free):
This vulnerability is a double-free flaw in the HTTP/2 protocol implementation (mod_http2) of the Apache HTTP Server, triggered by an early reset of a connection. An attacker can exploit it by crafting HTTP/2 traffic that causes the server to free the same memory block twice. Successful exploitation leads to memory corruption, which a remote attacker can use to achieve Remote Code Execution (RCE) on the host or to cause a Denial of Service (DoS) by crashing the server process. Note that the CVSS vector published with this advisory lists PR:L (low privileges required) while the description treats the attacker as unauthenticated; either way, any listener that negotiates HTTP/2 should be treated as exposed until it is patched.
CVE-2026-24072 (CVSS 8.8, CWE-269 Improper Privilege Management):
This vulnerability affects the mod_rewrite module and allows a local elevation of privileges. In server environments where the use of .htaccess files is permitted (AllowOverride; mod_rewrite directives in .htaccess specifically require the FileInfo override), a local attacker or a compromised user account with authoring privileges can exploit the flaw through specially crafted ap_expr expressions. Successful exploitation bypasses the intended directory restrictions and access controls, allowing the attacker to read sensitive system files with the privileges of the httpd process.
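Both flaws depend on configuration the administrator controls: per-directory overrides for the mod_rewrite issue, and an enabled HTTP/2 listener for the double free. The fragment below is an added example by the editor, not configuration taken from the CCB advisory or the Apache project; it places the permissive settings next to hardened ones. The directory path is a placeholder, and using Protocols to stop negotiating h2 as a stopgap until 2.4.67 is installed is the editor's inference from the flaw living in the HTTP/2 implementation, not a mitigation the advisory itself states.

```apacheconf
# Added example (editor's), not from the CCB advisory or the Apache project.
# "/var/www/sites" is a placeholder path. The three <Directory> blocks are
# alternatives; a real configuration keeps only one of them.

# --- Weak: every directory under the docroot honours .htaccess, including the
# FileInfo override that lets mod_rewrite directives (and the ap_expr
# expressions inside them) be supplied by whoever can write a .htaccess file.
<Directory "/var/www/sites">
    AllowOverride All
    Require all granted
</Directory>

# --- Hardened: no per-directory overrides at all. Rewrite rules live only in
# the server configuration, which authoring users cannot edit.
<Directory "/var/www/sites">
    AllowOverride None
    Require all granted
</Directory>

# --- Middle ground when some overrides must stay (e.g. per-site auth): grant
# only the override classes needed, keep FileInfo out of the list, and allow
# individual directives by name instead of a whole class.
<Directory "/var/www/sites">
    AllowOverride AuthConfig Limit
    AllowOverrideList Redirect
    Require all granted
</Directory>

# --- Stopgap for the HTTP/2 double free until 2.4.67 is installed (editor's
# assumption: with h2 not negotiated, the mod_http2 code path is not reached).
# "Protocols http/1.1" is also the directive's default when it is absent; the
# usual enabling line that should be removed temporarily is "Protocols h2 http/1.1".
Protocols http/1.1
```

A quick way to confirm which override classes a directory actually gets is to read the effective `<Directory>` stanzas in `httpd -t -D DUMP_INCLUDES` output and the `AllowOverride` lines for the docroot; `AllowOverride All` anywhere in that chain re-enables the FileInfo class the mod_rewrite directives need.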
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority after thorough testing. System administrators should upgrade all Apache HTTP Server installations to version 2.4.67 or later without delay.
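To turn the patch recommendation into something checkable, the script below is an added example by the editor (not a tool from the CCB advisory or the Apache project). Its helpers take the text of `httpd -v` and `httpd -M` as arguments so they can be exercised offline; the fixed release 2.4.67 is taken from the advisory, while the binary names `httpd`/`apache2` and the `/var/www` docroot used in the live section are the editor's assumptions and should be adjusted to the host.

```shell
#!/bin/sh
# Added example (editor's), not from the CCB advisory or the Apache project.
# Helpers for the patch decision, written so they can be exercised offline:
#   - is the installed release older than 2.4.67, the fixed version the advisory names
#   - is mod_http2 loaded, i.e. is the CVE-2026-23918 code path reachable
#   - which .htaccess files under a docroot carry mod_rewrite directives, the
#     CVE-2026-24072 precondition (they only take effect where AllowOverride
#     grants FileInfo)
# The live section at the end runs only when an httpd/apache2 binary is on PATH.

FIXED_VERSION="2.4.67"   # from the advisory

# "Server version: Apache/2.4.66 (Unix)" -> "2.4.66"
parse_httpd_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is older than $2 (numeric, component-wise,
# so 2.4.6 < 2.4.67 and 2.4.70 is not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Takes the full `httpd -v` output.
# Exit 0 = patch needed, 1 = at or after the fixed release, 2 = version line not recognised.
httpd_needs_patch() {
    v=$(parse_httpd_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Takes the `httpd -M` output; exit 0 when http2_module is loaded.
h2_module_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*http2_module'
}

# Lists .htaccess files beneath directory $1 that contain mod_rewrite directives.
htaccess_with_rewrite() {
    find "$1" -name .htaccess -type f \
        -exec grep -l -i -E '^[[:space:]]*Rewrite(Engine|Base|Cond|Rule|Options)' {} + 2>/dev/null
}

# Live check: skipped when no server binary is present (binary names and the
# /var/www docroot are assumptions; adjust to the host).
for bin in httpd apache2; do
    if command -v "$bin" >/dev/null 2>&1; then
        vout=$("$bin" -v 2>/dev/null)
        mout=$("$bin" -M 2>/dev/null)
        if httpd_needs_patch "$vout"; then
            echo "PATCH NEEDED: Apache $(parse_httpd_version "$vout") is older than $FIXED_VERSION"
        else
            echo "version line: $(printf '%s\n' "$vout" | head -n 1)"
        fi
        if h2_module_loaded "$mout"; then
            echo "mod_http2 is loaded: HTTP/2 code path (CVE-2026-23918) reachable on listeners that negotiate h2"
        fi
        echo ".htaccess files with rewrite directives under /var/www:"
        htaccess_with_rewrite /var/www
        break
    fi
done
```

On Debian-derived systems `apache2 -M` needs the environment from `/etc/apache2/envvars`, so run the module check through `apache2ctl -M` there; the version comparison is unaffected.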
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
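One concrete thing to monitor for the HTTP/2 double free is worker children dying: a failed or deliberate DoS attempt corrupts the heap and the child exits on SIGSEGV, or on SIGABRT when the allocator itself detects the double free, and httpd records each such exit in its error log as AH00052 ("child pid N exit signal ..."). The script below is an added example by the editor, not a detection from the CCB advisory or the Apache project; the threshold, the choice of AH00052 bursts as the indicator, and the sample log are the editor's, and the log lines are constructed rather than captured.

```shell
#!/bin/sh
# Added example (editor's), not from the CCB advisory or the Apache project.
# Crash-burst detector for the Apache error_log. Worker children killed by a
# signal are logged by the parent as AH00052; several in one minute on a host
# that is otherwise stable is worth an incident ticket while the HTTP/2 fix
# is pending. Threshold and indicator choice are the editor's assumptions.

# Prints "COUNT Weekday Mon DD HH:MM YYYY" for every minute holding at least
# THRESHOLD child-crash records, busiest minute first.
# usage: crash_bursts THRESHOLD ERROR_LOG
crash_bursts() {
    awk -v thr="$1" '
        /AH00052/ {
            # Apache timestamp fields: "[Mon" "May" "04" "10:12:01.100000" "2026]"
            minute = substr($1, 2) " " $2 " " $3 " " substr($4, 1, 5) " " substr($5, 1, 4)
            n[minute]++
        }
        END { for (m in n) if (n[m] >= thr) print n[m], m }
    ' "$2" | sort -k1,1nr
}

# Tallies the signal each crashed child died with. "Aborted (6)" is what a
# glibc double-free check produces; "Segmentation fault (11)" is the generic
# memory-corruption outcome. Coredump hints are stripped before counting.
# usage: crash_signals ERROR_LOG
crash_signals() {
    sed -n 's/.*AH00052: child pid [0-9]* exit signal \(.*\)$/\1/p' "$1" \
        | sed 's/, possible coredump.*//' | sort | uniq -c | sort -nr
}

# Constructed sample log (not captured data): five crashes within 10:12, one
# isolated crash at 10:40, plus a normal startup notice that must not match.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Mon May 04 10:11:58.000000 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.66 (Unix) configured -- resuming normal operations
[Mon May 04 10:12:01.100000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1311 exit signal Segmentation fault (11)
[Mon May 04 10:12:03.250000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1312 exit signal Aborted (6)
[Mon May 04 10:12:07.000000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1313 exit signal Segmentation fault (11), possible coredump in /var/lib/apache2
[Mon May 04 10:12:09.900000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1314 exit signal Aborted (6)
[Mon May 04 10:12:44.100000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1315 exit signal Segmentation fault (11)
[Mon May 04 10:40:12.000000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1320 exit signal Segmentation fault (11)
EOF

echo "minutes with >= 3 child crashes:"
crash_bursts 3 "$SAMPLE_LOG"
echo "crash signals:"
crash_signals "$SAMPLE_LOG"
# On a live host: crash_bursts 3 /var/log/httpd/error_log (or /var/log/apache2/error.log)
```

A burst alone does not identify the cause; pair a hit with the access log for the same minute (the `%H` protocol field shows HTTP/2.0 requests) and with the CoreDumpDirectory contents if dumps are enabled, and treat a burst on an unpatched HTTP/2-enabled host as a reportable incident rather than a stability issue.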
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that occurred before the update; systems that were exposed while vulnerable should also be checked for signs of intrusion.