Apache patches critical HTTP/2 vulnerability after five-month delay during Iran conflict
CVE-2026-23918 sat fixed but unpublished for 145 days as US-Iran war escalated, leaving millions of servers exposed to remote code execution during peak geopolitical tension.
The Apache Software Foundation released a critical security patch on May 4 addressing CVE-2026-23918, a high-severity HTTP/2 vulnerability enabling remote code execution and denial-of-service attacks—but the fix was committed five months earlier, in December 2025, and held back through the outbreak and escalation of the US-Israel-Iran war.
The vulnerability affects Apache HTTP Server 2.4.66 exclusively, with a CVSS score of 8.8. Researchers privately reported the flaw on December 10, 2025. Apache committed a fix the next day. The public patch shipped 145 days later—on May 4, 2026—after the February 28 start of active hostilities in the Strait of Hormuz, Iran’s closure of the waterway that handles 20% of global petroleum flows, and a fragile ceasefire now under renewed strain as Iranian missile and drone attacks resumed against the UAE yesterday.
Apache powers roughly 23.7% of all websites with known web servers, translating to millions of installations running the vulnerable 2.4.66 release across enterprise, government, and cloud infrastructure. The timing creates a narrow window for state actors to exploit unpatched systems during a period of maximum geopolitical stress and cyber-kinetic conflict overlap.
the exploit mechanics
CVE-2026-23918 is a double-free memory corruption bug in the mod_http2 module. An attacker sends an HTTP/2 HEADERS frame followed immediately by a RST_STREAM frame before the stream registers in Apache’s internal scoreboard. This triggers cleanup of memory that was never properly allocated, corrupting the heap.
Denial-of-service is trivial on any default deployment running mod_http2 with a multi-threaded MPM, according to The Hacker News. Bartlomiej Dmitruk, co-founder of Striga.ai and one of the researchers who discovered the flaw, described the attack surface:
“Denial of service, which is trivial: one TCP connection, two frames, no authentication, no special headers, no specific URL, and the worker crashes.”
— Bartlomiej Dmitruk, Co-founder, Striga.ai
Remote code execution requires the APR mmap allocator, which is the default on Debian-based systems and the official Apache Docker image. Researchers built a working proof-of-concept on x86_64 using a heap spray technique via mmap to gain control of the corrupted memory. The exploit writes to Apache’s scoreboard—a shared memory structure tracking worker processes—allowing arbitrary code execution in the context of the web server.
As of today, The CyberSec Guru reports no confirmed wild exploitation. But security researchers estimate public proof-of-concept code will circulate within two to three weeks of the May 4 disclosure, shrinking the window for administrators to patch before automated scanning begins.
the timing problem
The five-month gap between private fix and public release is unusual even by disclosure-embargo standards. Apache received the report on December 10, 2025, and committed a fix within 24 hours. Version 2.4.67—containing the patch—did not ship until May 4, 2026.
That 145-day window coincided with the most volatile geopolitical period in decades. On February 28, the US and Israel launched Operation Epic Fury against Iran, killing Supreme Leader Ali Khamenei and triggering Iran’s closure of the Strait of Hormuz. The closure disrupted 20% of global petroleum and liquefied natural gas flows, dropping vessel traffic through the Strait to roughly 5% of pre-conflict levels—from 3,000 vessels per month to around 150.
The April 8 ceasefire has not held. As of yesterday, Al Jazeera reported renewed Iranian missile and drone attacks against the UAE for the second consecutive day. Ebrahim Azizi, head of the Iranian parliament’s National Security Commission, stated that “any American interference in the new maritime regime of the Strait of Hormuz will be considered a violation of the ceasefire,” per CNN.
This created a scenario where millions of servers running Apache 2.4.66 remained vulnerable to remote code execution while state actors on multiple sides possessed both capability and motive to target critical infrastructure. The 2026 Iran war coupled cyber operations with kinetic strikes from the outset—Iran experienced a 60-hour internet blackout during the February offensive, and both sides deployed cyber capabilities against logistics, communications, and energy infrastructure.
supply chain exposure
The vulnerability does not exist in isolation. Systems administrators patching Apache must also account for dependencies, containerised deployments, and legacy infrastructure that cannot be updated immediately.
- Default Debian configurations use the mmap allocator, making RCE trivial
- Official Apache Docker images ship with vulnerable settings out of the box
- Cloud providers running 2.4.66 in shared hosting expose multiple customers per exploit
- Embedded systems and appliances with Apache may lack update mechanisms entirely
SaaS providers, managed hosting platforms, and government contractors built services on top of 2.4.66 between December 2025 and May 2026—unknowingly deploying the vulnerability into production during the exact period when adversaries had maximum incentive to map and exploit it. The five-month disclosure gap created downstream supply-chain risk that will persist for months as patches propagate through vendor channels, enterprise approval processes, and compliance workflows.
For organisations unable to patch immediately, Apache recommends disabling HTTP/2 by removing or commenting out the LoadModule directive for mod_http2. This eliminates the attack vector but breaks functionality for clients relying on HTTP/2 performance improvements—a non-trivial trade-off for high-traffic services.
what to watch
The next two weeks will determine whether CVE-2026-23918 remains a theoretical risk or becomes an active weapon. Public proof-of-concept code typically emerges 14-21 days after disclosure of high-severity vulnerabilities. Once scanning begins, unpatched 2.4.66 installations will be trivial to identify and exploit.
Monitor for scanning activity targeting TCP/443 and TCP/80 with HTTP/2 HEADERS+RST_STREAM patterns. Track geopolitical escalation around Strait of Hormuz enforcement—renewed hostilities increase the likelihood of infrastructure targeting. Assess whether cloud providers and CDNs completed patches within the 48-72 hour window; downstream customers inherit risk from unpatched platforms.
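The HEADERS+RST_STREAM pattern named above, as an added detection example that is not code from the article, the researchers, or the Apache project: it walks the frames of one decrypted HTTP/2 connection using the RFC 9113 frame layout and counts streams that are opened and immediately reset. The function names, the `max_pairs` threshold and the sample byte strings are constructed for this illustration.

```python
# Added example, not code from the article or the Apache project: walk the frames of
# one HTTP/2 connection (RFC 9113 section 4.1 layout) and count HEADERS frames that
# are immediately reset on the same stream. Sample bytes below are constructed.

HEADERS, RST_STREAM, SETTINGS, DATA = 0x1, 0x3, 0x4, 0x0
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload


def parse_frames(data):
    """Yield (type, stream_id, payload) per complete frame; stop at a truncated one."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # partial capture: do not guess at the missing tail
        yield ftype, stream_id, payload
        pos += 9 + length


def headers_rst_streams(data):
    """Stream ids on which RST_STREAM directly follows HEADERS."""
    hits, prev = [], None
    for ftype, sid, _ in parse_frames(data):
        if ftype == RST_STREAM and prev == (HEADERS, sid):
            hits.append(sid)
        prev = (ftype, sid)
    return hits


def suspicious(data, max_pairs=0):
    """Flag a connection once its HEADERS->RST_STREAM pairs exceed max_pairs.
    Browsers cancel streams legitimately, so raise max_pairs from a site baseline."""
    return len(headers_rst_streams(data)) > max_pairs


# Constructed samples: a normal GET on stream 1, and a connection that opens
# stream 3 with HEADERS and cancels it straight away (RST_STREAM error code 0x8).
NORMAL = (PREFACE + frame(SETTINGS, 0, 0) + frame(HEADERS, 0x5, 1, b"\x82")
          + frame(DATA, 0x1, 1, b"ok"))
CANCEL = (PREFACE + frame(SETTINGS, 0, 0) + frame(HEADERS, 0x5, 3, b"\x82")
          + frame(RST_STREAM, 0, 3, (8).to_bytes(4, "big")))
```

This only sees frames where the traffic is in the clear (h2c, or a TLS terminator feeding the analyser), and a single pair is also what a browser produces when it cancels a request, so alert on the rate per connection rather than on the first pair.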
Geopolitical tensions remain elevated. The ceasefire is fragile, and Iranian attacks on the UAE signal willingness to escalate. If hostilities resume, the combination of unpatched web infrastructure and state-actor capabilities creates conditions for significant disruption to logistics, communications, and financial systems dependent on vulnerable Apache deployments.
Administrators should prioritise patching Apache 2.4.66 to 2.4.67 within 72 hours or disable HTTP/2 entirely. Organisations with containerised deployments must rebuild images from updated base layers. Legacy systems without clear upgrade paths represent the highest residual risk—exactly the targets adversaries will identify first once automated exploitation begins.