
"CVE-2026-23918 is a double-free and possible RCE bug in the HTTP/2 protocol handling. By triggering an early reset, an attacker could cause a denial-of-service condition and potentially execute arbitrary code."
"CVE-2026-28780 is a heap buffer overflow issue that could allow remote attackers to send crafted AJP messages to cause a DoS condition and execute code."
"The update also addresses an improper neutralization of CRLF sequences issue, tracked as CVE-2026-33523, which allows attackers to manipulate HTTP responses."
"Following the upgrade to a patched release, Apache says organizations need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance."
Apache released HTTP Server 2.4.67, fixing 11 vulnerabilities, including critical issues that could lead to remote code execution and denial-of-service conditions. Key vulnerabilities include CVE-2026-23918, a double-free bug in HTTP/2, and CVE-2026-28780, a heap buffer overflow. Other defects could lead to denial-of-service or information disclosure. Additionally, MINA 2.2.7 and 2.1.12 were released to address two critical vulnerabilities related to insecure deserialization and allowlist bypass. Organizations must ensure proper configuration after upgrading to mitigate risks.
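The allowlist step from the last quoted item above, as an added Java example (not code from the advisory, SecurityWeek, or the MINA project): a ProtocolCodecFactory that wires an ObjectSerializationDecoder with an explicit accept list. It assumes MINA 2.2.7 on the classpath, that ObjectSerializationDecoder exposes an accept(String...) allowlist method (an assumption; confirm against the release's Javadoc), and hypothetical message classes com.example.OrderMessage and com.example.OrderAck.

```java
// Added example, not from the advisory or the MINA project.
// Assumptions: MINA 2.2.7; ObjectSerializationDecoder.accept(String...) exists;
// com.example.OrderMessage / com.example.OrderAck are hypothetical classes.
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFactory;
import org.apache.mina.filter.codec.ProtocolDecoder;
import org.apache.mina.filter.codec.ProtocolEncoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;

public class AllowlistedObjectCodecFactory implements ProtocolCodecFactory {

    // Weak setting: a decoder with no allowlist configured. What it accepts
    // then depends on the MINA version in use; the advisory's guidance is to
    // always configure the allowlist explicitly after upgrading.
    static ObjectSerializationDecoder unrestrictedDecoder() {
        return new ObjectSerializationDecoder();
    }

    // Corrected setting: accept only the message types this protocol expects.
    // Anything else arriving on the wire is rejected before deserialization.
    static ObjectSerializationDecoder allowlistedDecoder() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();
        decoder.accept("com.example.OrderMessage",   // hypothetical class
                       "com.example.OrderAck");      // hypothetical class
        // Bound the serialized object size as well (existing MINA setter),
        // so oversized payloads are dropped rather than buffered.
        decoder.setMaxObjectSize(64 * 1024);
        return decoder;
    }

    @Override
    public ProtocolEncoder getEncoder(IoSession session) {
        return new ObjectSerializationEncoder();
    }

    @Override
    public ProtocolDecoder getDecoder(IoSession session) {
        // Always hand sessions the allowlisted decoder, never the bare one.
        return allowlistedDecoder();
    }

    // Install on a service's filter chain, e.g.:
    // acceptor.getFilterChain().addLast("codec",
    //     new ProtocolCodecFilter(new AllowlistedObjectCodecFactory()));
}
```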
Read at SecurityWeek