
Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE

Apache fixed several flaws in HTTP Server, including CVE-2026-23918 (CVSS score of 8.8), a double-free bug in HTTP/2 that could allow remote code execution.

The Apache Software Foundation has released updates to fix multiple vulnerabilities in its HTTP Server, including CVE-2026-23918 (CVSS score of 8.8). The issue is a “double free” error in HTTP/2 handling that could lead to remote code execution.

Researchers Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl discovered the vulnerability.

“Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol,” reads the advisory.

The vulnerability impacts version 2.4.66 and is resolved in version 2.4.67.

According to TheHackerNews, CVE-2026-23918 is a double-free flaw in Apache httpd 2.4.66’s mod_http2, triggered by a crafted HTTP/2 sequence that causes the same stream to be cleaned up twice, leading to memory corruption. This can easily result in denial of service, crashing worker processes with minimal effort. In certain setups, especially those using APR with mmap (common on Debian systems and official Docker images), it may also be exploited for remote code execution.

The attack requires specific conditions and some additional steps, but a working proof of concept exists. Notably, MPM prefork is not affected, though the widespread use of HTTP/2 increases exposure.


Pierluigi Paganini


Apache MINA Vulnerabilities Enable Remote Code Execution Attacks

The Apache MINA project has issued urgent security updates to address two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems.

Developers relying on this network application framework are strongly urged to update their software immediately to protect their environments from potential exploitation.

Developers widely use Apache MINA to create high-performance, scalable network applications.

Because it handles active data streams between clients and servers, vulnerabilities in its processing of incoming data can have severe security implications for enterprise networks.

Apache MINA Vulnerabilities

Notably, the Apache MINA team had already written fixes for these vulnerabilities for a previous release.

However, because of a repository management mistake, the patched code was never merged into two of the release branches.

The project maintainers caught the error and have now officially pushed the fixes to the public.

The project initially announced the release of version 2.0.12 on their developer mailing list.

However, project member Emmanuel Lécharny quickly issued a correction confirming the actual patched versions are 2.2.7 and 2.1.12.

The security update resolves two specific Common Vulnerabilities and Exposures (CVEs) related to how Apache MINA handles incoming, untrusted data. Both vulnerabilities stem from insecure deserialization processes.

Deserialization is the process by which a program takes data formatted for network transfer (such as a stream of bytes) and rebuilds it into a functional object in the computer’s memory.

When this process lacks proper security checks, attackers can embed crafted serialized objects in the data stream and trick the server into executing attacker-controlled code as it rebuilds them.

The two fixed vulnerabilities include:

A logic flaw causes a specific branch to skip the necessary acceptMatchers filter, leading to full object deserialization.

Mitigation Steps

These vulnerabilities do not affect every single Apache MINA deployment.

The risk is isolated to applications that specifically utilize the AbstractIoBuffer.getObject() method.

If your application uses this method to deserialize Java classes sent by a client over the network, your system is completely vulnerable to these remote code execution attacks.

Administrators and developers should immediately review their codebases to determine whether they use the affected method.

To secure your infrastructure, upgrade your Apache MINA deployments to versions 2.2.7 or 2.1.12.

The official downloads and patch notes are currently available directly on the Apache MINA project website.
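The code review and version check the article calls for, as an added example that is not the MINA project's own code: it flags getObject( call sites in Java files that import org.apache.mina.core.buffer.IoBuffer and compares a declared mina-core version with the fixed releases named above (2.2.7 and 2.1.12). The sample Java source is constructed, and treating the 2.0.x line as "unknown" is an assumption, since the article does not state its status.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases named in the article: 2.2.7 and 2.1.12. The 2.0.x line is not
# covered by the text above, so it is reported as "unknown" rather than guessed.
FIXED_BY_BRANCH = {(2, 2): (2, 2, 7), (2, 1): (2, 1, 12)}

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.12' -> (2, 1, 12); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(n) for n in m.groups())

def mina_version_status(v: str) -> str:
    """Compare a mina-core version with the fixed release of its own branch."""
    ver = parse_version(v)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if ver >= fixed else "vulnerable"

# Only files importing IoBuffer are scanned; getObject( on other types is noise.
IOBUFFER_IMPORT = re.compile(r"^\s*import\s+org\.apache\.mina\.core\.buffer\.IoBuffer\s*;", re.M)
GET_OBJECT_CALL = re.compile(r"\.getObject\s*\(")

def find_get_object_calls(java_source: str) -> List[int]:
    """1-based line numbers of getObject( calls (no-arg or ClassLoader form),
    skipping // comment lines; [] when the file never imports IoBuffer."""
    if not IOBUFFER_IMPORT.search(java_source):
        return []
    return [n for n, line in enumerate(java_source.splitlines(), 1)
            if GET_OBJECT_CALL.search(line) and not line.lstrip().startswith("//")]

def mina_dependency_version(pom_xml: str) -> Optional[str]:
    """mina-core version from a Maven <dependency> block (simple regex; assumes
    groupId, artifactId and version appear in that order)."""
    m = re.search(r"<groupId>org\.apache\.mina</groupId>\s*"
                  r"<artifactId>mina-core</artifactId>\s*<version>([^<]+)</version>", pom_xml)
    return m.group(1).strip() if m else None

# Constructed sample input, not taken from any real project.
SAMPLE_JAVA = """import org.apache.mina.core.buffer.IoBuffer;
class Decoder {
    Object decode(IoBuffer in, ClassLoader cl) {
        // Object old = in.getObject();   commented-out call, must be skipped
        Object first = in.getObject();
        return in.getObject(cl);
    }
}"""
```

Run find_get_object_calls over each .java file in the tree and mina_version_status over the version pulled from pom.xml; a non-empty hit list together with a "vulnerable" status is the combination the article describes as exposed.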

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Apache MINA Vulnerabilities Enable Remote Code Execution Attacks appeared first on Cyber Security News.

6000+ Apache ActiveMQ Instances Vulnerable to CVE-2026-34197 Exposed Online

More than 6,000 internet-exposed Apache ActiveMQ instances are still vulnerable to CVE-2026-34197. This newly tracked security flaw has now been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.

The exposure data comes from The Shadowserver Foundation, which said it has started daily internet scans for the flaw.

In an update published on April 20, Shadowserver reported that 6,364 IP addresses were vulnerable on April 19, 2026, based on version checks.

The organization also said that affected IP data is being shared through its Accessible ActiveMQ reporting service to help defenders identify exposed systems.

Apache ActiveMQ Instances Exposed

CVE-2026-34197 is an improper input validation vulnerability in Apache ActiveMQ. Input validation flaws occur when an application fails to properly check data sent to it, allowing attackers to send unexpected or malicious input.

Depending on how the issue is triggered, this type of weakness can enable unauthorized actions, service abuse, or a deeper compromise of the targeted server.

The fact that CISA added the bug to its KEV catalog makes the issue more urgent. Vulnerabilities listed in KEV are considered to have evidence of real-world exploitation, meaning organizations should treat patching and exposure reduction as a high priority.

For federal agencies, KEV listing usually comes with a deadline to secure affected systems. For private organizations, it serves as a strong warning that attackers may already be targeting unpatched servers.

Apache ActiveMQ is widely used as a message broker in enterprise and application environments, making exposed systems valuable targets.

If attackers gain a foothold in a messaging server, they may be able to disrupt internal communications, move deeper into connected environments, or abuse trusted business workflows.

We are now scanning daily for CVE-2026-34197 (Apache ActiveMQ Improper Input Validation Vulnerability) which has recently been added to @CISACyber KEV.

6364 IPs seen vulnerable on 2026-04-19 based on a version check.

Dashboard Tree Map view: https://t.co/AyJ5hVSYAC

— The Shadowserver Foundation (@Shadowserver) April 20, 2026

Shadowserver has published a public dashboard that allows users to track the number of exposed ActiveMQ systems tagged for CVE-2026-34197.

It also pointed defenders to Apache’s official security advisory, as well as public references from CISA, the National Vulnerability Database, and technical background material shared by Horizon3.ai.

Organizations running Apache ActiveMQ should immediately identify exposed instances, verify installed versions, apply vendor fixes, and restrict internet access where possible.

Security teams should also review logs for unusual activity, monitor for exploitation attempts, and place external-facing message broker services behind access controls or VPNs if they are not meant to be public.

With thousands of systems still reachable from the internet, CVE-2026-34197 is quickly becoming a high-visibility risk for defenders worldwide.


Apache Traffic Server Vulnerabilities Let Attackers Trigger DoS Attack

The Apache Software Foundation has released emergency security updates to address two severe vulnerabilities in the Apache Traffic Server (ATS).

ATS operates as a high-performance web proxy cache that improves network efficiency and handles massive volumes of enterprise web traffic.

These newly discovered flaws stem from how the server processes HTTP requests with message bodies.

If left unpatched, remote attackers can exploit these weaknesses to trigger Denial-of-Service (DoS) conditions or execute complex HTTP request smuggling attacks against enterprise networks.

Apache Traffic Server Vulnerabilities

The most disruptive flaw is tracked as CVE-2025-58136. Security researcher Masakazu Kitajo discovered that a simple, legitimate HTTP POST request can cause the entire ATS application to crash.

Because POST requests are standard methods for submitting data to a web server, this vulnerability is highly accessible to remote attackers.

When exploited, the crash results in an immediate Denial-of-Service attack, bringing down the proxy server and blocking access for all legitimate users relying on that infrastructure.

The second vulnerability, designated as CVE-2025-65114, was identified by security researcher Katsutoshi Ikenoya.

This flaw centers on how the Apache Traffic Server handles malformed chunked message bodies during data transmission. Attackers can exploit this improper handling to achieve HTTP request smuggling.

This advanced attack technique enables malicious actors to manipulate the processing of sequences of HTTP requests, bypassing security controls to poison web caches or gain unauthorized access to sensitive data on downstream servers.

These vulnerabilities impact multiple active branches of the Apache Traffic Server. According to the official security advisory, the affected software includes ATS versions 9.0.0 through 9.2.12, as well as versions 10.0.0 through 10.1.1.

Administrators managing these specific versions must take immediate action to secure their network environments against potential exploitation.

The Apache Software Foundation strongly recommends that all administrators upgrade their installations to the latest secure releases.

Users operating on the 9.x branch should update to version 9.1.13 or later. Meanwhile, organizations utilizing the 10.x branch must upgrade to version 10.1.2 or newer to completely eliminate the threat.

For teams that cannot immediately apply the software updates, a temporary workaround exists for the DoS vulnerability (CVE-2025-58136).

Administrators can stop the crash by setting the proxy.config.http.request_buffer_enabled parameter to 0. Fortunately, this is already the default value in the system configuration, meaning many servers may already be protected from the crash.

However, there is absolutely no workaround available for the request smuggling vulnerability (CVE-2025-65114). Consequently, a full software upgrade remains the only effective strategy to secure the server environment against both threats.

