Technology
Apache HTTP/2 Just Got an RCE Patch. Default Configs Are the Target.
CVE-2026-23918 is a double-free in Apache 2.4.66's mod_http2. Two frames crash the worker. On Debian and the official Docker image, the same bug becomes a viable RCE path. The fix shipped May 4.