I’m running a server with the latest AlmaLinux 9.7 with Apache installed.
CVE-2026-23918 affects Apache HTTP Server version <= 2.4.66, but 9.7 has an older version of the package.
$ httpd -version
Server version: Apache/2.4.62 (AlmaLinux)
Server built: Dec 12 2025 00:00:00
Will the fix for this CVE be backported or will the Apache package be updated to version 2.4.67, which fixes the issue?
One should first check what Red Hat says about that CVE with RHEL: cve-details
“Not affected”
If httpd in AlmaLinux 9 is sufficiently compatible with httpd in RHEL 9, then it is not affected either.
Thank you for sharing that. I was not aware of the Red Hat CVE Checker.
Hello,
According to the official documentation:
Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
So, wouldn’t it be best to comment out mod_http2?
[root@alma9 ~]# find /etc/httpd/ -type f |xargs grep "http2_module"
/etc/httpd/conf.modules.d/10-h2.conf:LoadModule http2_module modules/mod_http2.so
/etc/httpd/conf.modules.d/10-proxy_h2.conf:LoadModule proxy_http2_module modules/mod_proxy_http2.so
Thanks
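
Added example, not part of the original posts: a way to confirm which HTTP/2 `LoadModule` lines under the config root are still active, as opposed to already commented out, before and after editing the files found above. The function names, the `*.conf` filter and the sample tree built in `demo` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list the *active* LoadModule lines for the HTTP/2 modules
# (http2_module, proxy_http2_module) under an Apache config root.
# Commented-out lines are skipped, so an empty result means neither module
# is loaded from these files.

active_h2_modules() {
    # $1: config root; /etc/httpd is the path used in the thread.
    _root="${1:-/etc/httpd}"
    # Assumption: module config lives in *.conf files, as in the find output.
    find "$_root" -type f -name '*.conf' -exec awk '
        /^[[:space:]]*#/ { next }                 # skip commented lines
        tolower($1) == "loadmodule" &&            # directive names are case-insensitive
        $2 ~ /^(proxy_)?http2_module$/ {
            print FILENAME ":" $2
        }' {} + | sort
}

demo() {
    # Constructed sample tree: one module active, one already commented out.
    _d="$(mktemp -d)"
    mkdir -p "$_d/conf.modules.d"
    printf 'LoadModule http2_module modules/mod_http2.so\n' \
        > "$_d/conf.modules.d/10-h2.conf"
    printf '#LoadModule proxy_http2_module modules/mod_proxy_http2.so\n' \
        > "$_d/conf.modules.d/10-proxy_h2.conf"
    (cd "$_d" && active_h2_modules .)
    rm -rf "$_d"
}

demo
```

On a live host, `httpd -M` shows the modules the configuration actually loads, which is the final check after a reload.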