VYPR
patch · Published May 5, 2026 · Updated May 17, 2026 · 1 source

Apache Patches Critical RCE Vulnerabilities in HTTP Server and MINA Framework

The Apache Software Foundation has released critical patches for the Apache HTTP Server and the Apache MINA framework to address over a dozen vulnerabilities, including several that could lead to remote code execution.

The Apache Software Foundation has released critical security updates for both the Apache HTTP Server and the Apache MINA framework. These patches address a total of 13 vulnerabilities, including several flaws capable of facilitating remote code execution (RCE) (SecurityWeek).

The Apache HTTP Server update, version 2.4.67, resolves 11 distinct vulnerabilities, 10 of which impact all prior releases. Among the most severe is CVE-2026-23918, a double-free vulnerability within the HTTP/2 protocol handling that can be triggered via an early reset to cause a denial-of-service (DoS) or arbitrary code execution. Additionally, CVE-2026-28780 presents a heap buffer overflow risk, where an attacker sending crafted AJP messages could achieve similar RCE or DoS outcomes (SecurityWeek).

Beyond these RCE-capable bugs, the HTTP Server update addresses several other security weaknesses. These include three vulnerabilities (CVE-2026-29168, CVE-2026-29169, and CVE-2026-33007) that result in DoS conditions, and four flaws (CVE-2026-24072, CVE-2026-33857, CVE-2026-34032, and CVE-2026-34059) that lead to information disclosure. The release also fixes CVE-2026-33523, an improper neutralization of CRLF sequences allowing HTTP response manipulation, and CVE-2026-33006, a timing side-channel vulnerability that could permit Digest authentication bypass (SecurityWeek).

Simultaneously, Apache released MINA versions 2.2.7 and 2.1.12 to address two critical vulnerabilities that were previously subject to incomplete remediation. CVE-2026-42778 is an insecure deserialization flaw that allows RCE; it exists because the fix for CVE-2026-41409 was incomplete, and CVE-2026-41409 was itself an incomplete fix for CVE-2024-52046. Similarly, CVE-2026-42779 addresses an improper check flaw that allows for allowlist bypass and subsequent code execution, following an incomplete fix for CVE-2026-41635 (SecurityWeek).

To fully secure their environments after upgrading to the latest MINA releases, administrators are advised to explicitly define the classes that the decoder will accept within the `ObjectSerializationDecoder` instance. This configuration step is essential to mitigate the risks associated with the deserialization vulnerabilities (SecurityWeek).
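As an added illustration of the allowlisting step described above (this is not code from the SecurityWeek article or from the MINA project), the following server-side codec setup restricts `ObjectSerializationDecoder` to an application's own message classes. It assumes the `accept(...)` allowlist methods that MINA added to the decoder with its earlier deserialization fix, and `com.example.messages` is a placeholder package; check the method signatures against the javadoc of the MINA version you deploy.

```java
import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public final class AllowlistedObjectCodec {

    // Builds an acceptor whose object codec only deserializes allowlisted classes.
    public static IoAcceptor newAcceptor() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // Allowlist: only the application's own message types may be deserialized.
        // Uses the wildcard form of ObjectSerializationDecoder.accept(String...);
        // com.example.messages is a placeholder package name (assumption).
        decoder.accept("com.example.messages.*");

        // Bound the size of any single serialized object to limit resource
        // exhaustion from oversized payloads (64 KiB chosen for illustration).
        decoder.setMaxObjectSize(64 * 1024);

        ObjectSerializationEncoder encoder = new ObjectSerializationEncoder();

        // Install the explicitly configured decoder instead of relying on the
        // default ObjectSerializationCodecFactory, whose decoder has no allowlist set.
        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(encoder, decoder));
        return acceptor;
    }
}
```

Review the allowlist whenever message types change; a pattern widened to `*` or to a broad framework package silently re-opens the deserialization surface the patch was meant to close.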

The recurrence of vulnerabilities in the MINA framework highlights the challenges inherent in remediating complex deserialization and logic flaws. As these components are widely deployed in enterprise infrastructure, organizations should prioritize testing and deploying these updates to prevent potential exploitation of the identified RCE vectors. Monitoring for further guidance from the Apache Software Foundation remains recommended as these updates are integrated into downstream software distributions.

Synthesized by Vypr AI