
Critical Apache HTTP/2 Double-Free (CVE-2026-23918) Enables DoS and Practical RCE on Debian/Docker

  • Shipped
  • Action required
  • High importance

CVE-2026-23918 is a double-free vulnerability in mod_http2's h2_mplx.c, scoring CVSS 8.8. Apache HTTP Server 2.4.66 is affected; the fix ships in 2.4.67, released in May 2026. Researchers at Striga.ai and ISEC.pl discovered the flaw. The Prefork MPM is unaffected because it does not use the shared multiplexer code path; Worker and Event MPMs are vulnerable. Denial of service is trivially achievable against any affected instance serving HTTP/2. On systems using an mmap-backed allocator — which includes Debian-derived distributions and the official Apache httpd Docker images — the double-free is practically exploitable for remote code execution. Operators running Apache 2.4.66 with HTTP/2 enabled should upgrade to 2.4.67 immediately; those unable to patch should disable mod_http2 as an interim measure.
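As an added triage example (not part of the advisory, and not tooling from the Apache project), the POSIX shell script below applies the conditions stated above to captured `httpd -V` / `apache2ctl -V` and `httpd -M` / `apache2ctl -M` output: an instance needs action only if it is 2.4.66, has `http2_module` loaded, and runs the Worker or Event MPM; Prefork is reported separately as unaffected. It also produces the interim mitigation for a configuration fragment by commenting out the `LoadModule` line for mod_http2 (on Debian, `a2dismod http2` does the equivalent). The sample command outputs and the config fragment are constructed for illustration; the `assess_local` helper is an assumption about where the real commands live on a host.

```shell
#!/bin/sh
# Added example, not from the advisory: offline triage for CVE-2026-23918.
# Parses captured `httpd -V` and `httpd -M` output (or apache2ctl equivalents)
# and applies the advisory's conditions. Sample outputs below are constructed.

# Version number from the "Server version: Apache/2.4.66 (Unix)" line.
parse_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# MPM name ("prefork", "worker", "event") from the "Server MPM:" line.
parse_mpm() {
    printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*\([a-z]*\).*/\1/p'
}

# True (exit 0) if mod_http2 appears in the loaded-module list.
http2_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*http2_module[[:space:]]'
}

# Verdict for one instance, following the advisory:
#   2.4.66 + mod_http2 loaded + worker/event MPM -> "affected"
#   2.4.66 + mod_http2 loaded + prefork MPM      -> "unaffected-prefork"
#   any other version, or mod_http2 not loaded   -> "not-affected"
assess() {
    v_out="$1"; m_out="$2"
    ver=$(parse_version "$v_out"); mpm=$(parse_mpm "$v_out")
    if [ "$ver" != "2.4.66" ]; then echo "not-affected"; return 0; fi
    if ! http2_loaded "$m_out"; then echo "not-affected"; return 0; fi
    case "$mpm" in
        worker|event) echo "affected" ;;
        prefork)      echo "unaffected-prefork" ;;
        *)            echo "unknown-mpm" ;;
    esac
}

# Interim mitigation: comment out the LoadModule line for mod_http2 in a
# config fragment. Other LoadModule lines are left untouched.
disable_http2() {
    printf '%s\n' "$1" | \
        sed 's/^\([[:space:]]*\)\(LoadModule[[:space:]]\{1,\}http2_module\)/\1#\2/'
}

# Assumed helper for a live host: uses whichever control binary is on PATH.
# Not invoked by the constructed samples below.
assess_local() {
    bin=$(command -v apache2ctl || command -v httpd) || { echo "no httpd found"; return 1; }
    assess "$("$bin" -V 2>/dev/null)" "$("$bin" -M 2>/dev/null)"
}

# ---- constructed sample output (not captured from a real host) ----
SAMPLE_V='Server version: Apache/2.4.66 (Unix)
Server built:   May  1 2026 00:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)'

SAMPLE_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http2_module (shared)
 mpm_event_module (shared)'

SAMPLE_CONF='LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1'

echo "verdict: $(assess "$SAMPLE_V" "$SAMPLE_M")"   # affected
echo "mitigated config:"
disable_http2 "$SAMPLE_CONF"
```

Running the script as-is prints the verdict for the constructed Event-MPM sample and the fragment with mod_http2 commented out; `assess_local` can be called on a host after the script is sourced. The verdict is deliberately split three ways so that a fleet report distinguishes hosts that are fixed or never loaded mod_http2 from Prefork hosts that are unaffected today but would become exposed if their MPM were switched.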