alt3kx/CVE-2026-23918

GitHub: alt3kx/CVE-2026-23918

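A PoC detection tool for the Apache mod_http2 CVE-2026-23918 double-free vulnerability. It constructs HTTP/2 frames and uses timing analysis to judge whether the target can be made to crash.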


# CVE-2026-23918 Apache mod_http2 Double-Free Detector

https://github.com/user-attachments/assets/d6c30e58-548c-4b6d-9ba3-baa667238a58

```
python3 h2ghost.py -h
usage: h2ghost.py [-h] [--host HOST] [--port PORT] [--tls] [--no-tls]
                  [--iterations ITERATIONS] [--burst-n BURST_N]
                  [--timeout TIMEOUT] [--crash-threshold CRASH_THRESHOLD]
                  [--crash-multiplier CRASH_MULTIPLIER]
                  [--crash-min-delta CRASH_MIN_DELTA] [--output OUTPUT]
                  [--check-only] [--skip-check] [--verbose]
                  [TARGET]

Apache mod_http2 CVE-2026-23918 - double-free detector

positional arguments:
  TARGET                https://host:port http://host host:port host IP

options:
  -h, --help            show this help message and exit
  --host HOST           Target host (alt to positional)
  --port PORT           Target port (inferred from scheme/target if omitted)
  --tls                 Force TLS/HTTPS (default: auto-detect)
  --no-tls              Force plain TCP / h2c
  --iterations ITERATIONS
  --burst-n BURST_N     Triggers in check phase (default 10)
  --timeout TIMEOUT     Connection timeout s (default 2.5; use 5+ for internet)
  --crash-threshold CRASH_THRESHOLD
                        Fallback absolute ms when no baseline (default 150)
  --crash-multiplier CRASH_MULTIPLIER
                        reconnect/baseline ratio to flag as crash (default 1.3x)
  --crash-min-delta CRASH_MIN_DELTA
                        min ms above baseline (AND ratio) to flag crash (default 80ms)
  --output OUTPUT
  --check-only
  --skip-check
  --verbose

Crash detection logic
---------------------
  Trigger connection closing is NORMAL on both servers.
  A crash requires: PING fails on a FRESH connection
  AND reconnect > 150 ms (MPM restart delay).

Examples
--------
  python3 h2ghost.py https://127.0.0.1:9443 --check-only
  python3 h2ghost.py 127.0.0.1:7443 --check-only
  python3 h2ghost.py 127.0.0.1:9443 --iterations 200
  python3 h2ghost.py https://example.com --burst-n 20
```

# Vulnerability Summary

| Field | Value |
|---|---|
| CVE | CVE-2026-23918 |
| Severity | High |
| CVSS | 8.8 |
| Component | Apache httpd mod_http2 |
| Impact | Denial of service / potential RCE |
| Fixed in | Apache httpd 2.4.67 / mod_http2 2.0.37 |

# Technical Details

- **DoS:** trivially triggered with:
  - `1 connection`
  - `2 HTTP/2 frames`
- **Potential RCE exploitation vector**
  - APR mmap allocator
  - Debian / Docker environments
- **Fix**
  - Apache httpd `2.4.67`
  - mod_http2 `2.0.37`

# Credits

## Vulnerability Discovery

- Bartlomiej Dmitruk - Striga.ai
- Stanislaw Strzalkowski - ISEC.pl

## Detection Script

- Alex Hernandez aka (@\_alt3kx\_)

# References

- https://www.cve.org/CVERecord?id=CVE-2026-23918
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/blob/trunk/CHANGES
- https://bz.apache.org/bugzilla/show_bug.cgi?id=69899

# Disclaimer

This project is intended only for:

- Authorized security assessments
- Defensive testing
- Educational research

Testing systems without explicit written authorization may violate applicable laws and regulations.
The author accepts no responsibility for misuse.
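The crash-detection rule from the help text above, written out as an added example (this is not code from h2ghost.py). How the three thresholds combine is an assumption drawn from the flag descriptions; the function names and the sample timings are constructed for illustration.

```python
"""Added example: timing-based crash classification (not h2ghost.py's code)."""
from statistics import median

# Defaults taken from the help text above.
CRASH_THRESHOLD_MS = 150.0   # --crash-threshold: absolute fallback, no baseline
CRASH_MULTIPLIER = 1.3       # --crash-multiplier: reconnect/baseline ratio
CRASH_MIN_DELTA_MS = 80.0    # --crash-min-delta: ms above baseline


def baseline_ms(samples):
    """Median of pre-test reconnect times; None when nothing was measured."""
    return median(samples) if samples else None


def is_crash(ping_ok, reconnect_ms, baseline=None):
    """Classify one probe made on a FRESH connection after a trigger.

    Assumed combination of the documented flags: PING must fail, and the
    reconnect time must exceed the baseline by both ratio AND delta, or
    exceed the absolute threshold when no baseline exists.
    """
    if ping_ok:
        return False  # a closed trigger connection alone is normal
    if baseline is None:
        return reconnect_ms > CRASH_THRESHOLD_MS
    ratio_hit = reconnect_ms >= baseline * CRASH_MULTIPLIER
    delta_hit = reconnect_ms - baseline >= CRASH_MIN_DELTA_MS
    return ratio_hit and delta_hit


def flagged(probes, baseline_samples):
    """Return indexes of probes classified as crashes."""
    base = baseline_ms(baseline_samples)
    return [i for i, (ok, ms) in enumerate(probes) if is_crash(ok, ms, base)]


# Constructed measurements (ping_ok, reconnect_ms); not captured from a server.
LAN_BASELINE = [9.0, 11.0, 10.0]          # median 10 ms
WAN_BASELINE = [390.0, 410.0, 400.0]      # median 400 ms
LAN_PROBES = [(True, 300.0), (False, 20.0), (False, 240.0)]
WAN_PROBES = [(False, 490.0), (False, 620.0)]

if __name__ == "__main__":
    print("LAN crashes:", flagged(LAN_PROBES, LAN_BASELINE))
    print("WAN crashes:", flagged(WAN_PROBES, WAN_BASELINE))
    print("no baseline:", flagged([(False, 160.0), (False, 120.0)], []))
```

The LAN probe at 20 ms doubles the baseline but misses the 80 ms delta, and the WAN probe at 490 ms clears the delta but not the 1.3x ratio, so requiring both conditions keeps jitter on fast and slow links from being reported as a crash.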