CVE-2026-23918 high

Striga says its Apache httpd scan surfaced CVE-2026-23918

Striga says an open-weights model scan costing under $100 surfaced the Apache HTTP Server 2.4.66 mod_http2 double-free behind CVE-2026-23918; Apache credits Bartlomiej Dmitruk, striga.ai, and Stanislaw Strzalkowski, isec.pl, as finders.

Bug class: HTTP/2 double free with possible remote code execution
Affected codebase: Apache HTTP Server
Credited system: Striga AI
Disclosed: May 4, 2026
Attribution: Self-reported attribution
Severity: high
Source status: Striga's May 6, 2026 write-up supplies the AI-workflow attribution, technical analysis, lab RCE chain, March 26 security-report date, and under-$100 compute-cost claim. Apache's advisory, oss-security, and NVD corroborate the vulnerability, affected version, 2.4.67 fix, and finder credits. The cost claim is now public first-party evidence, not independently audited.

Summary

Apache HTTP Server 2.4.67 fixed CVE-2026-23918, an HTTP/2 double-free issue with possible remote code execution. Apache lists the affected version as 2.4.66 and recommends upgrading to 2.4.67.

Striga’s May 6, 2026 write-up places the bug in mod_http2 stream cleanup: a HEADERS frame followed by an early RST_STREAM for the same stream can push the same h2_stream pointer onto the cleanup array twice, so apr_pool_destroy runs a second time on memory that has already been freed. Striga says one connection and two HTTP/2 frames are enough to crash a worker process, and that its lab proof-of-concept reaches code execution only when paired with already-known system() and scoreboard addresses.
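The duplicate-cleanup pattern described above, as a constructed C model added here and not code from Apache httpd, mod_http2, or Striga’s write-up: the stream and cleanup-list types, the two scheduling paths (a reset handler and a connection close-out walk) and the released flag are all assumptions of the model, which does not reproduce apr_pool internals or any real exploit step. It shows the bug class only: one path appends a stream pointer to the cleanup array unconditionally, a second path appends it again, and the cleanup loop releases it twice; the fixed variant makes scheduling idempotent so the same pointer can be queued at most once.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a double free caused by scheduling the same object
 * for cleanup twice. Not mod_http2 code; apr_pool mechanics are not modelled. */

#define MAX_STREAMS 8

struct stream {
    int id;
    int scheduled;   /* guard used only by the fixed variant */
    int released;    /* set once the cleanup loop has destroyed the stream */
};

struct cleanup_list {
    struct stream *items[2 * MAX_STREAMS];
    int n;
};

/* Buggy: append unconditionally, so a second call for the same stream
 * creates a duplicate entry in the array. */
static void schedule_buggy(struct cleanup_list *cl, struct stream *s)
{
    cl->items[cl->n++] = s;
}

/* Fixed: scheduling is idempotent; a stream is queued at most once. */
static int schedule_fixed(struct cleanup_list *cl, struct stream *s)
{
    if (s->scheduled)
        return 0;            /* already queued, nothing to do */
    s->scheduled = 1;
    cl->items[cl->n++] = s;
    return 1;
}

/* Cleanup loop. Instead of calling free() twice (undefined behaviour), the
 * model flags each stream as released and counts every attempt to release
 * a stream that is already gone; that count is where a real pool destroy
 * would be touching freed memory. Returns the number of double releases. */
static int run_cleanup(struct cleanup_list *cl)
{
    int double_releases = 0;
    for (int i = 0; i < cl->n; i++) {
        struct stream *s = cl->items[i];
        if (s->released) {
            double_releases++;
            continue;
        }
        s->released = 1;
    }
    cl->n = 0;
    return double_releases;
}

/* Model of one connection: HEADERS creates stream 1, an early RST_STREAM
 * makes the reset path (assumed path A) schedule cleanup, and the
 * connection's close-out walk (assumed path B) schedules it again.
 * Returns how many double releases the cleanup loop observed. */
int simulate_early_reset(int use_fix)
{
    struct stream streams[MAX_STREAMS];
    struct cleanup_list cl = { {0}, 0 };
    memset(streams, 0, sizeof(streams));

    streams[0].id = 1;                 /* HEADERS: stream 1 exists */
    struct stream *s = &streams[0];

    if (use_fix) schedule_fixed(&cl, s); else schedule_buggy(&cl, s);   /* path A: RST_STREAM */
    if (use_fix) schedule_fixed(&cl, s); else schedule_buggy(&cl, s);   /* path B: close-out */

    return run_cleanup(&cl);
}

int main(void)
{
    printf("buggy scheduler: %d double release(s)\n", simulate_early_reset(0));
    printf("fixed scheduler: %d double release(s)\n", simulate_early_reset(1));
    return 0;
}
```

The guard is the generic shape of a fix for this class (make enqueue idempotent, or clear the pointer from the owning structure when it is queued); whether Apache’s 2.4.67 change takes that exact form is not something this page establishes.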

The Apache advisory and oss-security posting both credit Bartlomiej Dmitruk, striga.ai, and Stanislaw Strzalkowski, isec.pl, as finders. Striga’s timeline says the same crash had been reported to Apache Bugzilla in December 2025 as a stability issue and fixed in trunk, but that Apache httpd 2.4.66 remained the public stable release. Striga says it independently surfaced the bug in 2.4.66 on March 26, 2026, reported it to the Apache security team, and that the security report led to CVE assignment and the 2.4.67 release on May 4, 2026.

NVD records the issue as a double free in Apache HTTP Server, with the CISA ADP record scoring it CVSS 3.1 8.8 (high).

Attribution

This entry remains labeled self-reported. The upstream Apache record is strong evidence that a Striga-affiliated researcher helped find and report the vulnerability. The new Striga write-up adds first-party detail that Striga surfaced the bug during open-source research on Apache httpd 2.4.66, using open-weights models in an end-to-end scan that Striga says cost under $100 in compute.

That is stronger than the earlier social-media-only cost claim, but it is still first-party evidence. Apache, NVD, and oss-security corroborate the vulnerability and finder credits; they do not independently audit Striga’s compute bill or reproduce the exact scan workflow.

Why it matters

Apache httpd is mature, widely deployed infrastructure. A high-severity HTTP/2 memory-safety issue that Striga says was surfaced by an AI-assisted audit for under $100 is therefore a meaningful bugflation signal, even with careful attribution.

The boundary is important: the public evidence now supports Striga’s first-party claim about AI-assisted discovery and audit economics. It does not turn the entry into independently verified cost accounting or proof of full autonomy.

Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.