Apache HTTP/2 CVE-2026-23918: cPanel EasyApache Patch Guide

Patch Apache HTTP/2 CVE-2026-23918 on WHM/cPanel hosting servers with EasyApache, verify Apache packages, restart httpd, and review logs safely.

Impact statement: CVE-2026-23918 affects Apache HTTP Server 2.4.66 with HTTP/2 support. Apache describes it as a double-free issue with possible remote code execution risk, and cPanel has published EasyApache 4 update guidance for WHM/cPanel servers. If you run public hosting, reseller hosting, agency hosting, or customer-facing Apache behind WHM/cPanel, treat this as a fast patch item.

This guide is written for defenders and server owners. It covers who is affected, what to update, how to verify the patch safely, what logs to review, and what to tell customers. It keeps abuse detail out of the public article.

Who Is Affected

  • WHM/cPanel servers using EasyApache 4 with Apache HTTP Server 2.4.66.
  • Internet-facing hosting nodes where HTTP/2 is enabled or available through the Apache build.
  • Shared hosting, reseller hosting, agency hosting, and managed VPS fleets where one Apache restart can affect many customer sites.
  • Any server where EasyApache packages are pinned, excluded, mirrored, or delayed by a package-management policy.

Apache lists Apache HTTP Server 2.4.66 as affected and says 2.4.67 fixes the issue. cPanel says to update EasyApache 4 packages, and its advisory includes AlmaLinux, CloudLinux, Imunify360, and Ubuntu notes. If your hosting server is still reporting Apache 2.4.66 after updates, do not assume it is safe just because the package manager says there is nothing to do. Check the active repositories, EasyApache profile, and cPanel update tier.

Patch WHM/cPanel On AlmaLinux

Plan a short maintenance window first. Apache may restart, and hosted sites can see a brief interruption while the new package is installed and services reload.

/usr/local/cpanel/cpanel -V
httpd -v
rpm -q ea-apache24 ea-apache24-mod_http2 2>/dev/null || true

dnf clean all
dnf makecache
dnf -y update 'ea-apache24*'

/scripts/restartsrv_httpd --hard
httpd -v
httpd -M | grep -i http2 || true
rpm -q ea-apache24 ea-apache24-mod_http2 2>/dev/null || true

After the update, confirm Apache no longer reports 2.4.66. If your server still shows the affected version, check for excluded packages in DNF, a stale local mirror, a locked EasyApache package, or a delayed CloudLinux channel.

Patch WHM/cPanel On Ubuntu

For cPanel servers on Ubuntu, use the EasyApache package path and verify the installed Apache build after the upgrade.

/usr/local/cpanel/cpanel -V
httpd -v
apt update
apt install --only-upgrade 'ea-apache24*'

/scripts/restartsrv_httpd --hard
httpd -v
httpd -M | grep -i http2 || true

If you manage many Ubuntu cPanel systems, verify each host individually. Do not assume one successful host means every node pulled the same EasyApache package.

CloudLinux And Imunify360 Notes

cPanel’s advisory includes repo-specific notes for CloudLinux and Imunify360 environments. On production hosting servers, confirm the correct channel for your fleet before enabling a testing or beta repository. If CloudLinux, Imunify360, or a local mirror is delaying the EasyApache build, document which machines remain on Apache 2.4.66 and prioritize a controlled patch path.

Temporary Mitigation If You Cannot Patch Immediately

The right fix is still the EasyApache update. If a business-critical server cannot be patched immediately, consider temporarily disabling HTTP/2 for Apache through WHM/EasyApache or your approved Apache configuration process, then restart Apache and verify customer sites still load. Use this only as a bridge to the package update, not as a permanent substitute for patching.

Safe Verification Checklist

  • Confirm the cPanel version with /usr/local/cpanel/cpanel -V.
  • Confirm the Apache version with httpd -v.
  • Confirm EasyApache package versions with rpm -q ea-apache24 ea-apache24-mod_http2 on RPM-based hosts.
  • Run httpd -t before and after configuration changes.
  • Test one owned customer or staging hostname after the restart, including HTTPS and a normal page load.
  • Recheck monitoring for Apache restarts, 5xx spikes, TLS errors, and customer-facing availability alerts.
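The version and module checks that the AlmaLinux and Ubuntu patch steps and this checklist rely on, written as one small POSIX shell helper. This is an added example, not code from the guide or from cPanel; it assumes that httpd -v prints a "Server version: Apache/2.4.NN" line and treats 2.4.67 as the first fixed release, as the advisory summary states.

```shell
#!/bin/sh
# Added verification helper; not part of the original guide or of cPanel's tooling.
# Assumptions: "httpd -v" prints "Server version: Apache/2.4.NN (...)" and 2.4.67 is the
# first fixed release for CVE-2026-23918.
FIXED_VERSION="2.4.67"

# Pull "2.4.66" out of a "Server version: Apache/2.4.66 (cPanel)" line; prints nothing if it cannot.
apache_version_from_line() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 when version $1 is greater than or equal to $2, comparing each dotted field as a
# number (a plain string comparison would misorder 2.4.100 against 2.4.67).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# Classify one "Server version:" line. Exit 0 = patched, 1 = still affected, 2 = could not parse.
check_version_line() {
    v=$(apache_version_from_line "$1")
    if [ -z "$v" ]; then echo "unknown: no Apache version in: $1"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "patched: Apache $v (>= $FIXED_VERSION)"; return 0; fi
    echo "STILL AFFECTED: Apache $v is below $FIXED_VERSION"; return 1
}

# Return 0 when "httpd -M" output lists mod_http2, i.e. the HTTP/2 code path is loaded at all.
http2_loaded() {
    printf '%s\n' "$1" | grep -qi 'http2_module'
}

# Live check of this host. Guarded by RUN_LIVE=1 so the file can be sourced without side effects.
check_host() {
    check_version_line "$(httpd -v 2>/dev/null | head -n 1)"; rc=$?
    if http2_loaded "$(httpd -M 2>/dev/null)"; then echo "mod_http2: loaded"; else echo "mod_http2: not loaded"; fi
    return $rc
}
if [ "${RUN_LIVE:-0}" = "1" ]; then check_host; fi
```

Run it as RUN_LIVE=1 sh check-apache.sh on each host; the exit status is 0 only when the reported Apache version is at or above 2.4.67, which makes it easy to loop over a fleet and list the nodes that still need attention.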

Logs Defenders Should Review

Review the Apache error log, domain-level logs for high-value customers, cPanel update logs, and service monitoring around the patch window. You are looking for repeated Apache worker crashes, unusual restart patterns, 5xx bursts, and sites that failed after the package update. Keep the review practical and operational: patch, verify, watch, and communicate.

tail -n 200 /usr/local/cpanel/logs/error_log
tail -n 200 /var/log/apache2/error_log 2>/dev/null || true
tail -n 200 /etc/apache2/logs/error_log 2>/dev/null || true
tail -n 200 /var/cpanel/updatelogs/latest 2>/dev/null || true
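A triage helper for the error-log review just described, added here as an example rather than taken from the guide. It assumes Apache's default error_log line format, the AH00052 "child pid N exit signal" message for worker crashes and the "resuming normal operations" message for each start, and it runs against a constructed sample log so it can be tried offline before pointing it at a real file.

```shell
#!/bin/sh
# Added error-log triage helper; not part of the original guide.
# Assumptions: default Apache error_log format, AH00052 "child pid N exit signal ..." for worker
# crashes, "resuming normal operations" for each (re)start. The sample log below is constructed.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Mon May 04 09:58:10.000001 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.66 (cPanel) OpenSSL/3.0.7 configured -- resuming normal operations
[Mon May 04 10:00:01.123456 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1290 exit signal Segmentation fault (11)
[Mon May 04 10:00:14.200000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1301 exit signal Segmentation fault (11)
[Mon May 04 10:00:52.900000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1315 exit signal Segmentation fault (11)
[Mon May 04 10:01:30.000000 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00493: SIGUSR1 received.  Doing graceful restart
[Mon May 04 10:01:31.000000 2026] [mpm_event:notice] [pid 1200:tid 1200] AH00489: Apache/2.4.66 (cPanel) OpenSSL/3.0.7 configured -- resuming normal operations
[Mon May 04 10:07:45.000000 2026] [core:notice] [pid 1200:tid 1200] AH00052: child pid 1402 exit signal Segmentation fault (11)
[Mon May 04 10:09:00.000000 2026] [ssl:warn] [pid 1200:tid 1200] AH01909: www.example.invalid:443:0 server certificate does NOT include an ID which matches the server name
EOF

# Number of worker-crash lines in log file $1 (prints 0 rather than failing when there are none).
count_worker_crashes() {
    grep -c -E 'AH00052|exit signal' "$1" || true
}

# Number of Apache (re)starts recorded in log file $1.
count_restarts() {
    grep -c 'resuming normal operations' "$1" || true
}

# Print each minute with at least $2 crashes (default 3) as "May 04 10:00: 3 worker crashes".
# Crashes clustered in one minute separate a crash storm from a single stray segfault.
crash_bursts() {
    grep -E 'AH00052|exit signal' "$1" | awk -v t="${2:-3}" '
        { key = $2 " " $3 " " substr($4, 1, 5)
          if (!(key in n)) order[++k] = key
          n[key]++ }
        END { for (i = 1; i <= k; i++) if (n[order[i]] >= t) print order[i] ": " n[order[i]] " worker crashes" }'
}

# Triage summary for one log file; pass a real error_log path as the first argument on a live host.
triage() {
    echo "worker crashes: $(count_worker_crashes "$1")"
    echo "restarts:       $(count_restarts "$1")"
    crash_bursts "$1"
}
triage "${1:-$SAMPLE_LOG}"
```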

Do The Exim Maintenance While You Are There

cPanel also published a May 2026 Exim security update covering CVE-2026-40684, CVE-2026-40685, CVE-2026-40686, and CVE-2026-40687. If you are already scheduling a WHM/cPanel security window, include mail service verification too.

/scripts/upcp --force
exim -bV | head -n 1
/scripts/restartsrv_exim --restart
exim -bp | head

For hosting providers, this is also a good time to confirm outbound mail monitoring, queue health, and backup MX behavior. Keep mail customers informed if the restart window may briefly affect delivery.

Customer Communication

For managed hosting customers, a plain note is enough: Apache and mail-server security updates are being applied, sites may briefly restart, and no customer action is needed unless they manage their own VPS or custom Apache stack. For self-managed VPS customers, tell them to confirm Apache is no longer 2.4.66 and to apply the matching OS or EasyApache updates themselves.
