How exposed is Switzerland to CVE-2026-23918?

7'141 Swiss servers run Apache 2.4.66 the day after CVE-2026-23918. Only 14.8% have HTTP/2 enabled, the actual exploit gate. Inside our 749 host probe.

Tags: cve, apache, threat-intel, switzerland

CVE-2026-23918 was published yesterday. By this morning we wanted to know how much of the Swiss internet was sitting on the affected version. The short answer is 7'141 hosts, the long answer is more interesting, and the part that should reassure most operators is that only about 290 of those are actually exploitable.

The numbers in one table

| Measurement | Value |
|---|---|
| Swiss hosts advertising Apache/2.4.66 | 7’141 |
| Share of all Swiss Apache | 11.4% (7’141 of 62’882) |
| Confirmed h2 ALPN in our 749 host TLS probe | 111 (14.8%) |
| Negotiated http/1.1 only, safe from this CVE | 575 (76.8%) |
| Estimated truly exploitable on TLS in Switzerland | ~290 |
| Already on the patched 2.4.67 in our probe | 2 |
| Largest concentration in confirmed exploitable cohort | ARONET GmbH, 38 of 111 (34%) |
| Per million population, vs DACH neighbours | CH 821, DE 1’188, AT 507 |

Snapshot taken on 2026-05-05, roughly 24 hours after Apache published the fix in 2.4.67.

What CVE-2026-23918 actually is

The Apache HTTP Server team disclosed CVE-2026-23918 on 2026-05-04. It is a double free in mod_http2, triggered by an HTTP/2 early stream reset, that can lead to remote code execution. CVSS 8.8. The affected version range is narrow: only Apache 2.4.66 carries the bug. Earlier 2.4.x releases use an older mod_http2 codebase without the racing call sites. The fix is in 2.4.67. If you cannot upgrade immediately, the published mitigation is to drop h2 from the Protocols directive, which disables HTTP/2 negotiation entirely.

The bug was reported privately on 2025-12-10 by Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl), and was fixed in trunk the next day. The public release was held until 2026-05-04. Apache 2.4.66 had been the latest stable for roughly 5 months. Anyone who upgraded promptly during that window landed on the regression. We covered the technical detail of the bug separately in our CVE-2026-23918 explainer.

How we measured it

Two parts.

Part 1, Shodan facets and banners. We pulled two Shodan queries on 2026-05-05:

country:CH "Server: Apache/2.4.66"     -> 7'141 hosts
country:CH product:"Apache httpd"      -> 62'882 hosts

The first is the version specific count. The second is the denominator. We then downloaded the full banner records for the 7’141 set (capped at 3’800 records by the per query API limits, deduped to 2’910 unique IP and port pairs). We also took the equivalent country counts for DE, FR, AT, IT, GB, and US to put Swiss exposure in regional context.

Part 2, scoped active probe. Shodan’s banner does not consistently capture ALPN, and ALPN is the actual gate for this CVE. So we ran a small probe of our own, scoped tight on purpose:

  • One TLS handshake per host offering ALPN h2 and http/1.1, recording which protocol the server negotiated.
  • One GET / to recover the live Server header, in case a host had upgraded to 2.4.67 between Shodan’s last scan and ours.
  • No POST, no authentication, no exploit payloads, no /server-status, no follow up requests.
  • Custom User-Agent identifying the probe, with a contact mailbox.

We probed all 749 hosts on TLS ports (443, 8443, 4443, 9443) from the deduped sample. The plaintext port 80 set was not actively probed, since HTTP/2 cleartext (h2c) on port 80 is uncommon in production Apache deployments.

The probe was run with 64 threads and a 6 second per host timeout. Total wall time roughly 2 minutes. All scripts and raw artifacts are kept locally; no exploit code exists in the workflow.
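The two request probe described above, as an added example written for this article's method rather than the probe script itself: one handshake offering h2 and http/1.1, one HTTP/1.1 GET / for the live Server header, and a classifier that buckets each host the way the results table does. The User-Agent string, the bucket names and the function names are assumptions; probe_host is the per host unit you would hand to a thread pool with the 6 second timeout.

```python
import re
import socket
import ssl

# Constructed identification string for the probe; put your own contact mailbox here.
USER_AGENT = "cve-2026-23918-exposure-probe/1.0 (contact: security@example.invalid)"
SERVER_RE = re.compile(rb"^server:[ \t]*(.+?)\r?$", re.I | re.M)
VERSION_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")

def tls_connect(host, port, timeout, alpn):
    # Certificate checks are off on purpose: we want the banner behind expired or mismatched certs too.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.set_alpn_protocols(alpn)
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout), server_hostname=host)

def negotiate_alpn(host, port=443, timeout=6.0):
    # Handshake 1: offer h2 and http/1.1 and return the server's pick (None if it sent no ALPN).
    with tls_connect(host, port, timeout, ["h2", "http/1.1"]) as tls:
        return tls.selected_alpn_protocol()

def fetch_server_header(host, port=443, timeout=6.0):
    # Handshake 2, http/1.1 only: one GET / to read the live Server header, nothing else.
    request = (f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {USER_AGENT}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with tls_connect(host, port, timeout, ["http/1.1"]) as tls:
        tls.sendall(request)
        head = tls.makefile("rb").read(65536)  # Connection: close, so this ends at EOF or 64 KiB
    return parse_server_header(head)

def parse_server_header(response):
    # Server header value from the raw response bytes, or None if the header is absent.
    m = SERVER_RE.search(response.split(b"\r\n\r\n", 1)[0])
    return m.group(1).decode("latin-1").strip() if m else None

def classify(alpn, server_header):
    # Map one host's results onto the article's buckets: ALPN, not the banner, is the gate.
    m = VERSION_RE.search(server_header or "")
    if not m or m.group(1) != "2.4.66":
        return "not-2.4.66"  # upgraded (e.g. 2.4.67), another version, or version hidden
    return "h2-exploitable" if alpn == "h2" else "http1-only-safe"

def probe_host(host, port=443, timeout=6.0):
    # Per host result: (outcome, negotiated_alpn, server_header); every TLS failure is one bucket.
    try:
        alpn = negotiate_alpn(host, port, timeout)
        server = fetch_server_header(host, port, timeout)
    except OSError:  # timeout, refused, handshake or certificate failure, host gone away
        return "tls-error", None, None
    return classify(alpn, server), alpn, server
```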

What the probe actually showed

In the 749 host TLS sample:

| Outcome | Count | Share |
|---|---|---|
| Negotiated h2 (HTTP/2 enabled) | 111 | 14.8% |
| Negotiated http/1.1 only | 575 | 76.8% |
| TLS error or timeout | 63 | 8.4% |

Apache 2.4.66 with HTTP/2 disabled is not exploitable through this CVE. So 575 of the 749 hosts we looked at are running the affected version but the protocol mitigation is already in place by accident or by config. Another 63 fell at the TLS layer (timeout, certificate problem, host gone away).

If we extrapolate the 14.8% rate to the full 1’955 TLS served Swiss Apache/2.4.66 population, we get a realistic exploitable count of roughly 290 hosts on TLS, plus an unknown smaller number of plaintext h2c on port 80 that we did not measure. That is a much smaller number than the 7’141 banner count, and a more honest one to plan around.

Apache 2.4.66 is the most common Apache version on the Swiss internet

Of all Swiss hosts that Shodan classifies under product:"Apache httpd", version 2.4.66 is the single most common build. The top 10 versions:

| Version | Hosts | Status |
|---|---|---|
| 2.4.66 | 6’062 | vulnerable to this CVE |
| 2.4.58 | 4’689 | not vulnerable |
| 2.4.52 | 2’131 | not vulnerable |
| 2.4.62 | 1’538 | not vulnerable |
| 2.4.41 | 1’517 | not vulnerable |
| 2.4.6 | 1’415 | end of life branch |
| 2.4.65 | 1’403 | not vulnerable |
| 2.4.25 | 790 | end of life |
| 2.4.29 | 768 | end of life |
| 2.2.22 | 642 | end of life since 2017 |

The 2.4.x long tail and the 2.2.x leftovers are a separate story (ancient Apache running on the Swiss internet, surfaces for a different CVE every other quarter), but they are not in scope for CVE-2026-23918.

What matters for today is that 2.4.66 is the most popular release, and it is the one that shipped the regression. Operators with good patch hygiene moved early and were punished.

Hosting concentration is the real story

Looking at the 7’141 host facet by ASN, a small number of providers carry most of the exposure:

| ASN | Operator | Hosts on 2.4.66 | Share of CH |
|---|---|---|---|
| AS6730 | Sunrise GmbH | 1’233 | 17.3% |
| AS16509 | Amazon (CH region) | 864 | 12.1% |
| AS396982 | Google Cloud (Zurich) | 824 | 11.5% |
| AS29222 | Infomaniak Network SA | 813 | 11.4% |
| AS3303 | Swisscom | 408 | 5.7% |
| AS559 | SWITCH (academic backbone) | 357 | 5.0% |
| AS13030 | Init7 (Switzerland) | 223 | 3.1% |
| AS207143 | hosttech / ARONET | 210 | 2.9% |

The top 4 ASNs together host more than half (52%) of the entire Swiss Apache/2.4.66 footprint. A coordinated rolling upgrade from any of Sunrise, Amazon CH, Google Cloud Zurich, or Infomaniak would close most of the population in one motion.

The pattern gets sharper inside our confirmed exploitable cohort, where we know HTTP/2 is on. Of the 111 hosts that explicitly negotiated h2:

| Operator | Confirmed exploitable hosts |
|---|---|
| ARONET GmbH (AS207143) | 38 (34%) |
| Infomaniak Network SA | 16 (14%) |
| Iway AG | 3 |
| Fiber7 | 3 |
| Swisscom | 4 |
| ETH/UNIZH Camp Net | 2 |
| Everyone else | 45 |

ARONET GmbH alone accounts for one third of the entire confirmed exploitable Swiss population. Most of those 38 hosts sit inside a single 185.35.28.0/24 block, with reverse DNS pointing at customer domains (a small equestrian shop, a podiatrist, a handful of agency sites). This is a multi tenant managed hosting cluster running 2.4.66 with HTTP/2 enabled at the operator level. One coordinated upgrade from ARONET resolves a third of the confirmed exploitable population in Switzerland by itself.

Infomaniak’s 16 confirmed exploitable hosts follow the same shape: shared hosting customer domains, one operator pushing the upgrade fixes everyone behind it.

Sector findings

We classified each host by sector using a combination of org name, ISP, certificate fields, and DNS. The classifier is heuristic, not perfect, and the “absent from the cohort” claims in this section are bounded by what hostnames and certificates expose to the internet.

In the confirmed exploitable cohort of 111 hosts:

  • 79 fall into “other” (mostly small business sites and miscellaneous web infrastructure)
  • 30 are telco/ISP customer space
  • 2 are commercial hosting

Notably absent from the exploitable cohort: any major Swiss bank (UBS, Raiffeisen, PostFinance, ZKB, BCV, BCGE, Migros Bank, Swissquote, SIX), any major hospital network (Insel, USZ, CHUV, HUG, Hirslanden), and any *.admin.ch or other federal hostname. Academic hosts surfaced at two institutions: nexttest.ethz.ch and auth-staging.vseth.ethz.ch at ETH Zurich, and innoguard-winter-school-2025.inf.unibe.ch at the University of Bern computer science department. Both ETH hosts look like staging or test infrastructure, the Bern host like a course microsite.

The interesting angle is what the broader candidate set turned up, even where HTTP/2 was disabled. The Swiss Federal Office for Information Technology (FOITT) runs Apache 2.4.66 on six PKI registration authority hosts at ra.pki.admin.ch and ra.a-pki.admin.ch. All six were probed, all six negotiated http/1.1 only. The federal PKI is on the affected version but the protocol mitigation is already in place. That is exactly the configuration the Apache advisory recommends as a temporary workaround.

It is also a useful real world data point: a high value target was running the vulnerable build on patch day, and the difference between a finding and a non finding came down to one config line.

How Switzerland compares to the neighbourhood

Globally, Shodan returns 675’153 hosts on Apache/2.4.66. Switzerland is 1.06% of that worldwide pool, close to its share of European internet exposure overall. By raw count Switzerland is small. By per capita exposure it is not.

| Country | Hosts on 2.4.66 | Per million population |
|---|---|---|
| Germany | 100’269 | 1’188 |
| Switzerland | 7’141 | 821 |
| France | 52’774 | 780 |
| United States | 180’625 | 544 |
| Austria | 4’567 | 507 |
| United Kingdom | 20’798 | 310 |
| Italy | 13’218 | 224 |

Per capita, Switzerland sits second behind Germany inside DACH, and ahead of France, the UK, and the US in the broader sample. The 821 per million number is partly a function of how many Swiss SMBs run their own self managed Apache, and partly a result of the small Swiss managed hosting market being concentrated in a handful of operators that all happened to deploy 2.4.66.

Day 1 patching response

Two of the 749 TLS hosts we probed had already moved to Apache 2.4.67 by the time we ran our probe. Two. The rest of the patch window is wide open. The first 24 hours after public disclosure are usually the slowest, with most operators rolling updates over the first week. Expect the curve to steepen as distribution maintainers ship backported packages and as automation pulls them down.

We have not seen any reporting of active exploitation in the wild. CVE-2026-23918 is not on the CISA Known Exploited Vulnerabilities catalog as of writing. No public proof of concept has been published. No mainstream tracker (Mandiant, Unit 42, MSTIC, Volexity) has named an actor against this CVE. The closest analogue is CVE-2023-44487, the HTTP/2 Rapid Reset DDoS, which was weaponised within days of disclosure. This new bug shares the protocol surface and the trigger pattern, but unlike Rapid Reset it leads to memory corruption rather than resource exhaustion, which raises the value of the primitive for an attacker.

A reasonable expectation is that proof of concept code surfaces within a week and that opportunistic scanning starts shortly after. Operators with HTTP/2 on and 2.4.66 deployed should treat the patch as urgent. Everyone else has a week or two of breathing room.

What this means if you operate Apache in Switzerland

For an SMB or MSP running their own Apache, the playbook is short and specific.

Run apachectl -v on every box you operate. Anything that returns Server version: Apache/2.4.66 is in scope. For each one, check whether mod_http2 is loaded (apachectl -M | grep http2) and whether HTTP/2 is offered (grep -RiE "Protocols.*h2c?" /etc/apache2 /etc/httpd). If those checks come back positive on a 2.4.66 box, you are exposed.

The fix is apt install apache2 or dnf upgrade httpd after your distribution publishes 2.4.67. If the package is not yet there, the one line workaround is Protocols http/1.1 in your main config or your virtual host, then systemctl restart apache2. Verify with curl --http2 -I https://your-domain that HTTP/2 negotiation now falls back to 1.1.
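The same three checks as one script, added here as an illustration rather than taken from the post: it reads apachectl -v, apachectl -M and every file under the config directories, and returns one verdict per box. The verdict strings and the function names are assumptions; it walks the whole config tree, so a Protocols line in a disabled vhost under sites-available counts too, which errs on the side of flagging.

```python
import os
import re
import subprocess

VERSION_RE = re.compile(r"Server version: Apache/(\d+\.\d+\.\d+)")
PROTOCOLS_RE = re.compile(r"^[ \t]*Protocols[ \t]+(.*)$", re.I | re.M)  # a commented-out line starts with #

def offered_h2(config_text):
    # Which HTTP/2 tokens (h2 over TLS, h2c cleartext) any live Protocols directive offers.
    found = set()
    for m in PROTOCOLS_RE.finditer(config_text):
        found.update(t.lower() for t in m.group(1).split() if t.lower() in ("h2", "h2c"))
    return found

def classify_local(version_output, modules_output, config_text):
    # Verdict for one box from `apachectl -v`, `apachectl -M` and the concatenated config.
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown-version"
    if m.group(1) != "2.4.66":
        return "not-affected-version"
    if "http2_module" not in modules_output:
        return "affected-version-mod_http2-not-loaded"   # no h2 without the module, whatever Protocols says
    h2 = offered_h2(config_text)
    if not h2:
        return "affected-version-h2-not-offered"         # Protocols defaults to http/1.1 only
    return "exposed-" + "+".join(sorted(h2))             # e.g. exposed-h2 or exposed-h2+h2c

def read_config_tree(config_dirs):
    # Concatenate every readable file under the config directories (conf.d, sites-enabled, ...).
    parts = []
    for top in config_dirs:
        for root, _, files in os.walk(top):
            for name in files:
                try:
                    with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                        parts.append(fh.read())
                except OSError:
                    pass
    return "\n".join(parts)

def check_local_apache(apachectl="apachectl", config_dirs=("/etc/apache2", "/etc/httpd")):
    # Read-only: runs the two apachectl queries and reads the config, then classifies.
    def run(flag):
        proc = subprocess.run([apachectl, flag], capture_output=True, text=True)
        return proc.stdout + proc.stderr  # apache2ctl on Debian prints some of this to stderr
    return classify_local(run("-v"), run("-M"), read_config_tree(config_dirs))
```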

For shared hosting customers on Sunrise, Infomaniak, ARONET (exenti.ch cluster), hosttech, Iway, and similar Swiss operators, this is fundamentally an operator side fix. If your site runs on managed hosting you cannot ship the patch yourself. The right move is a polite ticket asking your provider for the rollout schedule for 2.4.67. Cite the CVE number; they will know what you mean.

For SWITCH and the broader academic sector, 357 instances on AS559 is enough to warrant a coordinated CSIRT advisory. Many of those are managed independently by departments and labs. A central nudge through the SWITCH security mailing list closes the long tail faster than waiting for each lab to notice.

Caveats and limits

The numbers above are a single point in time snapshot at 18:00 CEST on 2026-05-05. Shodan rescans constantly, so day to day movement of plus or minus 5% is normal. The 24 hour patch uptake number will look very different next week.

The full banner download was capped at 3’800 records by the API. Sector breakdowns based on the 2’910 deduped sample should be treated as scaled estimates rather than exact counts. The HTTP/2 detection covers TLS endpoints only. Plaintext h2c on port 80 was not measured; the population of h2c production Apache deployments is small, but it is non zero.

Sector classification by hostname and certificate is heuristic. A hospital with no spital or hopital substring in DNS or cert will be tagged as “other”. The “no major bank or hospital” finding is therefore an absence of evidence in our chosen indicators, not a strong claim of absolute absence. The federal PKI-RA hosts were caught only because their hostnames are ra.pki.admin.ch and ra.a-pki.admin.ch; an admin.ch host with a non admin.ch certificate would have been missed.

Geographic coordinates from Shodan are operator level (ASN registration city), not necessarily where a box physically sits.

Where Sentinel fits

The exercise above takes a couple of hours of focused work for one analyst across one country. We do this kind of thing because most of our customers do not have time to. Sentinel scans your public IP space, fingerprints the Apache version from the Server header and the TLS handshake, and tells you whether you are on 2.4.66 with HTTP/2 enabled. The free scan finishes in 30 to 60 minutes and is delivered as a written report a manager without a security background can read without an interpreter.

If you are an MSP with several clients, the partner program lets you hand the scan and the report through under your own brand. Multi tenant managed hosting clusters like the ARONET pattern above are exactly where the value compounds: one scan surfaces every customer who would otherwise have been a separate ticket.

Reproducibility

The Shodan queries above can be run by anyone with a Shodan account. The probe scripts use only public web requests with no authentication and no exploit payloads. We are happy to share the methodology and the per host CSV with researchers and CSIRTs on request; the underlying IPs are already in Shodan’s public catalogue.

The patch is small. Knowing where to apply it remains the part most teams get wrong. The Swiss internet has a week, give or take, before the easy phase of this CVE ends and the awkward one begins.