CVE-2026-23918 Risk Assessment for Symantec DLP

Article ID: 439371

Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

Security teams and administrators have asked about CVE-2026-23918, a high-severity Double Free flaw with potential Remote Code Execution (RCE) in the Apache HTTP Server when it processes the HTTP/2 protocol.

This article clarifies whether the Symantec DLP Enforce Server console is vulnerable to or impacted by this flaw.

Environment

A critical architectural distinction must be made regarding the Symantec DLP deployment stack:

  • The Vulnerability Target: CVE-2026-23918 applies exclusively to the C-based Apache HTTP Server (httpd) via its mod_http2 module.
  • The DLP Architecture: The Symantec DLP Enforce Server console does not utilize Apache HTTP Server. Instead, it relies entirely on Apache Tomcat, running a Java-based web application stack natively bound to HTTP/1.1.

Hence, DLP is not impacted by this vulnerability.
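
The distinction above can be checked on a host. This is an added example, not part of the original article or the product: it looks for `http2_module` in `httpd -M`-style output and lists the `<Connector>` entries of a Tomcat `server.xml`. The sample inputs are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

H2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"  # Tomcat's HTTP/2 upgrade class

# Constructed samples for illustration; not taken from a DLP installation.
TOMCAT_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""
TOMCAT_WITH_H2 = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""
HTTPD_MODULES = """Loaded Modules:
 core_module (static)
 http_module (static)
 http2_module (shared)
 ssl_module (shared)
"""


def tomcat_connectors(server_xml):
    """Return (port, protocol, http2_upgrade) for each <Connector>."""
    rows = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        upgrades = {u.get("className") for u in conn.findall("UpgradeProtocol")}
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        rows.append((conn.get("port"), conn.get("protocol", "HTTP/1.1"),
                     H2_UPGRADE in upgrades))
    return rows


def httpd_has_mod_http2(modules_listing):
    """True if `httpd -M` style output lists http2_module."""
    return any(line.split()[:1] == ["http2_module"]
               for line in modules_listing.splitlines())


def assess(server_xml=None, modules_listing=None):
    """Summarise both stacks; only the httpd flag maps to the CVE's target."""
    h2_ports = [p for p, _, h2 in tomcat_connectors(server_xml) if h2] if server_xml else []
    return {
        "httpd_mod_http2_loaded": bool(modules_listing) and httpd_has_mod_http2(modules_listing),
        "tomcat_http2_ports": h2_ports,
    }


if __name__ == "__main__":
    print(assess(server_xml=TOMCAT_SERVER_XML))
    print(assess(modules_listing=HTTPD_MODULES))
```

A non-empty `tomcat_http2_ports` only shows that a connector departs from the HTTP/1.1 binding described above; the component the article names as the CVE's target is httpd with mod_http2.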

Resolution

Symantec Data Loss Prevention (DLP) is completely unaffected by CVE-2026-23918.

  • Patching Required: No.
  • Configuration Changes Required: No.
  • Workarounds Required: No.

Additional Information

CVE-2026-23918