This is a Use-After-Free (UAF) flaw in the scoreboard. A less-privileged child process (like a PHP script) can manipulate the shared memory to gain root privileges when the server performs a graceful restart.
I can summarize known issues and exploitation details for Apache HTTPD 2.4.18 and point out mitigations. I'll assume you want a concise technical report-style summary — here it is. apache httpd 2.4.18 exploit
Trending CVEs for the Week of April 8th, 2019 - Blog - NopSec This is a Use-After-Free (UAF) flaw in the scoreboard