Apache HTTP 2.4.17 to 2.4.38 is vulnerable to a local root exploit when mod_prefork, mod_worker and mod_event are used:
https://httpd.apache.org/security/vulnerabilities_24.html
We are hearing reports of exploit(s) already being produced and strongly recommend that everyone update to Apache HTTP 2.4.39 as soon as possible - especially in shared hosting environments!
https://www.apache.org/dist/httpd/Announcement2.4.html
https://www.zdnet.com/article/apache-web-server-bug-grants-root-access-on-shared-hosting-environments/