Toggle sidebar

HTTP/2 VULNERABILITY

impeeza

impeeza

¡Kabito!
Member
Level 40
Joined
Apr 5, 2011
Messages
10,552
Solutions
3
Reaction score
31,462
Trophies
6
Age
48
Location
At my chair.
XP
39,887
Country
Colombia
Fellow tempers be aware of a new vulnerability affecting almost all webservers, the CVE-2026-49975 (reserved link) is a remote denial‑of‑service vulnerability known as the “HTTP/2 Bomb,” which exploits how HTTP/2 handles header compression and connection flow control to force servers to allocate and retain excessive memory from very small requests. By combining HPACK compression amplification with stalled connections, an attacker can exhaust tens of gigabytes of memory in seconds using minimal bandwidth, making systems unresponsive.

In short, this exploit enables low-cost, high-impact denial-of-service conditions against exposed HTTP/2 services.

Platform(s) and Version(s) Affected:

[TABLE=full]
[TR]
[td]Platform(s)[/td][td width="191.35pt"]Vulnerable Version(s)[/td][td width="177.2pt"]Patched Stable Version(s)[/td]
[/TR]
[TR]
[td width="148.6pt"]Nginx[/td][td width="191.35pt"]<1.29.8[/td][td width="177.2pt"]1.30.2[/td]
[/TR]
[TR]
[td]Apache httpd[/td][td]All HTTP/2-enabled builds[/td][td]Fix is provided at the module level[/td]
[/TR]
[TR]
[td]Microsoft IIS[/td][td]All HTTP/2-enabled builds[/td][td]Fix is not yet available[/td]
[/TR]
[TR]
[td]Envoy Proxy[/td][td]<1.39[/td][td]Envoy Advisory[/td]
[/TR]
[TR]
[td]Cloudflare Pingora[/td][td]No official announcement[/td][td]Fix not yet available[/td]
[/TR]
[/TABLE]

Active Exploits:

There is no evidence that the vulnerability has been actively exploited in the wild. However, public proof-of-concept (PoC) code and technical details are available, lowering the barrier for potential exploitation and increasing the likelihood of rapid weaponization.

References:

 

Site & Scene News

Go to forum More news

Popular threads in this forum

Gaming Apple Android  Nintendo reveals their newest mobile game to release soon

Emulation  CEMU high threat alert on Linux

Sony agreed to a $7.85 million class action settlement to resolve claims it violated federal antitrust laws by monopolizing the digital game market

Megaman X for the SNES gets native PC Port

Gaming  Bubsy 4D releases to less-than-spectacular reviews

Forza Horizon 6 Files Reportedly Leak Through Steam Ahead of Release

Neon Odyssey - Official Announcement

Simpsons Hit & Run Android Port