HTTP/2 VULNERABILITY


impeeza

Fellow tempers, be aware of a new vulnerability affecting almost all web servers. CVE-2026-49975 (reserved link) is a remote denial‑of‑service vulnerability known as the “HTTP/2 Bomb,” which exploits how HTTP/2 handles header compression and connection flow control to force servers to allocate and retain excessive memory from very small requests. By combining HPACK compression amplification with stalled connections, an attacker can exhaust tens of gigabytes of memory in seconds using minimal bandwidth, making systems unresponsive.

In short, this exploit enables low-cost, high-impact denial-of-service conditions against exposed HTTP/2 services.

Platform(s) and Version(s) Affected:

[TABLE=full]
[TR]
[td]Platform(s)[/td][td]Vulnerable Version(s)[/td][td]Patched Stable Version(s)[/td]
[/TR]
[TR]
[td]Nginx[/td][td]<1.29.8[/td][td]1.30.2[/td]
[/TR]
[TR]
[td]Apache httpd[/td][td]All HTTP/2-enabled builds[/td][td]Fix is provided at the module level[/td]
[/TR]
[TR]
[td]Microsoft IIS[/td][td]All HTTP/2-enabled builds[/td][td]Fix is not yet available[/td]
[/TR]
[TR]
[td]Envoy Proxy[/td][td]<1.39[/td][td]Envoy Advisory[/td]
[/TR]
[TR]
[td]Cloudflare Pingora[/td][td]No official announcement[/td][td]Fix not yet available[/td]
[/TR]
[/TABLE]

Active Exploits:

There is no evidence that the vulnerability has been actively exploited in the wild. However, public proof-of-concept (PoC) code and technical details are available, lowering the barrier for potential exploitation and increasing the likelihood of rapid weaponization.

References:
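Added illustration (not part of impeeza's post and not code from any of the servers listed above): a toy model of the two mechanisms the post describes, HPACK-style header expansion and memory retained by stalled connections, together with the two defensive limits a server relies on against them: a cap on the decoded header list size (SETTINGS_MAX_HEADER_LIST_SIZE in RFC 9113) and reaping of connections that stop making progress. The token layout, byte costs and names (HpackLikeDecoder, ConnectionTable, amplifying_block) are simplified assumptions, not real HPACK framing.

```python
"""Toy model of HPACK-style header expansion plus two defensive limits:
a cap on decoded header-list size and reaping of stalled connections.

Added illustration only.  Not real HPACK, not code from the post or from
any server it lists; token layout and byte costs are simplified assumptions.
"""

from dataclasses import dataclass, field

# Token kinds of the constructed "encoded" block.  A literal carries its
# bytes on the wire and is inserted into the dynamic table; an index token
# costs one wire byte but expands to the full stored field on decode.
LITERAL, INDEX = "literal", "index"


class HeaderListTooLarge(Exception):
    """Raised when decoded headers would exceed the advertised limit."""


@dataclass
class HpackLikeDecoder:
    max_header_list_size: int                      # bytes we agree to hold
    dynamic_table: list = field(default_factory=list)

    @staticmethod
    def field_size(name: str, value: str) -> int:
        # RFC 9113 counts name + value + 32 bytes of overhead per field.
        return len(name) + len(value) + 32

    def decode(self, block):
        """Return (wire_bytes, decoded_fields).  The cap is checked per field,
        so an amplifying block is rejected before the full allocation is made."""
        wire, size, decoded = 0, 0, []
        for tok in block:
            if tok[0] == LITERAL:
                _, name, value = tok
                wire += 2 + len(name) + len(value)   # assumed literal encoding cost
                self.dynamic_table.insert(0, (name, value))
            elif tok[0] == INDEX:
                _, idx = tok
                wire += 1                            # one byte references a table entry
                name, value = self.dynamic_table[idx]
            else:
                raise ValueError(f"unknown token {tok[0]!r}")
            size += self.field_size(name, value)
            if size > self.max_header_list_size:
                raise HeaderListTooLarge(f"{size} > {self.max_header_list_size}")
            decoded.append((name, value))
        return wire, decoded


def decoded_size(fields) -> int:
    return sum(HpackLikeDecoder.field_size(n, v) for n, v in fields)


def amplifying_block(value_len: int, repeats: int):
    """Constructed sample: one large literal, then many 1-byte index references."""
    return [(LITERAL, "x-pad", "A" * value_len)] + [(INDEX, 0)] * repeats


def is_rejected(block, cap: int) -> bool:
    """True if a decoder with the given cap refuses the block."""
    try:
        HpackLikeDecoder(max_header_list_size=cap).decode(block)
        return False
    except HeaderListTooLarge:
        return True


@dataclass
class ConnectionTable:
    """Per-connection bytes retained for headers, with stall reaping."""
    stall_timeout: float
    retained: dict = field(default_factory=dict)   # conn_id -> (bytes, last_activity)

    def record(self, conn_id: str, nbytes: int, now: float) -> None:
        held, _ = self.retained.get(conn_id, (0, now))
        self.retained[conn_id] = (held + nbytes, now)

    def total(self) -> int:
        return sum(b for b, _ in self.retained.values())

    def reap_stalled(self, now: float):
        """Free memory held by connections idle longer than stall_timeout."""
        dead = [c for c, (_, last) in self.retained.items()
                if now - last > self.stall_timeout]
        for c in dead:
            del self.retained[c]
        return dead


if __name__ == "__main__":
    block = amplifying_block(4000, 500)
    wire, fields = HpackLikeDecoder(max_header_list_size=10**9).decode(block)
    print(f"wire bytes: {wire}, decoded bytes: {decoded_size(fields)}")
    print("rejected by a 16 KiB cap:", is_rejected(block, 16 * 1024))
```

In this model roughly 4.5 KB on the wire decodes to about 2 MB of header fields, which is the amplification the post refers to; a decoder that enforces the cap per field stops after a handful of fields, and the connection table shows why memory tied to connections that stop sending must be released on a timeout rather than held until the peer closes.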

 

Site & Scene News

Popular threads in this forum