CVE-2026-49975 HTTP/2 Bomb Critical DoS

A critical denial-of-service vulnerability, tracked as CVE-2026-49975, impacts multiple vendors' HTTP/2 implementations, including Apache httpd, NGINX, Microsoft IIS, Envoy, and Cloudflare Pingora. This "HTTP/2 Bomb" exploit uses a new combination of compression and slow-read techniques to trigger severe memory exhaustion on vulnerable servers. While a specific CVSS score for CVE-2026-49975 has not been publicly assigned, the reported impact on server resources indicates a critical severity.

Security firm Calif publicly disclosed full details and Proof-of-Concept (PoC) exploit code for this vulnerability on June 3, 2026. The widespread availability of this exploit code increases the immediate risk of active exploitation against unpatched systems. Organizations operating any of the affected web server platforms must prioritize remediation efforts to prevent service disruption.

This vulnerability allows a remote attacker to consume substantial server memory with minimal network traffic, potentially paralyzing enterprise data centers using basic internet connections. The attack bypasses traditional defense mechanisms designed to prevent out-of-bounds data payloads.

What is the HTTP/2 Bomb Vulnerability (CVE-2026-49975)?

The HTTP/2 Bomb vulnerability, CVE-2026-49975, is a denial-of-service exploit that combines two long-standing infrastructure manipulation techniques: a compression bomb and a Slowloris-style hold. The attack primarily targets HPACK, the header compression framework central to modern HTTP/2 protocol configurations. By exploiting HPACK, a malicious actor can transmit a single byte over the wire that expands into a significant memory allocation block on the receiving server. This amplification occurs due to the server's per-entry bookkeeping overhead for nearly empty headers, a mechanism that bypasses standard volumetric data payload filters.

The core of the attack involves sending specially crafted HTTP/2 headers that, despite their minimal wire size, force the server to allocate substantial memory for internal tracking. This process generates a high memory amplification ratio. The attacker maintains a zero-byte flow-control window for the connection, preventing the server from releasing the allocated memory. Tiny, periodic update signals are transmitted by the attacker to bypass standard connection timeouts, ensuring the memory remains pinned indefinitely. This sustained pressure pushes the host environment into heavy swap space cycles, leading to severe performance degradation rather than an immediate process crash, thereby increasing disruption.

Impact

The HTTP/2 Bomb exploit, tracked as CVE-2026-49975, is a serious threat, enabling attackers to achieve severe denial-of-service conditions through rapid memory exhaustion. The primary risk is the ability of a remote adversary to paralyze an unprotected enterprise data center using minimal resources, such as a basic home internet connection.

A single client exploiting this vulnerability against Apache httpd and Envoy could consume and hold 32GB of server memory in approximately 20 seconds. This level of resource consumption quickly overwhelms system capabilities, leading to heavy swap utilization and rendering legitimate user requests unresponsive. The attack's design, which uses a zero-byte flow-control window and periodic update signals, ensures that the consumed memory remains locked, preventing standard connection timeouts from resolving the issue.

The vulnerability affects the default configurations of most modern web servers. Shodan search parameters indicate that over 880,000 active public web portals currently expose the vulnerable HTTP/2 protocol configuration. Organizations whose services rely on HTTP/2-enabled web servers are at high risk of operational disruption, reputational damage, and financial losses due to service outages. The ability to induce such widespread and persistent resource exhaustion with minimal effort categorizes this vulnerability as high impact. Our prior analysis of a massive DDoS attack against a hosting provider illustrates similar widespread operational disruption.

Exploitation Chain

The exploitation of CVE-2026-49975 is initiated remotely over the HTTP/2 protocol. The attack does not require any prior authentication or special privileges. The primary preconditions for successful exploitation are the presence of a web server configured to use HTTP/2 and its susceptibility to the HPACK compression bomb and Slowloris-style hold techniques.

The attack vector involves two chained techniques:

  1. HPACK Compression Bomb: The attacker sends HTTP/2 headers that are very small in wire size but are crafted to trigger large memory allocations on the server. This occurs due to the server's internal bookkeeping for each header entry during decompression. The malicious headers cause an exponential expansion of memory usage.
  2. Slowloris-style Hold: Once memory is allocated, the attacker uses a zero-byte flow-control window and sends tiny, periodic data frames. This prevents the server from timing out the connection and releasing the consumed memory. The memory remains pinned, gradually driving the server into resource exhaustion and heavy swap utilization.

Public Proof-of-Concept (PoC) exploit scripts are now accessible online via the califio/publications/tree/main/MADBugs/http2-bomb repository. The availability of these scripts lowers the barrier for attackers to use this vulnerability. Automated intelligence systems can easily transform these public source differentials into active network payloads, indicating a high probability of widespread exploitation.

Affected Products and Versions

The HTTP/2 Bomb vulnerability, CVE-2026-49975, affects the default configurations of many modern web servers utilizing HTTP/2. The research specifically identifies the following platforms as vulnerable or having been assessed for the flaw:

  • Apache httpd: Affected. An emergency patch addressing CVE-2026-49975 was deployed on May 27, 2026. Prior versions are vulnerable.
  • NGINX: Affected. The NGINX open-source team integrated an advanced header counting directive into their latest software build to mitigate the issue. Versions prior to this update are vulnerable.
  • Envoy: Affected. As of the disclosure date, formal security updates for Envoy were not yet available.
  • Microsoft IIS: Affected. As of the disclosure date, formal security updates for Microsoft IIS were not yet available.
  • Cloudflare Pingora: Affected. As of the disclosure date, formal security updates for Cloudflare Pingora were not yet available.

The widespread nature of this vulnerability across different server implementations shows a fundamental issue within the HTTP/2 HPACK compression mechanism when combined with resource holding techniques. Organizations operating these unpatched systems remain exposed to severe denial-of-service attacks.

Detection

Detecting exploitation attempts related to CVE-2026-49975 requires monitoring for anomalous resource consumption and network traffic patterns on HTTP/2-enabled web servers. Due to the nature of the attack, which involves memory amplification with minimal incoming data, traditional signature-based detection focused on payload size may be insufficient.

Concrete detection guidance includes:

  • System Resource Monitoring:
  • Monitor the memory usage of web server processes (e.g., httpd, nginx, envoy, w3wp.exe). Look for sharp, sustained increases in Resident Set Size (RSS) or Virtual Memory Size (VSZ) without a corresponding increase in legitimate request volume or bandwidth.
  • Observe system-wide swap space utilization. A sudden and large increase in swap activity on a web server host, especially if persistent, is a strong indicator of memory exhaustion, potentially due to CVE-2026-49975 or similar resource starvation attacks.
  • Monitor CPU utilization, which may spike due to increased paging activity as the system struggles with memory pressure.
  • Network Flow Analysis:
  • Look for HTTP/2 connections that maintain a long duration but exhibit low data transfer rates after the initial connection establishment. This could indicate the Slowloris-style hold component of the attack.
  • Analyze HTTP/2 header frames. While difficult without deep packet inspection capabilities, patterns of numerous small header frames that lead to high server memory consumption should be investigated.
  • EDR/Host-based Telemetry:
  • EDR solutions can be configured to alert on web server processes consuming large amounts of memory (e.g., >80% of allocated memory, or sustained >X GB per process).
  • Monitor for instances where web server processes approach or hit defined ulimit or cgroup memory thresholds, indicating resource contention.
  • Log Signatures (Indirect):
  • While direct exploitation logs may not be immediately evident, application and system logs may show signs of service degradation, such as increased request latency, connection timeouts for legitimate users, or process restarts due to resource limits being hit.
  • Web access logs may show a high number of open connections from a single source IP that remain open for extended periods without much data exchange.

Organizations should prioritize the establishment of baseline resource usage for their HTTP/2 services to more readily identify deviations caused by this or similar attacks.

Remediation

Remediation for CVE-2026-49975 involves applying vendor-provided patches or implementing mitigating controls where patches are not yet available. Given the public availability of PoC exploit code, immediate action is advised.

  • Patching:
  • Apache httpd: Apply the emergency patch released on May 27, 2026, which addresses CVE-2026-49975. System administrators should consult Apache's official security advisories for specific version updates and instructions.
  • NGINX: Update to the latest software build that includes the advanced header counting directive. Refer to NGINX's official documentation and security announcements for updated versions.
  • Microsoft IIS, Envoy, Cloudflare Pingora: As of the disclosure date, formal security updates for these platforms were not publicly available. Organizations utilizing these products must implement the described workarounds and mitigations immediately.
  • Workarounds & Mitigations (for unpatched systems):
  • Disable HTTP/2 Protocol: If your operational environment can tolerate the protocol shift, reverting perimeter configurations to classic HTTP/1.1 protocols will completely eliminate the exploit path. This is a very effective, albeit potentially impactful, workaround. Our analysis of CVE-2026-23918 affecting Apache HTTP/2 offers more information on HTTP/2 vulnerabilities.
  • Implement Intermediate Gateway with Header Limits: Front vulnerable infrastructure with an intermediate gateway (e.g., a load balancer, WAF, or reverse proxy) that can enforce a strict maximum cap on incoming HTTP/2 header fields. This limits the potential for amplification of the attack.
  • Apply Strict Container Resource Constraints: For services running in containerized or virtualized environments, enforce strict memory limits using tools like Linux cgroups or ulimit. Configuring the kernel to terminate a malicious worker process quickly once it exceeds memory limits is a better failure mode than allowing an attacker to hold the entire machine at 95% resource utilization. This strategy prioritizes process isolation and system stability.
  • Monitoring: Continuously monitor system resources (CPU, memory, swap) and network traffic patterns on web servers for anomalies that could indicate an attempted or ongoing attack. Implement alerting for sudden spikes in memory usage or sustained low-bandwidth connections.

Organizations should review their architecture to determine the most appropriate and effective remediation strategy, prioritizing patching where available and implementing strong mitigations otherwise.

Technical Takeaways

  • CVE-2026-49975 is a critical HTTP/2 denial-of-service vulnerability using HPACK compression and Slowloris-style resource exhaustion.
  • The attack achieves high memory amplification, allowing a single client to consume tens of gigabytes of server memory (e.g., 32GB in 20 seconds for Apache httpd and Envoy).
  • Public Proof-of-Concept (PoC) exploit code is available, increasing the immediate risk of widespread exploitation.
  • The vulnerability affects major web server platforms, including Apache httpd, NGINX, Microsoft IIS, Envoy, and Cloudflare Pingora, with over 880,000 public web portals potentially exposed.
  • Remediation includes applying vendor patches (Apache and NGINX have released updates or directives) and implementing mitigations like disabling HTTP/2, enforcing header limits via gateways, or setting strict memory resource constraints.