CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
Disclosed 3 June via oss-security by researcher Calif, who discovered the bug using OpenAI's Codex (Calif/oss-security; deep-dived in the 2026-06-04 daily; NCSC-CH advisory 12610). The attack chains two HTTP/2 protocol weaknesses. First, the client seeds the server's HPACK dynamic header-compression table with one large entry and then sends thousands of single-byte indexed references to it; each reference costs one byte on the wire but decodes back into the full entry, so the server reconstructs a decoded header set far larger than what it received. Second, Slowloris-style connection holding keeps the connection, and therefore that memory, alive instead of letting it be freed. Measured amplification ratios at 32 GB RAM: Envoy ~5,700:1 (exhausted in ~10 s), Apache httpd ~4,000:1, nginx ~70:1. PoC public.

Patch status as of 7 June: nginx — fixed in 1.29.8 (http2_max_field_size directive); Apache mod_http2 — fixed in standalone v2.0.41 but not yet bundled into an httpd 2.4.x release, so it must be installed manually; Microsoft IIS, Envoy, Cloudflare Pingora — no patch. Researchers estimate over 880,000 public-facing servers exposed. No confirmed in-the-wild exploitation.

For defenders: upgrade nginx to ≥1.29.8; install standalone mod_http2 v2.0.41 on Apache until it is bundled; for IIS and Envoy, consider disabling HTTP/2 or applying WAF header-count limits until patches ship.
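The kind of bound a decoder needs against this amplification, as an added example that is not nginx, httpd or Envoy code and not the researcher's PoC: a minimal HPACK (RFC 7541) decoder that stops as soon as a header block's decoded name+value bytes exceed a budget, whatever the wire size. It assumes a static table cut down to three entries, omits Huffman strings and table-size updates, and the two sample blocks are constructed.

```python
# Added example (not nginx, httpd or Envoy code): a minimal HPACK decoder (RFC 7541)
# with a decoded-bytes budget, the generic mitigation for decompression bombs.
# Simplifications (assumptions): no Huffman strings, no table-size updates or
# eviction, and only three static-table entries.
STATIC = {1: (b":authority", b""), 2: (b":method", b"GET"), 3: (b":method", b"POST")}

def _int(buf, pos, prefix_bits):                 # RFC 7541 section 5.1 integer decoding
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    shift, more = 0, value == mask
    while more:                                  # continuation bytes carry 7 bits each
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift, more = shift + 7, bool(byte & 0x80)
    return value, pos

def _string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman strings unsupported (simplification)")
    length, pos = _int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length

def _lookup(idx, dynamic):                       # dynamic entries follow the 61 static ones
    return STATIC[idx] if idx < 62 else dynamic[idx - 62]

def decode_bounded(block, max_decoded, dynamic=None):
    """Decode one header block against a connection's dynamic table (pass the same
    list to persist it). Returns (accepted, decoded_bytes, headers)."""
    dynamic = [] if dynamic is None else dynamic
    headers, decoded, pos = [], 0, 0
    while pos < len(block):
        if block[pos] & 0x80:                        # indexed header field
            idx, pos = _int(block, pos, 7)
            name, value = _lookup(idx, dynamic)
        elif block[pos] & 0x40:                      # literal with incremental indexing
            idx, pos = _int(block, pos, 6)
            name, pos = (_lookup(idx, dynamic)[0], pos) if idx else _string(block, pos)
            value, pos = _string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("other representations omitted (simplification)")
        decoded += len(name) + len(value)
        if decoded > max_decoded:                    # the check that defuses the bomb
            return False, decoded, headers
        headers.append((name, value))
    return True, decoded, headers

# Constructed samples: a normal request, and a block that seeds the dynamic table
# with a 64-byte value and then replays it through one-byte index references.
NORMAL = b"\x82\x40\x05x-pad\x04abcd\xbe"
REPLAY = b"\x40\x05x-pad\x40" + b"A" * 64 + b"\xbe" * 4
```

With a 200-byte budget the normal block is accepted at 28 decoded bytes (14 on the wire), while the replay block is refused at 207 decoded bytes after only 76 wire bytes; a per-block or per-connection budget like this caps the ratio no matter how many references follow.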