ctipilot.ch

HTTP/2 Bomb — HPACK dynamic-table amplification + Slowloris stream-hold memory-exhaustion DoS vs nginx/Apache/IIS/Envoy/Pingora; nginx 1.29.8 & Apache mod_http2 2.0.41 patched, IIS/Envoy/Pingora unpatched at disclosure

cve · CVE-2026-49975

Coverage timeline
2
first 2026-06-01 → last 2026-06-10
Peak priority
high
1 high · 1 notable
Sources cited
8
7 hosts
Sections touched
2
deep-dive, weekly-vuln-rollup
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗

Impact TA0040

T1499Endpoint Denial of Service×1

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Evidence: 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗

T1499.004Endpoint Denial of Service: Application or System Exploitation×1

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Evidence: 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗

Story timeline

  1. 2026-06-04HTTP/2 Bomb (CVE-2026-49975): a single-connection memory-exhaustion DoS against every major web server
    deep-dive
  2. 2026-06-01CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server
    weekly-vuln-rollup

Where this entity is cited

  • weekly-vuln-rollup1
  • deep-dive1

Source distribution

  • attack.mitre.org2 (25%)
  • blog.calif.io1 (12%)
  • openwall.com1 (12%)
  • seclists.org1 (12%)
  • security-hub.ncsc.admin.ch1 (12%)
  • securityweek.com1 (12%)
  • thehackernews.com1 (12%)

explore in graph

Entries about HTTP/2 Bomb — HPACK dynamic-table amplification + Slowloris stream-hold memory-exhaustion DoS vs nginx/Apache/IIS/Envoy/Pingora; nginx 1.29.8 & Apache mod_http2 2.0.41 patched, IIS/Envoy/Pingora unpatched at disclosure (2)

2026-06-04 · view entry permalink →

HTTP/2 Bomb (CVE-2026-49975): a single-connection memory-exhaustion DoS against every major web server

The Codex research team (Calif) published HTTP/2 Bomb, assigned CVE-2026-49975, a remote denial-of-service that takes most major web servers offline from one connection in roughly ten seconds with no authentication and against their default HTTP/2 configuration (Calif/Codex, 2026-06-02). At disclosure the researcher counted 880,000+ public-facing servers with HTTP/2 enabled on affected software — a population that includes a large share of government web portals, citizen-facing services and reverse-proxy front ends.

Mechanics — two old primitives composed into one new amplifier. The attack chains two separately documented HTTP/2 behaviours (Calif/Codex, 2026-06-02). First, HPACK dynamic-table amplification: the attacker seeds the server's header-compression table with one large entry, then references it thousands of times per request using single-byte back-references, forcing the server to reconstruct a large header set in memory for each reference. Second, Slowloris-style stream holding: the attacker keeps every allocated stream open indefinitely with a continuous trickle of WINDOW_UPDATE frames, so the reconstructed memory is never freed. Combined, a single residential connection drove an Envoy instance to exhaust about 32 GB of RAM in ~10 s. The root cause is structural: RFC 7541 §7.3 bounds dynamic-table size via SETTINGS_HEADER_TABLE_SIZE but never caps the number of references per request independently of total size, and per-stream memory lifetime is unbounded while WINDOW_UPDATE activity continues — so no in-spec setting alone closes the gap.

Affected and patched versions (vendor-stated). nginx is fixed in 1.29.8, which introduces a new max_headers directive defaulting to 1000; Apache httpd is fixed in mod_http2 v2.0.41, shipped as a standalone module release and not yet folded into a 2.4.x release at disclosure (oss-security, 2026-06-03). At initial disclosure Microsoft IIS, Envoy and Cloudflare Pingora had no patch; a 3 June update to the disclosure notes Envoy has since shipped a fix (advisory GHSA-22m2-hvr2-xqc8), leaving Microsoft IIS and Cloudflare Pingora unpatched (Calif/Codex, 2026-06-02). The disclosure was deliberately timed after nginx shipped its fix; the researcher released publicly — with mitigations — assessing that the nginx/Apache commit diffs could be turned into a working exploit quickly, so defenders needed the mitigation guidance immediately.

ATT&CK. This is availability impact through a software-flaw resource-exhaustion path — T1499.004 Endpoint Denial of Service: Application or System Exploitation, reached over application-layer protocol abuse (T1071.001).

Hardening / mitigation, by stack. nginx: upgrade to 1.29.8+ (the max_headers cap is the structural fix) or, as a stop-gap, set http2 off;. Apache: apply the mod_http2 v2.0.41 standalone release, or set Protocols http/1.1 as an interim — note that lowering LimitRequestFields is not effective here because the cookie-crumb references never count against it; only LimitRequestFieldSize reduces per-stream blast radius. Envoy: apply its 3 June fix (advisory GHSA-22m2-hvr2-xqc8). Microsoft IIS / Cloudflare Pingora (still no vendor patch): disable HTTP/2 at the edge where feasible, and apply per-worker memory limits (cgroups / ulimit -v) so a bombed worker is OOM-killed before it exhausts the host (oss-security, 2026-06-03).

Hunt and detection concepts. The traffic signature is unusual: a spike in short HTTP/2 requests from a single source IP that drives per-worker memory consumption sharply upward while the connection count stays low relative to the memory pressure — the inverse of a classic volumetric flood (Calif/Codex, 2026-06-02). Watch for streams kept alive by WINDOW_UPDATE frames with no accompanying DATA frames, and instrument per-worker RSS so an anomalous single-connection memory climb pages before the host OOMs. No IOCs are warranted — the indicator is the behaviour, not an address.

The vulnerable behavior exists in each server's default HTTP/2 configuration

Calif/Codex

nginx: Upgrade to 1.29.8+, which adds the max_headers directive with a default of 1000.

oss-security mailing list
vulnerability04 Jun 05:00Zmulti-sourceOpen finding ↗

2026-06-01 · view entry permalink →

CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server

Disclosed 3 June via oss-security by researcher Calif, who discovered the bug using OpenAI's Codex (Calif/oss-security; deep-dived 2026-06-04 daily; NCSC-CH advisory 12610). The attack combines two HTTP/2 protocol weaknesses: seeding the server's HPACK dynamic header-compression table with a large entry then sending thousands of single-byte back-references forces massive decoded-size reconstruction, while Slowloris-style connection holding prevents memory from being freed. Measured amplification ratios at 32 GB RAM: Envoy ~5,700:1 (exhausted in ~10 s), Apache httpd ~4,000:1, nginx ~70:1. PoC public. Patch status as of 7 June: nginx — fixed in 1.29.8 (http2_max_field_size directive); Apache mod_http2 — fixed in standalone v2.0.41 but not yet bundled into an httpd 2.4.x release, requiring manual installation; Microsoft IIS, Envoy, Cloudflare Pingora — no patch. Researchers estimate over 880,000 public-facing servers exposed. No confirmed in-the-wild exploitation. For defenders: upgrade nginx ≥1.29.8; install standalone mod_http2 v2.0.41 on Apache until bundled; consider HTTP/2 disablement or WAF header-count limits for IIS and Envoy until patches ship.

vulnerability01 Jun 05:00Zmulti-sourceOpen finding ↗