ctipilot.ch


HTTP/2 Bomb (CVE-2026-49975): a single-connection memory-exhaustion DoS against every major web server

high · vulnerability · discovered 2026-06-04 05:00 UTC · deep dive

Part of run 2026-06-04-51b23ffa (intel · Claude Opus 4.8)

The Codex research team (Calif) published HTTP/2 Bomb, assigned CVE-2026-49975, a remote denial-of-service that takes most major web servers offline from one connection in roughly ten seconds with no authentication and against their default HTTP/2 configuration (Calif/Codex, 2026-06-02). At disclosure the researcher counted 880,000+ public-facing servers with HTTP/2 enabled on affected software — a population that includes a large share of government web portals, citizen-facing services and reverse-proxy front ends.

Mechanics — two old primitives composed into one new amplifier. The attack chains two separately documented HTTP/2 behaviours (Calif/Codex, 2026-06-02). First, HPACK dynamic-table amplification: the attacker seeds the server's header-compression table with one large entry, then references it thousands of times per request using single-byte back-references, forcing the server to reconstruct a large header set in memory for each reference. Second, Slowloris-style stream holding: the attacker keeps every allocated stream open indefinitely with a continuous trickle of WINDOW_UPDATE frames, so the reconstructed memory is never freed. Combined, a single residential connection drove an Envoy instance to exhaust about 32 GB of RAM in ~10 s. The root cause is structural: RFC 7541 §7.3 bounds dynamic-table size via SETTINGS_HEADER_TABLE_SIZE but never caps the number of references per request independently of total size, and per-stream memory lifetime is unbounded while WINDOW_UPDATE activity continues — so no in-spec setting alone closes the gap.

Affected and patched versions (vendor-stated). nginx is fixed in 1.29.8, which introduces a new max_headers directive defaulting to 1000; Apache httpd is fixed in mod_http2 v2.0.41, shipped as a standalone module release that had not yet been folded into a 2.4.x release at disclosure (oss-security, 2026-06-03). At initial disclosure Microsoft IIS, Envoy and Cloudflare Pingora had no patch; a 3 June update to the disclosure notes that Envoy has since shipped a fix (advisory GHSA-22m2-hvr2-xqc8), leaving Microsoft IIS and Cloudflare Pingora unpatched (Calif/Codex, 2026-06-02). The disclosure was deliberately timed after nginx shipped its fix; the researcher released publicly — with mitigations — on the assessment that the nginx/Apache commit diffs could be turned into a working exploit quickly, so defenders needed the mitigation guidance immediately.

ATT&CK. This is availability impact through a software-flaw resource-exhaustion path — T1499.004 Endpoint Denial of Service: Application or System Exploitation, reached over application-layer protocol abuse (T1071.001).

Hardening / mitigation, by stack. nginx: upgrade to 1.29.8+ (the max_headers cap is the structural fix) or, as a stop-gap, disable the protocol (http2 off;). Apache: apply the mod_http2 v2.0.41 standalone release, or set Protocols http/1.1 as an interim measure; note that lowering LimitRequestFields is not effective here because the repeated back-references never count against it, and only LimitRequestFieldSize reduces the per-stream blast radius. Envoy: apply its 3 June fix (advisory GHSA-22m2-hvr2-xqc8). Microsoft IIS / Cloudflare Pingora (still no vendor patch): disable HTTP/2 at the edge where feasible, and apply per-worker memory limits (cgroups / ulimit -v) so a bombed worker is OOM-killed before it exhausts the host (oss-security, 2026-06-03).
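The root cause in the mechanics paragraph (a table-size bound with no per-block reference bound) and the shape of the nginx fix above are easiest to see in a decoder. The following is an added example written for this brief, not code from Calif/Codex, nginx, Apache or any other vendor named here: a minimal HPACK decoder whose max_headers cap, class and function names, and sample bytes are all this example's own. The sample block is constructed, not captured traffic; it seeds the dynamic table with one 205-byte entry and then references it five times with single-byte indexed fields, which is enough to show the wire-to-memory ratio and how a field-count cap stops it where the byte-size setting alone cannot.

```python
"""Minimal HPACK (RFC 7541) decoder that caps the header fields it will rebuild
from one block.  Added example for this brief, not code from Calif/Codex, nginx
or Apache; max_headers and every name below are this example's own, mirroring
the kind of structural fix the brief attributes to nginx 1.29.8, not copying it.
Huffman strings and the static table are left out for brevity."""
from dataclasses import dataclass, field

STATIC_TABLE_LEN = 61   # RFC 7541 Appendix A; omitted here, so indices 1..61 are rejected

class HpackError(Exception): """Malformed or unsupported header block."""
class HeaderCountExceeded(HpackError): """More header fields than max_headers allows."""

def read_int(data: bytes, pos: int, prefix_bits: int) -> tuple:
    """Decode an RFC 7541 section 5.1 integer; returns (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while pos < len(data):
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise HpackError("truncated integer")

def read_string(data: bytes, pos: int) -> tuple:
    """Decode a section 5.2 string literal (raw octets only)."""
    huffman = bool(data[pos] & 0x80)
    length, pos = read_int(data, pos, 7)
    if huffman:
        raise HpackError("Huffman-coded strings not handled in this example")
    if pos + length > len(data):
        raise HpackError("truncated string")
    return bytes(data[pos:pos + length]), pos + length

@dataclass
class Decoder:
    max_table_size: int = 4096   # SETTINGS_HEADER_TABLE_SIZE bounds the bytes *stored*
    max_headers: int = 1000      # fields per block; RFC 7541 itself never bounds this
    dynamic: list = field(default_factory=list)   # most recently added entry first

    def _evict(self) -> None:    # section 4.1: an entry costs len(name) + len(value) + 32
        while sum(len(n) + len(v) + 32 for n, v in self.dynamic) > self.max_table_size:
            self.dynamic.pop()

    def _lookup(self, index: int) -> tuple:
        if index <= STATIC_TABLE_LEN:        # index 0 is never valid; 1..61 are static
            raise HpackError(f"index {index} invalid or in the omitted static table")
        offset = index - STATIC_TABLE_LEN - 1
        if offset >= len(self.dynamic):
            raise HpackError(f"dynamic index {index} out of range")
        return self.dynamic[offset]

    def _literal(self, block: bytes, pos: int, index: int) -> tuple:
        name, pos = read_string(block, pos) if index == 0 else (self._lookup(index)[0], pos)
        value, pos = read_string(block, pos)
        return name, value, pos

    def decode(self, block: bytes) -> list:
        """Decode one header block; raise HeaderCountExceeded past max_headers."""
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                   # 6.1 indexed field: one byte when index < 127
                index, pos = read_int(block, pos, 7)
                name, value = self._lookup(index)
            elif first & 0xC0 == 0x40:         # 6.2.1 literal with incremental indexing
                index, pos = read_int(block, pos, 6)
                name, value, pos = self._literal(block, pos, index)
                self.dynamic.insert(0, (name, value))
                self._evict()
            elif first & 0xE0 == 0x20:         # 6.3 dynamic table size update
                size, pos = read_int(block, pos, 5)
                if size > self.max_table_size:
                    raise HpackError("size update above negotiated limit")
                self.max_table_size = size
                self._evict()
                continue
            else:                              # 6.2.2 / 6.2.3 literal, not indexed
                index, pos = read_int(block, pos, 4)
                name, value, pos = self._literal(block, pos, index)
            headers.append((name, value))
            # The bound the brief says the spec lacks: stored bytes are capped above,
            # the number of references one block may make is not, so cap it here.
            if len(headers) > self.max_headers:
                raise HeaderCountExceeded(f"more than {self.max_headers} fields in one block")
        return headers

def amplification(block: bytes, headers: list) -> tuple:
    """(bytes on the wire, bytes reconstructed in memory) for a decoded block."""
    return len(block), sum(len(n) + len(v) for n, v in headers)

def rejects(block: bytes, cap: int) -> bool:
    """True if a decoder with the given cap refuses the block."""
    try:
        Decoder(max_headers=cap).decode(block)
        return False
    except HeaderCountExceeded:
        return True

# Constructed sample block, not captured traffic: one literal adds a 205-byte entry
# ("x-pad" = 200 x 'A') to the dynamic table, then five one-byte indexed references
# (0xBE = 0x80 | 62) each pull the whole entry back out.
SAMPLE_BLOCK = b"\x40\x05x-pad\x7f\x49" + b"A" * 200 + b"\xbe" * 5
```

Decoding SAMPLE_BLOCK with the defaults yields six fields: 214 bytes arrived on the wire and 1,230 bytes were reconstructed, and every additional 0xBE would add another 205 bytes for one more byte of input. A decoder with max_headers=4 rejects the same block after the fourth field, before the table has done any more work; the 4,096-byte table bound is never exceeded in either case, which is the gap the brief describes.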

Hunt and detection concepts. The traffic signature is unusual: a spike in short HTTP/2 requests from a single source IP that drives per-worker memory consumption sharply upward while the connection count stays low relative to the memory pressure — the inverse of a classic volumetric flood (Calif/Codex, 2026-06-02). Watch for streams kept alive by WINDOW_UPDATE frames with no accompanying DATA frames, and instrument per-worker RSS so an anomalous single-connection memory climb pages before the host OOMs. No IOCs are warranted — the indicator is the behaviour, not an address.
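The stream-holding signature described above, expressed as a check over a connection's raw client-to-server frames, as an added example written for this brief rather than code from Calif/Codex or any server vendor. It assumes you can see the frame stream after the connection preface (a TLS-terminating proxy or a decrypted capture); the min_updates threshold, the function names and the sample frames are constructed here, and the HEADERS payloads are tiny indexed-only HPACK blocks that the code does not decode.

```python
"""Flag HTTP/2 streams that are opened, never finished, carry no request body
and keep receiving WINDOW_UPDATE frames.  Added example for this brief, not
code from Calif/Codex or any vendor; thresholds and names are this example's
own and the sample bytes are constructed, not captured.  Input is the raw
client-to-server byte stream after the 24-byte connection preface."""
import struct

# RFC 7540 frame type codes and flag bits used here
DATA, HEADERS, SETTINGS, WINDOW_UPDATE = 0x0, 0x1, 0x4, 0x8
END_STREAM, END_HEADERS = 0x1, 0x4
FRAME_HEADER = 9          # length(24) | type(8) | flags(8) | R(1) + stream id(31)

def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used only to build the constructed sample below."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data: bytes) -> list:
    """Split a byte stream into (type, flags, stream_id, payload) tuples.
    Stops at a truncated final frame instead of guessing at it."""
    frames, pos = [], 0
    while pos + FRAME_HEADER <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        end = pos + FRAME_HEADER + length
        if end > len(data):
            break
        frames.append((ftype, flags, stream_id, data[pos + FRAME_HEADER:end]))
        pos = end
    return frames

def held_streams(frames: list, min_updates: int = 3) -> list:
    """Stream ids opened with HEADERS, never ended, with no DATA, and fed at
    least min_updates WINDOW_UPDATE frames (min_updates is an example value)."""
    opened, ended, data_seen, updates = set(), set(), set(), {}
    for ftype, flags, sid, _ in frames:
        if sid == 0:                       # connection-level frames are not streams
            continue
        if ftype == HEADERS:
            opened.add(sid)
        if ftype == DATA:
            data_seen.add(sid)
        if ftype in (HEADERS, DATA) and flags & END_STREAM:
            ended.add(sid)
        if ftype == WINDOW_UPDATE:
            updates[sid] = updates.get(sid, 0) + 1
    return sorted(sid for sid in opened
                  if sid not in ended and sid not in data_seen
                  and updates.get(sid, 0) >= min_updates)

def summary(frames: list) -> dict:
    """Per-connection counters worth exporting next to per-worker RSS: many
    HEADERS and WINDOW_UPDATE frames against few DATA frames is the brief's shape."""
    counts = {"frames": len(frames), "headers": 0, "data": 0, "window_update": 0}
    for ftype, _, sid, _ in frames:
        if sid and ftype == HEADERS:
            counts["headers"] += 1
        elif ftype == DATA:
            counts["data"] += 1
        elif ftype == WINDOW_UPDATE:
            counts["window_update"] += 1
    return counts

# Constructed sample: one client connection after the preface.  Stream 1 is a
# normal GET; stream 3 is opened and then only fed WINDOW_UPDATEs; stream 5
# opens, sends a body and ends.  HEADERS payloads are minimal indexed-only
# HPACK blocks (static-table references) and are not decoded here.
SAMPLE_STREAM = b"".join([
    frame(SETTINGS, 0, 0),
    frame(HEADERS, END_HEADERS | END_STREAM, 1, b"\x82\x84"),
    frame(HEADERS, END_HEADERS, 3, b"\x83\x84"),
    frame(HEADERS, END_HEADERS, 5, b"\x83\x84"),
    frame(WINDOW_UPDATE, 0, 3, struct.pack("!I", 1)),
    frame(DATA, END_STREAM, 5, b"name=value"),
    frame(WINDOW_UPDATE, 0, 3, struct.pack("!I", 1)),
    frame(WINDOW_UPDATE, 0, 0, struct.pack("!I", 65535)),
    frame(WINDOW_UPDATE, 0, 3, struct.pack("!I", 1)),
    frame(WINDOW_UPDATE, 0, 3, struct.pack("!I", 1)),
])
```

Run over SAMPLE_STREAM, held_streams returns [3]: stream 1 ended in its HEADERS frame and stream 5 carried a body, so only stream 3 matches. In practice this check is worth correlating with the per-worker RSS metric the paragraph above asks for, since a handful of held streams on one connection is normal and the signal is held streams plus a memory climb from that same connection.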

“The vulnerable behavior exists in each server's default HTTP/2 configuration” — Calif/Codex

“nginx: Upgrade to 1.29.8+, which adds the max_headers directive with a default of 1000.” — oss-security mailing list

vulnerabilities · dos · poc-public · no-patch · global · CVE-2026-49975