
HTTP/2 Bomb (CVE-2026-49975) drops nginx, Apache, IIS, Envoy

Calif researchers crash 32 GB of Envoy memory in seconds with one connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.


A new remote denial-of-service technique against HTTP/2 servers, dubbed HTTP/2 Bomb, was published on 2 June 2026 by the discovery team at security firm Calif, with the Apache variant assigned CVE-2026-49975. One TCP connection from a residential link is enough to consume tens of gigabytes of server memory in under a minute. Affected stacks include nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The discoverer's full write-up is at blog.calif.io; Stefan Eissing's coordinated disclosure to Apache is on oss-security. Secondary coverage by SecurityWeek, The Hacker News, and the French outlet Korben corroborates the impact.

What the bug does

HTTP/2 Bomb chains two known primitives that were each individually considered benign:

  1. HPACK header-table amplification. A single seed header insert causes the server to allocate large per-entry bookkeeping. Subsequent requests reference that one entry, so a few bytes on the wire map to a large heap allocation server-side. Per-request decoded-size limits never trigger because almost nothing is actually decoded.
  2. Zero-window flow-control hold. The client advertises a 0-byte HTTP/2 flow-control window for the response stream, so the server cannot send and cannot free the memory it has reserved.

The combined ratio is brutal: Calif measured 5,700:1 amplification against Envoy, with 32 GB of server memory consumed in roughly 10 seconds. Apache crashed in under 20 seconds; nginx and IIS in under a minute. Calif's Shodan census put the publicly reachable, vulnerable surface at over 880,000 servers.

Affected versions

  • Apache httpd: mod_http2 versions prior to 2.0.41 (the bug lies in the multiplexer's cookie-fragment accounting against LimitRequestFields). Disclosed privately to Apache on 27 May 2026; Stefan Eissing committed the fix the same day at apache/httpd@47d3100. At the time of public disclosure the fix had not yet rolled into a tagged 2.4.x release.
  • nginx: all versions prior to 1.29.8. The fix adds a new max_headers directive, defaulting to 1000.
  • Microsoft IIS, Envoy, Cloudflare Pingora: no patch at the time of public disclosure. Maintainers were notified per Calif's writeup.

Reproducible verification

Calif published the PoC and analysis under califio/publications/MADBugs/http2-bomb. The vulnerable header pattern is HPACK literal-with-incremental-indexing followed by indexed references over a zero-window stream — straightforward to reproduce against a default Apache 2.4.66 + mod_http2 install.

A coarse Shodan filter for Apache HTTP/2-enabled servers is:

product:"Apache httpd" "alpn"

This does not on its own confirm vulnerability — the bug requires mod_http2 enabled under a multi-threaded MPM (worker, event). Single-threaded MPM prefork is not affected.

Action checklist

  1. nginx: upgrade to 1.29.8 today. The new ceiling (max_headers 1000;) is on by default; if you tuned large_client_header_buffers upward, re-evaluate.
  2. Apache httpd: deploy mod_http2 v2.0.41 from the standalone module release. If you are pinned to the distribution package and have no mod_http2 upgrade path, disable HTTP/2 for now — either remove the Protocols h2 h2c directive or switch the MPM to prefork, which is not vulnerable.
  3. IIS, Envoy, Pingora: no fix as of this post. The pragmatic mitigations are (a) disable HTTP/2 at the edge, (b) front the service with a patched nginx or Apache, or (c) enforce a strict per-connection header-count cap at your WAF or L7 proxy.
  4. Lower the connection-memory ceiling. Whatever your server, set a hard per-connection memory cap (cgroups v2 memory.max on the worker process tree, or ulimit -v) so that one abusive flow cannot drag the host into OOM.
  5. Re-baseline alerting. A 32-GB blip from a single peer in 10 seconds is the signature. If your RUM and APM dashboards do not surface "single-source memory anomaly" as a class, this is the week to add it.
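As an added example (not Calif's code and not any vendor's), a small POSIX sh helper that maps an nginx or mod_http2 version onto the affected-versions list above and prints the matching checklist step. The fixed versions are the ones this post names; the version strings in the sample run are constructed.

```shell
#!/bin/sh
# Added example, not from Calif or any vendor: classify an nginx or
# mod_http2 version against the fixed versions the article names
# (nginx 1.29.8, mod_http2 2.0.41) and print the matching checklist step.
# Version strings passed in below are constructed; on a real host feed
# the output of `nginx -v` or the installed mod_http2 package version.

# version_ge A B -> exit 0 if dotted numeric version A >= B, else 1.
# Compared field by field; missing trailing fields count as 0, and a
# suffix such as "66-deb" is read as its leading number (66).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i + 0; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 > b[i] + 0) exit 0
                if (a[i] + 0 < b[i] + 0) exit 1
            }
            exit 0
        }'
}

# h2bomb_status COMPONENT VERSION -> patched | vulnerable | unpatched-stack | unknown
h2bomb_status() {
    case "$1" in
        nginx)     version_ge "$2" 1.29.8 && echo patched || echo vulnerable ;;
        mod_http2) version_ge "$2" 2.0.41 && echo patched || echo vulnerable ;;
        iis|envoy|pingora) echo unpatched-stack ;;   # no fix at disclosure time
        *)         echo unknown ;;
    esac
}

# h2bomb_advice COMPONENT VERSION -> one-line action taken from the checklist
h2bomb_advice() {
    status=$(h2bomb_status "$1" "$2")
    case "$1:$status" in
        nginx:vulnerable)     echo "upgrade to nginx 1.29.8 (max_headers 1000 is then on by default)" ;;
        mod_http2:vulnerable) echo "deploy mod_http2 2.0.41, or drop 'Protocols h2 h2c' / use MPM prefork" ;;
        *:unpatched-stack)    echo "disable HTTP/2 at the edge or front with patched nginx/Apache" ;;
        *:patched)            echo "no upgrade needed; still set a per-connection memory cap" ;;
        *)                    echo "unknown component; check the vendor advisory" ;;
    esac
}

# Constructed sample run
for pair in "nginx 1.26.3" "nginx 1.29.8" "mod_http2 2.0.40" "envoy 1.30.0"; do
    set -- $pair
    printf '%-10s %-8s %s\n' "$1" "$2" "$(h2bomb_advice "$1" "$2")"
done
```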

Context

HTTP/2 Bomb is the third memory-side DoS class against the protocol in three years. HTTP/2 Rapid Reset (CVE-2023-44487) used RST_STREAM frame floods to exhaust per-stream state; the Continuation flood of 2024 exhausted the same surface via unterminated CONTINUATION frames. Calif's twist is the use of HPACK's own bookkeeping as the amplifier, with flow control turned into a hold instead of an accelerator. The pattern is now recognisable enough that any HTTP/2 stack should have a single, enforced ceiling on total per-connection state, applied before any per-frame check. Stacks that do not — IIS, Envoy, Pingora — get to relearn this each cycle.

The Calif disclosure is also notable for crediting an LLM agent ("Codex") with the initial bug discovery. The pattern matched by the model — amplification + hold — is the same shape humans found in Rapid Reset; the novelty is that the chain across HPACK and flow control was found in about an hour of agent runtime. Expect more of this. Defenders' bar moves up accordingly.
