HTTP/2 Bomb (CVE-2026-49975) drops nginx, Apache, IIS, Envoy
Calif researchers crash 32 GB of Envoy memory in seconds with one connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.