
HTTP/2 servers HPACK flow-control denial-of-service (DoS) flaw (CVE-2026-49975)

Vulnerability

Summary


HTTP/2 servers were found vulnerable to the HTTP/2 Bomb DoS weakness, in which HPACK compression amplification combined with HTTP/2 flow-control stalling lets a single client exhaust server memory and knock services offline. The flaw affects default deployments of NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. PoC exploits are already public, and the attack can force servers to fail within seconds. Fixes exist in nginx 1.29.8 and Apache httpd mod_http2 2.0.41; Apache's issue was assigned CVE-2026-49975.

Related Happenings

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and in Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First: 16.04.2026 01:35 Last: 16.04.2026 01:35 Sources 1

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Exploitation Wave
First: 02.04.2026 11:25 Last: 02.04.2026 11:25 Sources 1

About this happening: As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...

Timeline

  1. 03.06.2026 22:08 2 articles

    HTTP/2 Bomb DoS flaw exposes major web servers to rapid memory exhaustion

    Initial Disclosure

    Researchers disclosed HTTP/2 Bomb, a denial-of-service weakness that combines HPACK compression amplification with HTTP/2 flow-control stalling to exhaust server memory and make vulnerable web servers inaccessible within seconds. The technique was shown against default HTTP/2 configurations in NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora, with tests reporting 32 GB exhaustion on Envoy 1.37.2 in about 10 seconds, 32 GB on Apache httpd 2.4.67 in about 18 seconds, 32 GB on nginx 1.29.7 in about 45 seconds, and 64 GB on IIS in about 45 seconds. Proof-of-concept exploits were already public; fixes were available in nginx 1.29.8 and Apache httpd mod_http2 2.0.41, while no patch was available at the time for IIS, Envoy, or Pingora.
