NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 configurations. The recommended response is to upgrade NGINX to 1.29.8+ or disable HTTP/2, while Apache HTTPD should move to mod_http2 v2.0.41 or fall back to Protocols http/1.1. The guidance is aimed at reducing memory exhaustion and service unavailability on exposed web servers.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
NGINX had two critical web server vulnerabilities, CVE-2026-42530 and CVE-2026-42055, that can let remote unauthenticated attackers trigger remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: NGINX had two critical web server vulnerabilities, CVE-2026-42530 and CVE-2026-42055, that can let remote unauthenticated attackers trigger remote code execution...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
H score34
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
How related:
The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.
About this happening:
Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseHow related: The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.
About this happening: Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
Vulnerability
H score26
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
How related:
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.
About this happening:
HTTP/2 servers were found vulnerable to the HTTP/2 Bomb DoS weakness, where HPACK compression amplification plus HTTP/2 flow-control stalling lets a single client...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
VulnerabilityHow related: A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.
About this happening: HTTP/2 servers were found vulnerable to the HTTP/2 Bomb DoS weakness, where HPACK compression amplification plus HTTP/2 flow-control stalling lets a single client...
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
Vulnerability
H score39
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
How related:
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
About this happening:
Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
VulnerabilityHow related: Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
About this happening: Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
Timeline
-
03.06.2026 11:33 3 articles · 1mo ago
Calif issues HTTP/2 Bomb mitigations for NGINX and Apache HTTPD
Mitigation Patch UpdateCalif recommends mitigations for HTTP/2 Bomb by upgrading NGINX to 1.29.8+ to add max_headers with a default of 1000, or disabling HTTP/2 with http2 off; if upgrading is not an option. For Apache HTTPD, the guidance is to upgrade mod_http2 to v2.0.41 or set Protocols http/1.1 to disable HTTP/2, while Microsoft IIS, Envoy, and Cloudflare Pingora are listed as having no patch available as of writing.
Show sources
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — thehackernews.com — 03.06.2026 11:33
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — thehackernews.com — 03.06.2026 11:33
- New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute — www.bleepingcomputer.com — 03.06.2026 22:08