Find notable cyber news and cases, enriched with sources, timelines, and signals.

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
First reported
Last updated
Happening score
H score 46
2 unique sources, 2 articles

Summary

Hide ▲

Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 configurations. The recommended response is to upgrade NGINX to 1.29.8+ or disable HTTP/2, while Apache HTTPD should move to mod_http2 v2.0.41 or fall back to Protocols http/1.1. The guidance is aimed at reducing memory exhaustion and service unavailability on exposed web servers.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: NGINX had two critical web server vulnerabilities, CVE-2026-42530 and CVE-2026-42055, that can let remote unauthenticated attackers trigger remote code execution...

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release
H score34 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...

Nginx security patch release for CVE-2026-49975

Security Patch Release
H score42 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

How related: The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.

About this happening: Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29...

HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)

Vulnerability
H score26 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

How related: A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.

About this happening: HTTP/2 servers were found vulnerable to the HTTP/2 Bomb DoS weakness, where HPACK compression amplification plus HTTP/2 flow-control stalling lets a single client...

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
H score39 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.

About this happening: Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy,...

Timeline

  1. 03.06.2026 11:33 3 articles · 1mo ago

    Calif issues HTTP/2 Bomb mitigations for NGINX and Apache HTTPD

    Mitigation Patch Update

    Calif recommends mitigations for HTTP/2 Bomb by upgrading NGINX to 1.29.8+ to add max_headers with a default of 1000, or disabling HTTP/2 with http2 off; if upgrading is not an option. For Apache HTTPD, the guidance is to upgrade mod_http2 to v2.0.41 or set Protocols http/1.1 to disable HTTP/2, while Microsoft IIS, Envoy, and Cloudflare Pingora are listed as having no patch available as of writing.

    Show sources