
NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
Happening score: 14
1 unique source, 1 article

Summary


Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 configurations. The recommended response is to upgrade NGINX to 1.29.8+ or disable HTTP/2, while Apache HTTPD should move to mod_http2 v2.0.41 or fall back to Protocols http/1.1. The guidance is aimed at reducing memory exhaustion and service unavailability on exposed web servers.

Related Happenings

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.

About this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)

Vulnerability
First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: **CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...

F5 security patch release for CVE-2026-42945

Security Patch Release
First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...

Latest development: 17.05.2026 14:57

VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying its honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.

Active web traffic hijacking campaign targeting NGINX and Baota panels

Campaign
First: 05.02.2026 06:56 Last: 05.02.2026 06:56 Sources 1

About this happening: An active **web traffic hijacking campaign** is targeting **NGINX** installations and **Baota (BT)** management panels, putting legitimate site traffic at risk of redirection thro...

Timeline

  1. 03.06.2026 11:33 (2 articles)

    Calif issues HTTP/2 Bomb mitigations for NGINX and Apache HTTPD

    Mitigation Patch Update

    Calif recommends mitigating HTTP/2 Bomb on NGINX by upgrading to 1.29.8+, which adds the max_headers directive with a default of 1000, or, if upgrading is not an option, by disabling HTTP/2 with http2 off. For Apache HTTPD, the guidance is to upgrade mod_http2 to v2.0.41 or to set Protocols http/1.1, which disables HTTP/2. Microsoft IIS, Envoy, and Cloudflare Pingora are listed as having no patch available at the time of writing.

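The two mitigation paths described in the summary and in the timeline entry above (upgrade past the fixed version, or turn HTTP/2 off in the config) can be turned into a fleet audit. The shell script below is an added example, not code from the Calif advisory or from the NGINX or Apache HTTPD projects: given the running NGINX version plus its config, or the mod_http2 version plus the httpd config, it reports whether a server is patched, has HTTP/2 disabled, or is still exposed. It assumes the fixed versions the page states (NGINX 1.29.8 with its new max_headers directive, mod_http2 2.0.41), that NGINX serves HTTP/2 only via http2 on or the older listen ... http2 flag, and that Apache offers HTTP/2 only when a Protocols line lists h2 or h2c (its default being http/1.1). The config snippets and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Calif advisory or from the NGINX/Apache
# projects. Audits NGINX and Apache HTTPD against the HTTP/2 Bomb mitigations:
#   NGINX:  >= 1.29.8 (adds max_headers, default 1000)  OR  http2 off
#   Apache: mod_http2 >= 2.0.41                          OR  Protocols http/1.1
# Fixed versions are taken from the page; the sample configs are constructed.

NGINX_FIXED=1.29.8
MOD_HTTP2_FIXED=2.0.41

# version_ge A B: succeed when dotted numeric version A >= B.
# Done in awk so it also works where 'sort -V' is unavailable.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# nginx_h2_on FILE: succeed when the config still serves HTTP/2, i.e. it has
# 'http2 on;' (1.25.1+) or the older 'listen ... http2' flag, and no 'http2 off;'.
nginx_h2_on() {
    if grep -Eq '^[[:space:]]*http2[[:space:]]+off[[:space:]]*;' "$1"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*(http2[[:space:]]+on[[:space:]]*;|listen[^;]*[[:space:]]http2)' "$1"
}

# apache_h2_on FILE: succeed when a Protocols line offers h2 or h2c.
# Without a Protocols line Apache only speaks http/1.1 (assumed default).
apache_h2_on() {
    grep -Eq '^[[:space:]]*Protocols([[:space:]].*)?[[:space:]]h2c?([[:space:]]|$)' "$1"
}

# nginx_verdict VERSION FILE: prints patched | h2-disabled | vulnerable
nginx_verdict() {
    if version_ge "$1" "$NGINX_FIXED"; then
        echo patched          # per the advisory, 1.29.8 adds max_headers (default 1000)
    elif nginx_h2_on "$2"; then
        echo vulnerable       # upgrade to 1.29.8+ or add 'http2 off;'
    else
        echo h2-disabled
    fi
}

# apache_verdict MOD_HTTP2_VERSION FILE: the same verdicts for Apache HTTPD
apache_verdict() {
    if version_ge "$1" "$MOD_HTTP2_FIXED"; then
        echo patched
    elif apache_h2_on "$2"; then
        echo vulnerable       # upgrade mod_http2 to 2.0.41 or set 'Protocols http/1.1'
    else
        echo h2-disabled
    fi
}

# --- constructed sample configs: the weak setting beside the mitigated one ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/nginx-weak.conf" <<'EOF'
server {
    listen 443 ssl;
    http2 on;
    server_name example.test;
}
EOF

cat > "$TMP/nginx-mitigated.conf" <<'EOF'
server {
    listen 443 ssl;
    http2 off;
    server_name example.test;
}
EOF

printf 'Protocols h2 http/1.1\n' > "$TMP/httpd-weak.conf"
printf 'Protocols http/1.1\n'    > "$TMP/httpd-mitigated.conf"

echo "nginx 1.27.4, http2 on:           $(nginx_verdict 1.27.4 "$TMP/nginx-weak.conf")"
echo "nginx 1.27.4, http2 off:          $(nginx_verdict 1.27.4 "$TMP/nginx-mitigated.conf")"
echo "nginx 1.29.8, http2 on:           $(nginx_verdict 1.29.8 "$TMP/nginx-weak.conf")"
echo "mod_http2 2.0.40, Protocols h2:   $(apache_verdict 2.0.40 "$TMP/httpd-weak.conf")"
echo "mod_http2 2.0.40, http/1.1 only:  $(apache_verdict 2.0.40 "$TMP/httpd-mitigated.conf")"
echo "mod_http2 2.0.41, Protocols h2:   $(apache_verdict 2.0.41 "$TMP/httpd-weak.conf")"
```

In practice the version arguments come from nginx -v and the mod_http2 build (for example from httpd -M output or the distribution package), and the config paths from the live include tree rather than a single file; the verdict logic itself does not change. Note that the script only tells you which of the two paths applies: it does not confirm that a patched build was actually restarted, which is the usual gap after a hot upgrade.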