Nginx security patch release for CVE-2026-49975

Security Patch Release
Happening score
H score 42
1 unique sources, 1 articles

Summary

Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29.8 and Apache httpd mod_http2 2.0.41, and Apache's fix was assigned CVE-2026-49975. The release reduces exposure for affected HTTP/2 deployments and leaves unpatched platforms dependent on mitigations such as disabling HTTP/2 or enforcing hard header-count limits.

Related Happenings

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: The problem was fixed in nginx version 1.29.8, which added a 'max_headers' directive, and in Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.

About this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

F5 security patch release for CVE-2026-42945

Security Patch Release
First: 14.05.2026 09:00 Last: 14.05.2026 09:00 Sources 1

About this happening: F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...

Latest development: 17.05.2026 14:57

VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.

cPanel security patch release for CVE-2026-29201

Security Patch Release
First: 09.05.2026 10:16 Last: 09.05.2026 10:16 Sources 1

About this happening: **cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...

Timeline

  1. 03.06.2026 22:08 2 articles · 2h ago

    nginx 1.29.8 and Apache httpd mod_http2 2.0.41 fix HTTP/2 Bomb

    Mitigation Patch Update

    nginx 1.29.8 added the max_headers directive to reduce exposure to HTTP/2 Bomb memory exhaustion, and Apache httpd mod_http2 2.0.41 received the CVE-2026-49975 fix. Unpatched IIS, Envoy, and Pingora deployments still require mitigations such as disabling HTTP/2 where feasible and enforcing hard header-count limits with a proxy or firewall.
