Find notable cyber news and cases, enriched with sources, timelines, and signals.

Nginx security patch release for CVE-2026-49975

Security Patch Release
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29.8 and Apache httpd mod_http2 2.0.41, and Apache's fix was assigned CVE-2026-49975. The release reduces exposure for affected HTTP/2 deployments and leaves unpatched platforms dependent on mitigations such as disabling HTTP/2 or enforcing hard header-count limits.

Related Happenings

F5 security patch release for CVE-2026-42530

Security Patch Release
H score39 First: 18.06.2026 20:32 Last: 18.06.2026 20:32 Sources 1

About this happening: F5 released security updates for NGINX Open Source after finding two critical vulnerabilities that could lead to remote code execution on affected systems. The pat...

F5 NGINX out-of-band security updates (multiple vulnerabilities)

Security Patch Release
H score34 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.

About this happening: Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
H score21 First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
H score23 First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

About this happening: F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces...

Timeline

  1. 03.06.2026 22:08 2 articles · 1mo ago

    nginx 1.29.8 and Apache httpd mod_http2 2.0.41 fix HTTP/2 Bomb

    Mitigation Patch Update

    nginx 1.29.8 added the max_headers directive to reduce exposure to HTTP/2 Bomb memory exhaustion, and Apache httpd mod_http2 2.0.41 received the CVE-2026-49975 fix. Unpatched IIS, Envoy, and Pingora deployments still require mitigations such as disabling HTTP/2 where feasible and enforcing hard header-count limits with a proxy or firewall.

    Show sources