Nginx security patch release for CVE-2026-49975
Security Patch Release
Summary
Hide ▲
Show ▼
Vendors released fixes for the HTTP/2 Bomb DoS issue, closing a path that could let a single client exhaust server memory within seconds. The patch set covers nginx 1.29.8 and Apache httpd mod_http2 2.0.41, and Apache's fix was assigned CVE-2026-49975. The release reduces exposure for affected HTTP/2 deployments and leaves unpatched platforms dependent on mitigations such as disabling HTTP/2 or enforcing hard header-count limits.
Related Happenings
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
F5 released security updates for NGINX Open Source after finding two critical vulnerabilities that could lead to remote code execution on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: F5 released security updates for NGINX Open Source after finding two critical vulnerabilities that could lead to remote code execution on affected systems. The pat...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch Release
H score34
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...
F5 NGINX out-of-band security updates (multiple vulnerabilities)
Security Patch ReleaseAbout this happening: F5 released out-of-band security updates for NGINX after finding multiple web server vulnerabilities, including two critical flaws that could enable remote code...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
How related:
The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.
About this happening:
Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationHow related: The problem was fixed in nginx version 1.29.8, which added a ‘max_headers’ directive, and on Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.
About this happening: Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
H score21
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch ReleaseAbout this happening: Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
H score23
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/MitigationAbout this happening: F5 issued a workaround for vulnerable NGINX rewrite rules, reducing exposure to CVE-2026-42945 for operators who cannot upgrade immediately. The guidance replaces...
Timeline
-
03.06.2026 22:08 2 articles · 1mo ago
nginx 1.29.8 and Apache httpd mod_http2 2.0.41 fix HTTP/2 Bomb
Mitigation Patch Updatenginx 1.29.8 added the max_headers directive to reduce exposure to HTTP/2 Bomb memory exhaustion, and Apache httpd mod_http2 2.0.41 received the CVE-2026-49975 fix. Unpatched IIS, Envoy, and Pingora deployments still require mitigations such as disabling HTTP/2 where feasible and enforcing hard header-count limits with a proxy or firewall.
Show sources
- New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute — www.bleepingcomputer.com — 03.06.2026 22:08
- New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute — www.bleepingcomputer.com — 03.06.2026 22:08