Full Report
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. [...]
Analysis Summary
# Vulnerability: HTTP/2 Bomb (Resource Exhaustion DoS)
## CVE Details
- **CVE ID:** CVE-2026-49975 (Specific to Apache httpd mod_http2)
- **CVSS Score:** Not yet finalized (Estimated High/Critical for Availability)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)
## Affected Systems
- **Products:**
  - Apache HTTP Server (mod_http2)
  - NGINX
  - Microsoft IIS (Windows Server 2025)
  - Envoy Proxy
  - Cloudflare Pingora
- **Versions:**
  - Apache httpd prior to mod_http2 2.0.41
  - NGINX prior to version 1.29.8
  - Envoy 1.37.2 (and likely earlier)
  - Microsoft IIS on Windows Server 2025 (current versions at time of report)
- **Configurations:** Default HTTP/2 configurations that allow HPACK dynamic table updates and standard flow-control management.
## Vulnerability Description
The "HTTP/2 Bomb" is a denial-of-service attack that combines **HPACK compression amplification** with **HTTP/2 flow-control stalling**.
1. **Amplification:** The attacker inserts a small header into the HPACK dynamic table and references it repeatedly within a request. Because the server must allocate memory for per-header bookkeeping, a 1-byte indexed representation can trigger thousands of bytes in server-side allocation (up to 5,700:1 ratio).
2. **Persistence:** The attacker advertises a zero-byte flow-control window. This prevents the server from sending a response and completing the request cycle. By sending periodic tiny `WINDOW_UPDATE` frames, the attacker keeps the connection alive, forcing the server to hold the massively amplified memory allocation indefinitely.
## Exploitation
- **Status:** PoC available (Published by Calif researchers).
- **Complexity:** Low (Can be executed from a single machine with a standard 100 Mbps connection).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Server crash or total unresponsiveness due to RAM exhaustion).
## Remediation
### Patches
- **NGINX:** Upgrade to version **1.29.8** (introduces the `max_headers` directive).
- **Apache HTTP Server:** Upgrade to `mod_http2` version **2.0.41**.
- **Envoy/IIS/Pingora:** No official patches were available at the time of the report; users should monitor vendor security advisories.
### Workarounds
- **Disable HTTP/2:** If not business-critical, disabling HTTP/2 prevents the attack.
- **Upstream Protection:** Place the server behind a Content Delivery Network (CDN), Web Application Firewall (WAF), or a reverse proxy that enforces strict header-count limits.
- **Resource Limiting:** Implement hard limits on the number of headers allowed per request at the infrastructure level.
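As an added example (not code from the Calif report, the PoC repository or any vendor), the Python decoder below shows how the amplification described above arises and how the per-request header cap called for in the workarounds bounds it: a single dynamic-table insertion followed by one-byte indexed references expands to a full entry per reference until the assumed `MAX_HEADERS` limit stops decoding. `MAX_HEADERS`, `ENTRY_OVERHEAD` and `SAMPLE_BLOCK` are assumptions or constructed data, not values from the page.

```python
# Minimal HPACK decoder with a per-block header cap. Added example, not the page's
# or any vendor's code; it models only the representations behind the amplification
# above (Huffman strings, the static table and eviction are out of scope).
STATIC_TABLE_SIZE = 61  # RFC 7541 static table; dynamic entries start at 62
ENTRY_OVERHEAD = 32     # RFC 7541 section 4.1 bookkeeping estimate per entry
MAX_HEADERS = 100       # assumed cap, not any vendor's default

def _read_int(data: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    """RFC 7541 section 5.1 integer with an N-bit prefix; returns (value, pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    shift, more = 0, value == mask            # continuation bytes carry 7 bits each
    while more:
        b, pos = data[pos], pos + 1
        value, shift, more = value + ((b & 0x7F) << shift), shift + 7, bool(b & 0x80)
    return value, pos

def _read_string(data: bytes, pos: int) -> tuple[bytes, int]:
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings not modelled")
    length, pos = _read_int(data, pos, 7)
    return data[pos:pos + length], pos + length

def decode_header_block(block: bytes, max_headers: int = MAX_HEADERS):
    """Return (header_count, decoded_bytes, rejected); stops at the cap."""
    dynamic: list[tuple[bytes, bytes]] = []   # newest entry first (section 2.3.2)
    count = decoded = pos = 0
    while pos < len(block):
        if count >= max_headers:              # the hard limit the workaround calls for
            return count, decoded, True
        if block[pos] & 0x80:                 # indexed field: one byte on the wire
            idx, pos = _read_int(block, pos, 7)
            if idx <= STATIC_TABLE_SIZE:
                raise ValueError("static-table references not modelled")
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif block[pos] & 0xC0 == 0x40:       # literal with incremental indexing
            idx, pos = _read_int(block, pos, 6)
            if idx:
                raise ValueError("indexed names not modelled")
            name, pos = _read_string(block, pos)
            value, pos = _read_string(block, pos)
            dynamic.insert(0, (name, value))  # the single insertion that seeds the table
        else:
            raise ValueError("representation not modelled")
        count += 1
        decoded += len(name) + len(value) + ENTRY_OVERHEAD  # what the server must hold
    return count, decoded, False

# Constructed sample: 7-byte insertion of "x-a: y", then 200 refs (0xBE = 0x80 | 62)
SAMPLE_BLOCK = b"\x40\x03x-a\x01y" + b"\xbe" * 200
```

The 32-byte per-entry figure is only the RFC 7541 accounting estimate, so this model yields roughly 35:1; real server bookkeeping per header is larger, which is why the report's observed ratio is far higher.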
## Detection
- **Indicators of Compromise:**
  - Rapid, unexplained spikes in server RAM usage (e.g., 32 GB+ exhausted in under 60 seconds).
  - Large numbers of long-lived HTTP/2 connections with zero-byte flow-control windows.
  - Out-of-memory (OOM) errors in server logs.
- **Detection methods and tools:** Monitor for Slowloris-style HTTP/2 behavior aimed at HPACK table management: connections that send header blocks dense with dynamic-table references, then hold a zero-byte flow-control window open with periodic small `WINDOW_UPDATE` frames.
## References
- **Calif Blog:** hxxps://blog[.]calif[.]io/p/codex-discovered-a-hidden-http2-bomb
- **PoC Repository:** hxxp://github[.]com/califio/publications/tree/main/MADBugs/http2-bomb
- **BleepingComputer:** hxxps://www[.]bleepingcomputer[.]com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/