- apache
- http2
- dos
- cve
- hpack
news
Apache HTTP/2 Bomb DoS (CVE-2026-49975)
Single-connection HPACK bomb plus flow-control stall can exhaust gigabytes of RAM; public PoC indexed on Sploitus.
Summary
CVE-2026-49975 (also tracked as QVD-2026-30962) is an HTTP/2 protocol-layer denial-of-service that combines an HPACK indexed-reference bomb with flow-control window stalling. A single unauthenticated TLS connection can trigger massive server-side memory allocation, with reported amplification ratios of roughly 4,000:1 on Apache httpd and 5,700:1 on Envoy. A full reproduction guide and Python PoC are indexed on Sploitus.
Research credit: Quang Luong (Calif). OFFSITE.DARK references Sploitus as the index source, not as exploit publisher.
Technical Details
Stage 1 — HPACK bomb
HPACK (RFC 7541) stores headers in a dynamic table; senders reference prior entries with 1-byte indices. Classic HPACK bombs stuffed large values and hit "maximum decoded size" limits. This variant inserts almost-empty headers into the dynamic table, then repeatedly references them:
- Each reference triggers per-entry bookkeeping allocation (~70–5,700 bytes depending on server)
- Decoded-size limits never trigger because there is almost nothing to decode
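To make the Stage 1 mechanics concrete, here is a toy HPACK decoder written for this article (not Apache's, nginx's or the PoC author's code): it decodes a constructed block of one tiny literal followed by one-byte indexed references, tracks produced octets against a size-style limit, and shows that only a header-count limit of the LimitRequestFields / max_headers kind named under Mitigation rejects the block. The 70-byte per-entry bookkeeping cost and the 8192-octet size limit are assumed illustrative figures.

```python
STATIC_TABLE_ENTRIES = 61           # RFC 7541 Appendix A: indices 1..61 are static
BOOKKEEPING_BYTES_PER_HEADER = 70   # assumed per-entry cost (page range: ~70-5,700)

class HeaderBlockRejected(Exception):
    """Raised when a decoding limit would be exceeded."""

def _read_int(data, pos, prefix_bits):
    """RFC 7541 section 5.1 integer: N-bit prefix plus 7-bit continuation bytes."""
    limit = (1 << prefix_bits) - 1
    value, pos = data[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def _read_string(data, pos):
    """RFC 7541 section 5.2 string literal; Huffman-coded (H bit) strings not modelled."""
    if data[pos] & 0x80: raise HeaderBlockRejected("Huffman literal not modelled")
    length, pos = _read_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def decode_block(block, max_decoded_octets=8192, max_headers=None):
    """Decode indexed (1xxxxxxx) and literal-with-incremental-indexing (0x40 + literal name)
    fields. max_decoded_octets caps produced octets; max_headers caps the field count."""
    dynamic, headers, decoded_octets, pos = [], [], 0, 0   # dynamic table: newest first
    while pos < len(block):
        if block[pos] & 0x80:                                # indexed: 1 byte for index < 127
            index, pos = _read_int(block, pos, 7)
            if index <= STATIC_TABLE_ENTRIES: raise HeaderBlockRejected("static table not modelled")
            name, value = dynamic[index - STATIC_TABLE_ENTRIES - 1]
        elif block[pos] == 0x40:                             # literal, added to dynamic table
            name, pos = _read_string(block, pos + 1)
            value, pos = _read_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise HeaderBlockRejected("representation not modelled")
        headers.append((name, value))                        # every field costs bookkeeping
        decoded_octets += len(name) + len(value)
        if decoded_octets > max_decoded_octets: raise HeaderBlockRejected("decoded size limit")
        if max_headers is not None and len(headers) > max_headers: raise HeaderBlockRejected("header count limit")
    return headers, len(block), len(headers) * BOOKKEEPING_BYTES_PER_HEADER

def constructed_bomb_block(references):
    """Constructed sample: one 1-octet header entered into the dynamic table, then
    `references` one-byte indexed references to it (dynamic index 62 = 0x80 | 62)."""
    return bytes([0x40, 0x01, ord("x"), 0x00]) + bytes([0x80 | 62]) * references
```

With 4000 references the block is 4004 wire bytes, produces only 4001 decoded octets (well under the size limit) yet costs about 70 times its wire size in bookkeeping; the same block with max_headers=1000 is rejected at the 1001st field.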
Stage 2 — Window stall
Attacker sets SETTINGS_INITIAL_WINDOW_SIZE=0, pinning server memory, then sends periodic 1-byte WINDOW_UPDATE frames to reset timeout timers and hold allocations indefinitely.
| Server | Amplification | Demo (reported) | Fix |
|---|---|---|---|
| Apache httpd 2.4.67 + mod_http2 | ~4,000:1 | ~32 GB in ~18 s | mod_http2 v2.0.41 |
| Envoy 1.37.2 | ~5,700:1 | ~32 GB in ~10 s | Check vendor |
| nginx (bookkeeping) | ~70:1 per ref | varies | 1.29.8+ (max_headers) |
Indexed PoC usage:
python3 exploit.py target.com 443 --threads 50 --streams 30 --headers 16374 --hold 60
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-49975 |
| CVSS | 7.5 (High) / some advisories cite 9.8 for worst-case |
| CWE | CWE-400 — Uncontrolled Resource Consumption |
| Component | Apache mod_http2, HTTP/2 stacks generally |
| Sploitus date | 2026-06-13 |
Impact
Availability only — no confidentiality or integrity impact. A single connection (or modest parallel connections) can exhaust worker memory, causing slow responses, connection refusal, and OOM kills on reverse proxies and origin servers with HTTP/2 enabled. High-traffic sites with HTTP/2 on by default are primary targets.
Mitigation
- Apache: upgrade mod_http2 to v2.0.41+; Cookie headers are counted in `LimitRequestFields` per the vendor fix.
- nginx: upgrade to 1.29.8+ and enforce `max_headers` (default 1000).
- Temporary: disable HTTP/2 and fall back to HTTP/1.1 at the load balancer until patched.
- Rate-limit concurrent HTTP/2 connections and header table growth at CDN/WAF layers where supported.
- Monitor worker RSS spikes and hung HTTP/2 streams during incident response.