CVE-2026-49975: HTTP/2 Bomb Attack Can Knock Web Servers Offline in Seconds

SOC Prime Team

A newly disclosed denial-of-service vulnerability, tracked as CVE-2026-49975, shows how long-known HTTP/2 weaknesses can still be chained into a highly effective modern attack. SecurityWeek reports that researchers at Calif demonstrated an HTTP/2 Bomb exploit capable of knocking major web servers offline within seconds by combining a compression bomb with a Slowloris-style hold that prevents the server from releasing memory.

According to the report, the attack can potentially impact more than 880,000 websites that support HTTP/2 and run default configurations of NGINX, Apache HTTP Server, Microsoft IIS, Envoy, or Cloudflare Pingora. Calif also said the attack can be launched from a home computer on a 100 Mbps connection and still render affected servers unavailable in seconds.

CVE-2026-49975 analysis

SecurityWeek explains that the attack is not built on a single new flaw, but on a chain of known denial-of-service techniques. The first stage relies on HPACK Bomb, tracked as CVE-2016-6581, which abuses HTTP/2 header compression so that very small messages expand into extremely large memory-consuming structures on the destination server. The article notes that this technique was demonstrated against Apache HTTPD last year with a 4,000x amplification rate, and Apache addressed that issue in version 2.4.64 as CVE-2025-53020.

The second stage abuses CVE-2016-8740 and CVE-2016-1546, two HTTP/2 Slowloris-style issues tied to continuation frames and manipulated flow-control windows. As described by SecurityWeek, attackers can advertise a zero-byte flow-control window, preventing the server from sending a response, and then reset the send timeout so memory allocations remain pinned instead of being freed.

What makes this variant notable is that, according to Calif’s explanation quoted by SecurityWeek, the amplification does not come from a large decoded header value. Instead, it comes from the per-entry bookkeeping the server allocates around nearly empty headers, meaning traditional decoded-size limits may not stop the attack because there is “almost nothing to decode.” The report also says Calif found a bypass for servers that cap the header-field count and released proof-of-concept code to demonstrate the attack.

CVE-2026-49975 Mitigation

SecurityWeek reports that NGINX resolved the bug in April, while Apache rolled out fixes in late May and assigned CVE-2026-49975. At the time of reporting, Microsoft IIS, Envoy, and Cloudflare Pingora had not yet been patched.

From a practical defense standpoint, the clearest short-term priority is to identify internet-facing systems using default HTTP/2 configurations and verify whether they are running patched software. Since the article does not publish specific IOCs or deep detection telemetry, the most realistic approach is to focus on exposed HTTP/2 services, rapid memory spikes, and sudden service instability consistent with memory exhaustion. That last point is a defensive inference based on the attack behavior described in the SecurityWeek report.
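The behaviour described above (tiny inbound messages, thousands of nearly empty header fields held in per-entry bookkeeping, and a response stuck behind a zero-byte flow-control window) can be turned into a connection-level triage heuristic. The following is an added example written for this page, not code from Calif, SecurityWeek, or any of the affected vendors. The telemetry line format, the field names (hdr_mem_bytes, decoded_bytes, hdr_entries, send_window, stalled_s) and the thresholds are constructed assumptions: real servers expose different counters, and the sample lines were written to show the three signals side by side.

```python
"""
Heuristic triage for HTTP/2 connection telemetry, modelled on the attack
behaviour described in the SecurityWeek/Calif report: very small inbound
messages that pin large header allocations behind a zero-byte send window.

Added example; the log format, field names and thresholds are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: one telemetry line per open HTTP/2 connection.
#   rx_bytes       bytes received from the peer on this connection
#   hdr_entries    header fields the server is currently holding
#   decoded_bytes  total decoded name+value bytes across those fields
#   hdr_mem_bytes  memory the server has allocated for header state
#   send_window    peer-advertised flow-control window for the response
#   stalled_s      seconds a ready response has waited on that window
SAMPLE_LOG = """\
conn=1 peer=203.0.113.10 rx_bytes=8192 hdr_entries=24 decoded_bytes=2100 hdr_mem_bytes=6000 send_window=65535 stalled_s=0
conn=2 peer=198.51.100.7 rx_bytes=610 hdr_entries=5200 decoded_bytes=5200 hdr_mem_bytes=1400000 send_window=0 stalled_s=41
conn=3 peer=192.0.2.44 rx_bytes=1500 hdr_entries=40 decoded_bytes=3900 hdr_mem_bytes=9000 send_window=0 stalled_s=2
conn=4 peer=198.51.100.9 rx_bytes=540 hdr_entries=4800 decoded_bytes=4800 hdr_mem_bytes=1300000 send_window=0 stalled_s=39
"""

# Thresholds are assumptions chosen for the sample; tune them to your own baselines.
AMPLIFICATION_RATIO = 50   # header memory held per byte actually received
MIN_ENTRIES = 1000         # header-field count that is suspicious on its own
MAX_AVG_DECODED = 4        # avg decoded bytes per field: "almost nothing to decode"
STALL_SECONDS = 30         # response stuck behind a zero-byte window this long

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """Turn one key=value telemetry line into a dict; integer fields become ints."""
    record: Dict[str, object] = {}
    for key, value in _KV.findall(line):
        record[key] = int(value) if value.lstrip("-").isdigit() else value
    return record


def assess(conn: Dict[str, object]) -> List[str]:
    """Return the heuristic flags raised by a single connection record."""
    flags: List[str] = []
    rx = max(int(conn["rx_bytes"]), 1)          # avoid division by zero
    entries = int(conn["hdr_entries"])
    # Signal 1: memory held grows far faster than bytes received (compression bomb).
    if int(conn["hdr_mem_bytes"]) / rx >= AMPLIFICATION_RATIO:
        flags.append("amplification")
    # Signal 2: many fields with almost no decoded content, which a
    # decoded-size cap alone would not catch (per-entry bookkeeping cost).
    if entries >= MIN_ENTRIES and int(conn["decoded_bytes"]) / entries <= MAX_AVG_DECODED:
        flags.append("near-empty-headers")
    # Signal 3: zero-byte window holding a ready response (Slowloris-style hold).
    if int(conn["send_window"]) == 0 and int(conn["stalled_s"]) >= STALL_SECONDS:
        flags.append("zero-window-hold")
    return flags


def _records(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def triage(log_text: str) -> Dict[int, List[str]]:
    """Map connection id -> flags for every connection that raised at least one."""
    findings: Dict[int, List[str]] = {}
    for conn in _records(log_text):
        flags = assess(conn)
        if flags:
            findings[int(conn["conn"])] = flags
    return findings


def pinned_fraction(log_text: str) -> float:
    """Share of all header memory held by connections stuck behind a zero-byte window."""
    total = pinned = 0
    for conn in _records(log_text):
        mem = int(conn["hdr_mem_bytes"])
        total += mem
        if int(conn["send_window"]) == 0 and int(conn["stalled_s"]) >= STALL_SECONDS:
            pinned += mem
    return pinned / total if total else 0.0


if __name__ == "__main__":
    for cid, flags in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn {cid}: {', '.join(flags)}")
    print(f"header memory pinned behind stalled windows: {pinned_fraction(SAMPLE_LOG):.1%}")
```

Connection 3 in the sample is a slow but honest client: its window is briefly zero, its field count is small, and it raises no flag. Connections 2 and 4 raise all three flags at once, which is the combination worth alerting on; any single signal on its own is common enough in normal traffic that it should only contribute to a score, not page anyone.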

FAQ

What is CVE-2026-49975 and how does it work?

CVE-2026-49975 is the Apache-assigned identifier for a denial-of-service attack chain that combines an HPACK-based compression bomb with an HTTP/2 Slowloris-style hold. The result is rapid memory exhaustion that can make vulnerable servers unavailable within seconds.

When was CVE-2026-49975 first discovered?

The SecurityWeek article does not provide a private discovery date. It does say the exploit was dubbed HTTP/2 Bomb, was discovered using OpenAI’s Codex, and that NGINX fixed the issue in April while Apache released fixes in late May.

What is the impact of CVE-2026-49975 on systems?

The main impact is denial of service. SecurityWeek says the exploit can exhaust server memory and knock major web servers offline in seconds, even when launched from a relatively modest home internet connection.

Can CVE-2026-49975 still affect me in 2026?

Yes. Systems can still be exposed in 2026 if they run vulnerable default HTTP/2 configurations, especially on products that had not yet been patched at the time of the report, including Microsoft IIS, Envoy, and Cloudflare Pingora.

How can I protect myself from CVE-2026-49975?

Apply available vendor fixes, review whether your web stack uses default HTTP/2 settings, and prioritize internet-facing servers for verification. Based on the attack behavior described in SecurityWeek, monitoring for abnormal memory consumption and abrupt service degradation is also a sensible interim defensive step.
