HTTP/2 Bomb (CVE-2026-49975): How One Connection Crashes nginx, Apache and IIS

CVE-2026-49975, the HTTP/2 Bomb, lets a single connection exhaust server memory and crash nginx, Apache, IIS, Envoy and Cloudflare Pingora. Here's how the attack works, who's patched, and what to do this week.

Waqas Ahmed Waseer, Jun 30, 2026

A single laptop on a home broadband line can now knock a production web server offline in seconds. That is the practical reality of CVE-2026-49975, nicknamed the HTTP/2 Bomb, a denial-of-service flaw that lets one connection exhaust a server's memory and crash nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. It was publicly disclosed on June 2, 2026, and the Cloud Security Alliance estimated more than 880,000 public-facing websites are exposed. If you run anything that speaks HTTP/2, this is a patch-now item.

The good news: nginx and Apache already have fixes. The catch is that the most common server, IIS, had no patch at disclosure, and Apache's fix had not yet reached the package managers most teams rely on. Here is what the HTTP/2 Bomb is, how it works, who is exposed, and exactly what to do this week.

What is the HTTP/2 Bomb?

The HTTP/2 Bomb is a memory-exhaustion denial-of-service attack against HTTP/2 implementations. The clever part is that it chains two techniques that have each been public for roughly a decade. Neither is a bug on its own, but combined they let an attacker amplify a trickle of traffic into gigabytes of server-side memory allocation from a single TCP connection.

Apache assigned the attack chain the identifier CVE-2026-49975. The root cause is a gap between two limits most servers treat as the same thing: the maximum decoded header size and the maximum header count. Most implementations enforced a cap on total header bytes but never capped how many individual header fields a single request could reference, and that omission is what the attack abuses.

How the attack works

The exploit stitches together a compression bomb and a connection stall:

  • HPACK indexed-reference bomb. HTTP/2 compresses headers with HPACK, which keeps a dynamic table of previously seen headers so they can be referenced by a one-byte index. An attacker seeds the table with one large header, then sends thousands of single-byte references to it. Each tiny reference forces the server to allocate the full decoded header, 70 to 4,000 bytes per reference depending on the implementation.
  • HTTP/2 window stall. The client advertises a zero-byte flow-control window so the response can never finish, then sends periodic window updates to reset idle timeouts. This pins the allocated memory open indefinitely instead of letting the server reclaim it.

The result is a slow-motion Slowloris with an amplification multiplier bolted on. The server keeps allocating, never frees, and falls over.

Which servers are affected

The amplification ratio, meaning how many bytes of server memory each attacker byte buys, varies wildly by implementation. The figures below come from the researcher's published testing; treat them as directional rather than guarantees for your specific build and config.

Server                 Amplification   Time to exhaust ~32 GB   Patch status (June 2026)
Envoy 1.37.2           ~5,700:1        ~10 seconds              Patched June 3, 2026
Apache httpd 2.4.67    ~4,000:1        ~18 seconds              Fixed in mod_http2 2.0.41+ (May 27)
nginx 1.29.7           ~70:1           ~45 seconds              Patched in 1.29.8
Microsoft IIS          ~68:1           ~45 seconds              No patch at disclosure

A couple of takeaways. First, even the "low" ratios are catastrophic: 70:1 still means a home connection saturates server RAM in under a minute. Second, the nginx finding was disclosed to the project in April 2026 and patched the next day by adding a max_headers directive (defaulting to 1,000), while Apache shipped its fix on May 27 by making cookie headers count against LimitRequestFields. IIS, Envoy, and Cloudflare Pingora were confirmed vulnerable, and IIS in particular had no fix available the day the details went public.

An AI found this one, and that matters

The HTTP/2 Bomb did not come out of a traditional fuzzing run. According to the disclosure, an AI coding agent, Codex, surfaced the chain by reading public server code and recognizing that two well-documented, individually harmless techniques could be combined into something dangerous. As the researcher put it, "both halves have been public for a decade" — the novelty was the connection, not the components.

That is the part defenders should sit with. The slow, painstaking work of noticing that limit A and limit B interact badly is exactly the kind of pattern-matching large models are now good at, and the discoverer presented the finding at Stanford's Real World AI Security conference. We have written before about AI agents introducing new security exposure; the HTTP/2 Bomb is the other side of that coin: AI as the thing finding decade-old flaws faster than humans audited them. Expect more recombination-style vulnerabilities to land this year, and expect the window between disclosure and public proof-of-concept to keep shrinking. A working PoC for this one was on GitHub within days.

What to do this week

You do not need to wait for a vendor advisory to act. A short triage:

  1. Inventory your HTTP/2 surface. Anything terminating HTTP/2 counts: origin servers, reverse proxies, ingress controllers, and load balancers. Container images pinned to old base versions are the usual blind spot.
  2. Patch what has a fix. Move nginx to 1.29.8 or later and Apache to mod_http2 2.0.41 or later. Note that Apache's fix may not yet be in your distribution's apt/yum repos, so you may need the standalone module rather than waiting on the package.
  3. Mitigate what does not. For IIS or anything unpatched, the blunt option is to disable HTTP/2 (the http2 off; directive in nginx, Protocols http/1.1 in Apache) and fall back to HTTP/1.1 until a fix lands. Performance takes a small hit; an outage is worse.
  4. Cap headers and memory independently. Enforce a hard maximum header count, not just total size, and bound per-worker memory with cgroups or container limits so one connection cannot starve the host.
  5. Lean on the edge. WAF and CDN vendors moved fast: HAProxy, Imperva, and Fortinet published rules within days. If you front your origin with a managed edge, a virtual patch there buys time while you fix the origin itself. This is one more argument for the layered, identity-and-edge posture we covered in our zero-trust migration guide.
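The root-cause description above (a byte cap that was never paired with a field-count cap) and step 4 (cap headers and memory independently) describe the same check, so here is one worked model of it. This is an added example written for this article, not code from nginx, Apache, IIS, Envoy or Pingora, and it does not implement real HPACK wire encoding: header-block instructions are plain tuples, and the Limits defaults, the field names and the constructed input sizes are assumptions chosen to make the arithmetic visible.

```python
"""Toy model of HPACK dynamic-table decoding (added example, not server code).

It models the gap the article describes: pre-patch decoders bounded the size
of each decoded field and of the dynamic table, but never the *number* of
fields one header block could reference. Instructions are plain tuples, not
real HPACK wire encoding (an assumption of this model):
  ("literal", name, value)  emit a header and insert it into the dynamic table
  ("indexed", i)            emit dynamic-table entry i (1 = most recently added)
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Header = Tuple[str, str]
Instr = tuple  # ("literal", name, value) or ("indexed", index)

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: a table entry costs name + value + 32


class HeaderBlockRejected(Exception):
    """Raised when a header block exceeds a configured limit."""


@dataclass(frozen=True)
class Limits:
    max_table_bytes: int = 4096        # SETTINGS_HEADER_TABLE_SIZE default
    max_field_bytes: int = 8192        # cap on one decoded field (assumed value)
    max_fields: Optional[int] = None   # cap on field count; None = unbounded (pre-patch)


def decode(block: Sequence[Instr], limits: Limits) -> Tuple[List[Header], int, int]:
    """Decode a header block and return (headers, wire_bytes, decoded_bytes).

    wire_bytes approximates what the client sent; decoded_bytes is what the
    server must hold for the request. Raises HeaderBlockRejected on any limit.
    """
    table: List[Header] = []   # newest entry first, as in RFC 7541
    table_bytes = 0
    headers: List[Header] = []
    wire_bytes = decoded_bytes = 0

    for instr in block:
        kind = instr[0]
        if kind == "literal":
            _, name, value = instr
            entry_size = len(name) + len(value) + ENTRY_OVERHEAD
            if entry_size > limits.max_field_bytes:
                raise HeaderBlockRejected("single header field too large")
            # Evict oldest entries until the new one fits (RFC 7541 section 4.4).
            while table and table_bytes + entry_size > limits.max_table_bytes:
                old_name, old_value = table.pop()
                table_bytes -= len(old_name) + len(old_value) + ENTRY_OVERHEAD
            if entry_size <= limits.max_table_bytes:
                table.insert(0, (name, value))
                table_bytes += entry_size
            header: Header = (name, value)
            wire_bytes += len(name) + len(value) + 2   # payload plus two length prefixes
        elif kind == "indexed":
            _, index = instr
            if not 1 <= index <= len(table):
                raise HeaderBlockRejected("index outside dynamic table")
            header = table[index - 1]
            wire_bytes += 1   # an indexed reference is one byte on the wire
        else:
            raise HeaderBlockRejected(f"unknown instruction {kind!r}")

        headers.append(header)
        decoded_bytes += len(header[0]) + len(header[1])
        # The check the article says was missing: bound the count, not only the bytes.
        if limits.max_fields is not None and len(headers) > limits.max_fields:
            raise HeaderBlockRejected(f"more than {limits.max_fields} header fields")

    return headers, wire_bytes, decoded_bytes


def reference_heavy_block(field_size: int, references: int) -> List[Instr]:
    """Constructed input: one large literal followed by N one-byte references to it."""
    return [("literal", "x-pad", "a" * field_size)] + [("indexed", 1)] * references


def amplification(block: Sequence[Instr], limits: Limits) -> float:
    """Decoded bytes the server holds per byte received on the wire."""
    _, wire, decoded = decode(block, limits)
    return decoded / wire


def rejects(block: Sequence[Instr], limits: Limits) -> bool:
    """True if the decoder refuses the block under these limits."""
    try:
        decode(block, limits)
    except HeaderBlockRejected:
        return True
    return False


if __name__ == "__main__":
    heavy = reference_heavy_block(field_size=4000, references=10_000)
    normal = [("literal", "host", "example.com"), ("literal", "accept", "*/*"), ("indexed", 2)]
    print(f"pre-patch limits: amplification ~{amplification(heavy, Limits()):.0f}:1")
    print("max_fields=1000, heavy block rejected:", rejects(heavy, Limits(max_fields=1000)))
    print("max_fields=1000, normal block rejected:", rejects(normal, Limits(max_fields=1000)))
```

Under the pre-patch Limits() every per-field and per-table check passes, yet one block of ten thousand one-byte references leaves the server holding a few thousand decoded bytes per wire byte. The same block is refused as soon as max_fields is set, which is the shape of the nginx max_headers and Apache LimitRequestFields changes the article names. Note the cap is per request; it does nothing about the window-stall half of the attack, which is why step 4 also asks for a per-worker memory bound.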

FAQ

Is the HTTP/2 Bomb being exploited in the wild? As of late June 2026, the public record describes mass exposure (880,000+ public-facing websites) and a working proof-of-concept on GitHub, but the primary risk is opportunistic DoS rather than data theft. Treat the PoC's existence as the trigger to patch; exploitation is trivial once code is public.

Does disabling HTTP/2 actually fix it? Yes, as a stopgap. The flaw lives in HTTP/2's HPACK and flow-control mechanics, so falling back to HTTP/1.1 removes the attack surface entirely. You lose multiplexing performance, which is a reasonable trade for an unpatched server.

Is Cloudflare's Pingora affected? It was listed among the confirmed-vulnerable implementations at disclosure. Cloudflare-fronted sites benefit from edge-level mitigations, but if you run Pingora yourself, apply the vendor's guidance directly.

My site is behind a CDN; am I safe? Mostly, if the CDN terminates HTTP/2 and has deployed mitigations. But your origin can still be hit directly if its IP is exposed, so patch the origin and lock it down to accept connections only from your edge.

