Critical "HTTP/2 Bomb" Vulnerability in Apache HTTP Server Exploited in Proof-of-Concept Attack
A proof-of-concept (PoC) exploit has been released for a severe Denial of Service (DoS) vulnerability in Apache HTTP Server, identified as CVE-2026-49975 and dubbed the "HTTP/2 Bomb." The flaw enables unauthenticated remote attackers to exhaust server memory and disrupt services, posing a major risk to unpatched Apache deployments.
The vulnerability resides in Apache’s HTTP/2 request-handling mechanism, where multiple cookie header fields are merged without proper enforcement of the LimitRequestFields directive. Attackers can craft a small, HPACK-encoded HTTP/2 request that decompresses into an excessive number of cookie headers, forcing the server to allocate memory repeatedly. By leveraging HTTP/2 flow control (setting the initial window size to zero), attackers stall response transmission, keeping streams open indefinitely and preventing memory release. This creates a sustained memory exhaustion condition, leading to service disruption.
All Apache HTTP Server versions from 2.4.17 through 2.4.67 are affected. The issue has been patched in version 2.4.68 and later.
The PoC exploit, published on GitHub (EQSTLab/CVE-2026-49975), demonstrates the attack using a Python-based script in a Dockerized environment with an 8 GB memory limit. Key attack parameters include:
- Connections and streams (e.g., 10 connections × 100 streams)
- HPACK references (up to 4,091 header table references to maximize expansion)
- Flow control hold (initial window set to 0, stalling transmission for up to 300 seconds)
- Drip-feeding (releasing 1 byte every 2 seconds to keep streams active)
During testing, memory usage in the Apache container surged and remained elevated, confirming successful exploitation. A successful attack results in remote DoS, excessive memory consumption, and degraded or failed service for legitimate users, all without requiring privileged access.
Organizations are advised to upgrade to Apache HTTP Server 2.4.68 or later, or to disable HTTP/2 temporarily if patching is not immediately feasible. Monitoring for anomalous memory growth in web server processes can serve as an early detection measure.
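As an added, defender-side example (not code from the article or from the EQSTLab repository), the following Python script implements the two checks the advisory points to: whether a local httpd falls inside the affected range the text states (2.4.17 through 2.4.67, first fixed in 2.4.68), and whether the total resident memory of httpd workers is climbing steadily rather than fluctuating, which is the early-warning signal the text recommends watching. The `ps` output and the two memory timelines embedded below are constructed for illustration, and the growth window and rise threshold are assumed defaults to tune per host.

```python
"""Defender-side checks for the CVE-2026-49975 'HTTP/2 Bomb' advisory.

Two helpers: an affected-version check using the range the advisory states
(2.4.17 through 2.4.67, first fixed release 2.4.68), and a sustained-growth
detector over httpd resident memory samples, the early-warning signal the
advisory recommends. All sample data here is constructed, not a real capture.
"""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (2, 4, 17)   # first affected release per the advisory
FIRST_FIXED: Version = (2, 4, 68)    # first patched release per the advisory

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
_HTTPD_NAMES = {"httpd", "apache2"}


def parse_httpd_version(banner: str) -> Optional[Version]:
    """Extract x.y.z from `httpd -v` output ('Server version: Apache/2.4.58 (Unix)')
    or from a Server response header. Returns None if no version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version < FIRST_FIXED


def local_httpd_version() -> Optional[Version]:
    """Ask the local binary for its version; None if no httpd/apache2 is installed."""
    for binary in sorted(_HTTPD_NAMES):
        try:
            out = subprocess.run([binary, "-v"], capture_output=True,
                                 text=True, timeout=5).stdout
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        version = parse_httpd_version(out)
        if version:
            return version
    return None


def total_httpd_rss_mb(ps_output: str) -> float:
    """Sum RSS (KiB) of httpd/apache2 processes from `ps -eo pid=,rss=,comm=`
    output and return megabytes. Other processes are ignored."""
    total_kib = 0
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in _HTTPD_NAMES:
            total_kib += int(parts[1])
    return total_kib / 1024


def sustained_growth(samples_mb: List[float], window: int = 5,
                     min_rise_mb: float = 256.0) -> bool:
    """Flag when the last `window` samples never decrease and rise by at least
    `min_rise_mb` overall. Normal worker churn moves up and down; memory held
    by streams stalled at a zero flow-control window only climbs. Both
    parameters are assumed defaults to tune per host."""
    if len(samples_mb) < window:
        return False
    recent = samples_mb[-window:]
    never_decreases = all(b >= a for a, b in zip(recent, recent[1:]))
    return never_decreases and (recent[-1] - recent[0]) >= min_rise_mb


# Constructed sample: three httpd workers and an unrelated process.
PS_SAMPLE = """\
 1201 10240 httpd
 1202 51200 httpd
 1203 51200 httpd
 1300  4096 sshd
"""

# Constructed timelines of total httpd RSS in MB, one reading per minute.
NORMAL_TIMELINE = [110.0, 118.5, 112.0, 121.0, 115.0]
HOLD_TIMELINE = [110.0, 600.0, 1900.0, 3400.0, 5200.0]


if __name__ == "__main__":
    v = local_httpd_version()
    if v is None:
        print("no local httpd found; version check skipped")
    else:
        state = "AFFECTED" if is_affected(v) else "not in affected range"
        print(f"httpd {'.'.join(map(str, v))}: {state}")
    print(f"httpd RSS in constructed ps sample: {total_httpd_rss_mb(PS_SAMPLE):.1f} MB")
    print("normal timeline alert:", sustained_growth(NORMAL_TIMELINE))
    print("stalled-stream timeline alert:", sustained_growth(HOLD_TIMELINE))
```

In practice the memory sampler would be driven from cron or a monitoring agent, feeding `ps -eo pid=,rss=,comm=` output into `total_httpd_rss_mb` on each tick and keeping the rolling list that `sustained_growth` inspects. For the temporary mitigation the advisory mentions, removing `h2` from the `Protocols` directive (for example `Protocols http/1.1`) stops mod_http2 from negotiating HTTP/2 until the patched release is deployed.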
Source: https://cybersecuritynews.com/http-2-bomb-dos-apache/
Apache Software Foundation TPRM report: https://www.rankiteo.com/company/the-apache-software-foundation
"id": "the1781778235",
"linkid": "the-apache-software-foundation",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Organizations using Apache HTTP Server versions 2.4.17 through 2.4.67',
 'industry': 'Technology/Software',
 'name': 'Apache Software Foundation',
 'type': 'Software Vendor'}],
 'attack_vector': 'Remote, unauthenticated HTTP/2 request',
 'description': "A proof-of-concept (PoC) exploit has been released for a severe Denial of Service (DoS) vulnerability in Apache HTTP Server, identified as CVE-2026-49975 and dubbed the 'HTTP/2 Bomb.' The flaw enables unauthenticated remote attackers to exhaust server memory and disrupt services, posing a major risk to unpatched Apache deployments. The vulnerability resides in Apache’s HTTP/2 request-handling mechanism, where multiple cookie header fields are merged without proper enforcement of the LimitRequestFields directive. Attackers can craft a small, HPACK-encoded HTTP/2 request that decompresses into an excessive number of cookie headers, forcing the server to allocate memory repeatedly. By leveraging HTTP/2 flow control, attackers stall response transmission, keeping streams open indefinitely and preventing memory release, leading to sustained memory exhaustion and service disruption.",
 'impact': {'downtime': 'Service disruption, degraded or failed service for legitimate users',
 'operational_impact': 'Excessive memory consumption, remote DoS',
 'systems_affected': 'Apache HTTP Server (versions 2.4.17 through 2.4.67)'},
 'post_incident_analysis': {'corrective_actions': 'Patch to Apache HTTP Server 2.4.68 or later, disable HTTP/2 if necessary, and implement monitoring for memory anomalies.',
 'root_causes': 'Improper enforcement of LimitRequestFields directive in HTTP/2 request-handling mechanism, allowing HPACK-encoded requests to decompress into excessive cookie headers and exhaust memory.'},
 'recommendations': 'Upgrade to Apache HTTP Server 2.4.68 or later, disable HTTP/2 if patching is not immediately feasible, and monitor for anomalous memory growth in web server processes.',
 'references': [{'source': 'GitHub (EQSTLab/CVE-2026-49975)',
 'url': 'https://github.com/EQSTLab/CVE-2026-49975'}],
 'response': {'containment_measures': 'Upgrade to Apache HTTP Server 2.4.68 or later, or disable HTTP/2 temporarily',
 'enhanced_monitoring': 'Monitor for anomalous memory growth in web server processes',
 'remediation_measures': 'Patch to version 2.4.68 or later'},
 'title': "Critical 'HTTP/2 Bomb' Vulnerability in Apache HTTP Server Exploited in Proof-of-Concept Attack",
 'type': 'Denial of Service (DoS)',
 'vulnerability_exploited': 'CVE-2026-49975 (HTTP/2 Bomb)'}