
A remote, unauthenticated denial-of-service vulnerability in Apache HTTP Server's mod_http2 module — tracked as CVE-2026-49975 — combines an HPACK compression bomb with a flow-control stall to exhaust server memory at a 4,000:1 amplification ratio. A single attacker on a 100 Mbps connection can consume 32 GB of server memory in approximately 18 seconds, rendering internet-facing Apache instances inaccessible. Proof-of-concept code is already public. Patch to mod_http2 v2.0.41 immediately.
CVE ID: CVE-2026-49975; Advisory ID: TA2026164; Affected component: mod_http2; Fixed in: mod_http2 v2.0.41; Weakness: CWE-400

CVE-2026-49975 represents a direct and immediate threat to the availability of internet-facing Apache HTTP Server deployments with HTTP/2 enabled. The vulnerability, classified under CWE-400 (Uncontrolled Resource Consumption), is not a misconfiguration: it abuses default HTTP/2 protocol behavior, so any exposed Apache instance running mod_http2 prior to version v2.0.41 is potentially vulnerable with no additional preconditions.
The most damaging operational outcome is not necessarily an outright server crash. An attacker can deliberately hold memory pressure just below the out-of-memory kill threshold to push the host into swap thrashing, degrading every workload on the machine rather than triggering a clean worker respawn. With proof-of-concept code publicly available since June 2, 2026, the barrier to exploitation is critically low. The resulting outages of public websites, APIs, and gateways carry meaningful service-disruption, reputational, and financial consequences.
The sibling vulnerabilities affecting other HTTP/2 implementations have received separate identifiers: Envoy (CVE-2026-47774) and Microsoft IIS (CVE-2026-49160). Cloudflare reports its existing architecture already mitigates the attack. This advisory covers only the Apache HTTP Server (mod_http2) variant, CVE-2026-49975, disclosed to Apache on May 27, 2026.
| CVE ID | Vulnerability Name | Affected Products | Affected CPE | CWE ID | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|---|---|
| CVE-2026-49975 | HTTP/2 Bomb (Apache HTTP Server Denial-of-Service Vulnerability) | Apache HTTP Server (httpd) with mod_http2 and HTTP/2 enabled, prior to mod_http2 v2.0.41 (e.g., 2.4.67) | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* | CWE-400 | ✗ No | ✗ No | ✓ Yes |
The HTTP/2 Bomb attack, which combines HPACK compression exploitation with a flow-control stall, creates a novel and highly efficient memory-exhaustion vector in Apache HTTP Server. The attack mechanics of CVE-2026-49975 are documented below.
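The HPACK side of the attack, as an added example that is not code from this advisory or from Apache's mod_http2: a minimal RFC 7541 decoder that handles indexed header fields and literals with incremental indexing, joins cookie crumbs with "; " as RFC 7540 requires, and enforces a field-count limit and a field-size limit (defaults 100 and 8190, mirroring LimitRequestFields and LimitRequestFieldSize) under two policies. With count_crumbs=True every decoded crumb is counted; with count_crumbs=False only the merged Cookie header is, which is this example's own model of the pre-fix behaviour the advisory describes, not a reproduction of Apache's code. The header-block builders, the reason strings and max_empty_crumbs are likewise the example's own, and per-field server memory cost is not modelled, so the advisory's 4,000:1 figure is not reproduced here.

```python
"""Minimal HPACK (RFC 7541) decoder with Apache-style field limits (added model, not mod_http2)."""

STATIC_TABLE = {32: (b"cookie", b"")}  # the only RFC 7541 static entry modelled
STATIC_TABLE_LEN = 61                  # dynamic-table indices start at 62
HEADER_TABLE_SIZE = 4096               # SETTINGS_HEADER_TABLE_SIZE default
ENTRY_OVERHEAD = 32                    # RFC 7541 section 4.1

class FieldLimitExceeded(Exception):
    pass                               # str(exc): 'too-many-fields' or 'field-too-large'

def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix; flags fill the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append(value % 128 + 128)
        value //= 128
    out.append(value)
    return bytes(out)

def decode_int(buf, pos, prefix_bits):
    """Inverse of encode_int; returns (value, new_pos)."""
    limit = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & limit, pos + 1, 0
    while value >= limit and (shift == 0 or buf[pos - 1] & 0x80):  # continuation octets
        value += (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value, pos

def empty_crumb_block(crumbs):
    """`crumbs` indexed references to static entry 32: one wire byte, one empty cookie."""
    return encode_int(32, 7, 0x80) * crumbs

def big_value_block(crumbs, value_len):
    """Classic HPACK bomb: a large 'cookie' literal enters the dynamic table at 62,
    then `crumbs` one-byte references replay it."""
    value = b"a" * value_len
    literal = encode_int(32, 6, 0x40) + encode_int(len(value), 7) + value
    return literal + encode_int(STATIC_TABLE_LEN + 1, 7, 0x80) * crumbs

def decode_block(buf, max_fields=100, max_field_size=8190, count_crumbs=True):
    """Decode indexed fields and literals-with-indexing (indexed name, raw string) under
    LimitRequestFields / LimitRequestFieldSize-style limits. count_crumbs=False counts
    only the merged Cookie header (pre-fix model). Returns (merged, stats) or raises."""
    dynamic, dyn_bytes, fields, counted, pos = [], 0, [], 0, 0  # dynamic: newest first
    def lookup(index):
        if index in STATIC_TABLE:
            return STATIC_TABLE[index]
        if STATIC_TABLE_LEN < index <= STATIC_TABLE_LEN + len(dynamic):
            return dynamic[index - STATIC_TABLE_LEN - 1]
        raise ValueError(f"index {index} not in this model's tables")
    while pos < len(buf):
        first = buf[pos]
        if first & 0x80:                            # indexed header field
            index, pos = decode_int(buf, pos, 7)
            name, value = lookup(index)
        elif first & 0xC0 == 0x40:                  # literal with incremental indexing
            name_index, pos = decode_int(buf, pos, 6)
            name = lookup(name_index)[0]
            if buf[pos] & 0x80:
                raise ValueError("Huffman-coded strings not modelled")
            length, pos = decode_int(buf, pos, 7)
            value, pos = bytes(buf[pos:pos + length]), pos + length
            size = len(name) + len(value) + ENTRY_OVERHEAD
            if dyn_bytes + size <= HEADER_TABLE_SIZE:  # eviction of old entries not modelled
                dynamic.insert(0, (name, value))
                dyn_bytes += size
        else:
            raise ValueError("representation not modelled")
        if len(name) + len(value) > max_field_size:
            raise FieldLimitExceeded("field-too-large")
        fields.append((name, value))
        counted += 1 if (name != b"cookie" or count_crumbs) else 0
        if counted > max_fields:
            raise FieldLimitExceeded("too-many-fields")
    crumbs = [v for n, v in fields if n == b"cookie"]
    merged = [(n, v) for n, v in fields if n != b"cookie"]
    if crumbs:                                      # RFC 7540 section 8.1.2.5 join
        merged.append((b"cookie", b"; ".join(crumbs)))
        counted += 0 if count_crumbs else 1         # pre-fix model: one counted header
    if counted > max_fields:
        raise FieldLimitExceeded("too-many-fields")
    if any(len(n) + len(v) > max_field_size for n, v in merged):
        raise FieldLimitExceeded("field-too-large")
    return merged, {"wire_bytes": len(buf), "fields_decoded": len(fields),
                    "expanded_bytes": sum(len(n) + len(v) for n, v in fields)}

def verdict(buf, **policy):
    try:                                            # 'accepted', or the limit that fired
        decode_block(buf, **policy)
        return "accepted"
    except FieldLimitExceeded as exc:
        return str(exc)

def max_empty_crumbs(max_field_size=8190):
    """Most empty crumbs whose merged 'cookie' (6 name bytes + 2 per join) still fits."""
    return (max_field_size - len(b"cookie")) // 2 + 1
```

verdict(empty_crumb_block(1000), count_crumbs=False) returns "accepted": 1,000 wire bytes become 1,000 stored cookie fields whose merged header is only 2,004 bytes, so neither limit fires. With count_crumbs=True the same block is rejected with "too-many-fields" at the 101st crumb. max_empty_crumbs(8190) evaluates to 4093, which is how lowering LimitRequestFieldSize shrinks, but does not remove, the usable crumb count under the pre-fix policy; big_value_block(1000, 4000) is the older bomb that a plain field count already stops.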
The attack begins with an HPACK compression bomb: a small, highly compressed header block that the server must decompress into a large number of cookie crumbs, each held as a separate header field. In unpatched versions, duplicate cookie crumbs are not counted against the LimitRequestFields limit, the exact control designed to stop the original HPACK bomb, so that limit is bypassed completely. The attacker then stalls HTTP/2 flow control with a zero-byte window, so the server cannot deliver a response and must keep the decoded headers in memory, and drips WINDOW_UPDATE frames to keep the connection alive and hold all allocated memory in place indefinitely. The result is approximately 4,000:1 memory amplification even with an empty cookie. In testing against Apache httpd 2.4.67, a single attacker client consumed and held approximately 32 GB of server memory in roughly 18 seconds.

The flaw affects the default HTTP/2 configuration of most major web servers, including nginx, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. This advisory covers CVE-2026-49975, the Apache HTTP Server (mod_http2) instance of the HTTP/2 Bomb flaw, which was disclosed to Apache on May 27, 2026. Related implementations received separate CVE identifiers (Envoy: CVE-2026-47774; Microsoft IIS: CVE-2026-49160), and Cloudflare has stated that its existing infrastructure architecture already blocks the attack without a patch. Organizations running any of these products should verify the relevant advisory for their specific environment.

No zero-day exploitation or CISA KEV listing is recorded for CVE-2026-49975. However, working proof-of-concept code became publicly available on June 2, 2026, and the public fix commits in the Apache repository directly reveal the exploit technique, so the gap between public disclosure and a deployable weapon is now critically short. The official fix ships in mod_http2 v2.0.41, which enforces that cookie crumbs count against the LimitRequestFields limit, closing the bypass that enables the 4,000:1 amplification.

The following prioritized mitigations should be applied to all Apache HTTP Server instances with HTTP/2 enabled. Patching is the only complete remediation for CVE-2026-49975; all other measures are partial stopgaps.
1. Upgrade to mod_http2 v2.0.41 or later, available from the standalone mod_http2 releases. This version contains the official fix, which makes cookie headers count against the LimitRequestFields limit and closes the amplification bypass. Patching is the only complete remediation for CVE-2026-49975 and must be treated as a priority for any Apache HTTP Server terminating HTTP/2 traffic from the internet, especially given that proof-of-concept code is already public.
2. If upgrading mod_http2 cannot be completed in the short term, mitigate exposure immediately by setting Protocols http/1.1 in the Apache server configuration to disable HTTP/2. This removes the HTTP/2 Bomb attack surface entirely, at the cost of HTTP/2 performance benefits, and should be treated strictly as a temporary stopgap until mod_http2 v2.0.41 is deployed.
3. Lowering LimitRequestFieldSize reduces the per-stream blast radius by capping the merged cookie size and therefore the usable crumb count. This is a partial mitigation only: an attacker can still multiply the effect across many streams and connections. As a supplemental safety net, cap per-worker memory using cgroups, ulimit -v, or container resource limits tight enough that a bombed worker is OOM-killed and respawned before it drags the host into swap thrashing, and ensure stalled streams have a bounded lifetime regardless of WINDOW_UPDATE activity. Note that lowering LimitRequestFields alone provides no protection on unpatched versions, since duplicate cookie crumbs are not counted against it.

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with exploitation of CVE-2026-49975 in Apache HTTP Server.
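As an added example (not from the advisory or the Apache project), the following Python audit reads httpd configuration text and reports which of the stopgaps above are in place, using the documented Apache defaults for Protocols, LimitRequestFieldSize and LimitRequestFields when they are absent. The H2MaxSessionStreams check (a real mod_http2 directive that bounds streams per connection, which the advisory does not name), the finding codes, the version-comparison helper and the two sample configurations are this example's own; it flattens VirtualHost scope and does not inspect cgroup or ulimit caps.

```python
"""Audit httpd.conf text for the HTTP/2 Bomb stopgaps (added example, not Apache code)."""
import re

FIXED_VERSION = (2, 0, 41)
DEFAULTS = {                          # documented Apache defaults when a directive is absent
    "Protocols": "http/1.1",          # HTTP/2 is only enabled when h2 or h2c is listed
    "LimitRequestFieldSize": "8190",
    "LimitRequestFields": "100",
    "H2MaxSessionStreams": "100",     # streams per connection; not named in the advisory
}

def parse_directives(conf_text):
    """Map each directive to its last value. Apache comments are whole lines
    starting with '#'; <Section> tags are skipped, so vhost scope is flattened."""
    seen = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        seen[parts[0]] = parts[1] if len(parts) > 1 else ""
    return seen

def version_tuple(text):
    return tuple(int(part) for part in text.split("."))

def audit(conf_text, mod_http2_version):
    """Effective values plus finding codes; an empty findings list means nothing to do."""
    directives = parse_directives(conf_text)
    effective = {name: directives.get(name, default) for name, default in DEFAULTS.items()}
    http2_on = any(p in ("h2", "h2c") for p in effective["Protocols"].split())
    patched = version_tuple(mod_http2_version) >= FIXED_VERSION
    findings = []
    if http2_on and not patched:
        findings.append("unpatched-h2-exposed")          # upgrade, or Protocols http/1.1
        if int(effective["LimitRequestFieldSize"]) >= 8190:
            findings.append("fieldsize-default")         # lowering caps the merged cookie
        if int(effective["LimitRequestFields"]) < 100:
            findings.append("fields-lowered-no-effect")  # crumbs are not counted pre-fix
        if int(effective["H2MaxSessionStreams"]) >= 100:
            findings.append("session-streams-default")   # more streams, more multiplication
    return {"http2_enabled": http2_on, "patched": patched,
            "effective": effective, "findings": findings}

# Constructed sample configurations, not taken from any real deployment.
EXPOSED_CONF = """
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
# Lowered in the belief that it blocks the bomb; it does not on unpatched builds.
LimitRequestFields 50
"""
STOPGAP_CONF = """
LoadModule http2_module modules/mod_http2.so
# HTTP/2 disabled until mod_http2 v2.0.41 is deployed.
Protocols http/1.1
LimitRequestFieldSize 4096
H2MaxSessionStreams 20
"""
```

audit(EXPOSED_CONF, "2.0.40") returns all four finding codes, including fields-lowered-no-effect for the lowered LimitRequestFields; audit(STOPGAP_CONF, "2.0.40") returns none because HTTP/2 is off, and audit(EXPOSED_CONF, "2.0.41") returns none because the fixed module is in place.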
| Tactic | Technique ID | Sub-technique ID | Description |
|---|---|---|---|
| Initial Access | T1190 | — | Exploit Public-Facing Application — attacker sends crafted HTTP/2 requests to internet-exposed Apache HTTP Server instances with mod_http2 enabled |
| Execution | T1059 | — | Command and Scripting Interpreter — publicly available proof-of-concept scripts used to send HPACK compression bomb requests with flow-control stalls against vulnerable Apache targets |
| Impact | T1499 | T1499.003 — Application Exhaustion Flood | Endpoint Denial of Service — HTTP/2 HPACK compression bomb with cookie crumb amplification exhausts Apache worker memory; 4,000:1 ratio achieved with a single client connection |
| Impact | T1499 | T1499.001 — OS Exhaustion Flood | Endpoint Denial of Service — sustained memory pressure via zero-byte flow-control windows and WINDOW_UPDATE drip pushes host into swap thrashing, degrading all system workloads |