HTTP/2 Bomb DoS Flaw Exposes Apache and Major Web Servers to Memory Exhaustion
A newly disclosed denial-of-service vulnerability dubbed HTTP/2 Bomb (CVE-2026-49975) can let unauthenticated attackers crash vulnerable servers by abusing HTTP/2 header compression and flow-control behavior to amplify small requests into large in-memory allocations. Researchers said the flaw affects widely deployed infrastructure including nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, with early Internet scans identifying more than 880,000 potentially exposed websites. Security firms reported reconnaissance activity in the wild, and sectors with large numbers of Internet-facing systems—especially telecommunications, IT, and healthcare—were flagged as particularly exposed.
A public proof-of-concept is now available for Apache HTTP Server, where affected versions 2.4.17 through 2.4.67 can be forced into sustained memory exhaustion through crafted HTTP/2 cookie headers and a zero-window flow-control technique that prevents resources from being released. Apache fixed the issue in 2.4.68, while other vendors have rolled out patches or mitigations on uneven timelines, including earlier fixes from nginx and Apache, a next-day patch from Envoy, a later mitigation from Microsoft, and no patch yet reported for Cloudflare at the time of coverage. Defenders are being urged to upgrade immediately, consider temporarily disabling HTTP/2 where feasible, and watch for abnormal memory growth and other signs of attempted DoS activity.
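For defenders triaging the Apache side of this story, the first question is whether a given httpd build falls inside the affected range stated above (2.4.17 through 2.4.67, fixed in 2.4.68). The following is an added example, not code from the article or from any of the vendors named in it: it parses an HTTP `Server` response header, compares the version against that range, and reports one of four outcomes. The sample header values at the bottom are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Affected range as reported in the coverage: Apache httpd 2.4.17 through 2.4.67.
# The fix shipped in 2.4.68. These constants come from the article, nothing else.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 67)
FIXED_VERSION = (2, 4, 68)

# Matches the product token Apache emits when ServerTokens is Full/OS/Minimal/Minor.
_APACHE_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header value, or None if no
    Apache version is present (non-Apache server, or banner hidden)."""
    match = _APACHE_VERSION_RE.search(server_header)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected_apache(version: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the inclusive affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess_server_header(server_header: str) -> str:
    """Classify a Server header as 'affected', 'fixed', 'not-in-range' or 'unknown'.

    'unknown' means the banner does not reveal an Apache version, so the
    banner alone cannot answer the question; check package metadata instead.
    """
    version = parse_apache_version(server_header)
    if version is None:
        return "unknown"
    if is_affected_apache(version):
        return "affected"
    if version >= FIXED_VERSION:
        return "fixed"
    return "not-in-range"


if __name__ == "__main__":
    # Constructed sample banners, not observed data.
    samples = [
        "Apache/2.4.58 (Ubuntu)",
        "Apache/2.4.68 (Unix) OpenSSL/3.0.13",
        "Apache/2.4.16",
        "Apache",            # ServerTokens Prod hides the version
        "nginx/1.25.3",      # not Apache; out of scope for this check
    ]
    for banner in samples:
        print(f"{banner!r:40} -> {assess_server_header(banner)}")
```

Treat the result as a triage hint, not a verdict: with `ServerTokens Prod` the banner carries no version, and distribution packages often backport a fix without changing the upstream version string, so an "affected" banner should be confirmed against the installed package version before anyone declares an exposure.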

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
EQSTLab publishes public PoC exploit for Apache HTTP Server
Cyber Security News reports that EQSTLab publicly released a Python proof-of-concept exploit on GitHub for Apache HTTP Server versions 2.4.17 through 2.4.67, demonstrating sustained memory exhaustion in a Dockerized test environment.
Researchers and vendors observe reconnaissance activity
Researchers and vendors observed reconnaissance activity in the wild targeting the HTTP/2 Bomb issue, although Radware said it had not yet seen major observable attacks.
Microsoft issues mitigation on Patch Tuesday
Dark Reading reports that Microsoft released a mitigation for CVE-2026-49975 a week after disclosure on Patch Tuesday, while Cloudflare Pingora remained unpatched at the time of reporting.
Envoy releases patch the day after disclosure
Dark Reading states that Envoy patched HTTP/2 Bomb on the day after the vulnerability was disclosed publicly.
HTTP/2 Bomb vulnerability is publicly disclosed
The newly disclosed HTTP/2 Bomb vulnerability, CVE-2026-49975, was reported as affecting widely deployed infrastructure including nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, with more than 880,000 potentially exposed websites identified in an initial Shodan scan.
nginx and Apache fix CVE-2026-49975 before public disclosure
According to Dark Reading, nginx and Apache issued fixes for HTTP/2 Bomb prior to the vulnerability's public disclosure. Cyber Security News specifies that Apache addressed the issue in version 2.4.68.
Researcher discovers HTTP/2 Bomb vulnerability
Dark Reading reports that Calif researcher Quang Luong discovered a denial-of-service flaw dubbed HTTP/2 Bomb, tracked as CVE-2026-49975, affecting major HTTP/2 server implementations.