HTTP/2 memory exhaustion in Envoy via cookie header size bypass and HPACK amplification

Repository contains a Python proof-of-concept exploit for an HTTP/2 denial-of-service issue described as CVE-2026-49975, plus a companion defense-probing script and a local HTTP/2 test server. The main exploit file is http2_bomb.py, which manually builds HTTP/2 traffic using hyperframe and hpack rather than a higher-level HTTP client. It opens a TCP/TLS connection to a user-supplied host and port, negotiates ALPN 'h2' when TLS is enabled, sends the HTTP/2 connection preface and SETTINGS, and then performs the attack by abusing HPACK compression and HTTP/2 flow control. The exploit’s core capability is to insert small headers into the HPACK dynamic table and then send many indexed references across multiple streams, creating asymmetric server-side memory/bookkeeping cost. It also sets INITIAL_WINDOW_SIZE to 0 to inhibit response delivery and can periodically send WINDOW_UPDATE frames to keep the connection alive, effectively pinning allocations. Optional cookie fragmentation is included to try to bypass header-count limits. probe_defense.py is not the exploit itself; it is a detection/probing utility that connects to a target HTTP/2 service and evaluates whether mitigations appear present based on protocol behavior. test_server.py is a local vulnerable-style HTTP/2 server used for validation and demonstration; it listens with TLS, accepts HTTP/2 connections, decodes headers, and logs large header counts to simulate the vulnerable processing path. Repository structure is small and focused: 3 Python code files, 1 README, 1 requirements file, and .gitignore. Dependencies are h2/hpack/hyperframe. This is a real exploit repository, not just documentation, and its practical outcome is application-layer remote DoS rather than code execution. No hardcoded victim infrastructure is embedded; the operator supplies the target host and port at runtime.