https://blog.kalfaoglu.net/tags/dos/Recent content in DoS on kalfaoglu.netHugoenThu, 04 Jun 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-06-04-cve-2026-49975-http2-bomb-en/Thu, 04 Jun 2026 00:00:00 +0000https://blog.kalfaoglu.net/posts/2026-06-04-cve-2026-49975-http2-bomb-en/<p>On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the <a href="https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb">HTTP/2 Bomb</a> that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was <a href="https://seclists.org/oss-sec/2026/q2/790">posted to oss-security</a> the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations.</p> <p>The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant.</p> <h2 id="what-the-attack-does">What the attack does</h2> <p>The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers.</p>