CVE-2026-49975: The HTTP/2 Bomb That Knocks nginx and Apache Offline With a Single Connection
On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant.

What the attack does

The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...