logo

CVE-2026-49975: HTTP/2 Bomb Attack Can Knock Web Servers Offline in Seconds

ID: fb89f4dd-2a5c-542e-a304-36d6f395646d

STIX ID: report--fb89f4dd-2a5c-542e-a304-36d6f395646d

Feed Name: SOC Prime Blog

Threat Score
70/100

Date Published: 2026-06-05

Date Updated: 2026-06-06

Author: SOC Prime Team

...
...

**Executive summary:** CVE-2026-49975 (the "HTTP/2 Bomb") is a denial-of-service chain that combines an HPACK compression bomb with HTTP/2 flow-control/continuation-frame abuse to cause rapid memory exhaustion and take major web servers offline; vendors including NGINX and Apache have released fixes while others (Microsoft IIS, Envoy, Cloudflare Pingora) were unpatched at the time of reporting, and defenders should prioritize patching exposed HTTP/2 services and monitoring for abnormal memory spikes and abrupt service degradation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.