CVE-2026-49975 HTTP/2 Bomb Hits nginx, Apache, Envoy, and Cloudflare

CVE-2026-49975 HTTP/2 Bomb exploit achieves 5,700:1 amplification against Envoy, crashing 32 GB of server memory with a single residential connection.

    Security researchers disclosed CVE-2026-49975 on June 3, 2026 — a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust 32 gigabytes of server memory in approximately 10 seconds on a vulnerable Envoy deployment, requiring only a single residential internet connection to execute. The vulnerability affects nginx, Apache httpd, Microsoft IIS, Envoy proxy, and Cloudflare Pingora, with over 880,000 public-facing servers confirmed exposed via a Shodan scan.

    How CVE-2026-49975 Exploits HTTP/2 HPACK Compression Against nginx, Apache, and Envoy

    The attack combines two techniques: HPACK compression table amplification and Slowloris-style connection holding. An attacker first seeds the server’s HTTP/2 header compression table with a single large header entry. Subsequent requests then send thousands of single-byte references back to that table entry — forcing the server to allocate massive memory to reconstruct the referenced headers on each request while keeping the connections alive long enough to exhaust available memory.
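To make the HPACK side of the mechanism concrete, here is an added toy model (not code from the researchers or from any of the named projects): a minimal HPACK decoder that handles only the dynamic table and one-octet indexed fields, showing how 1,000 bytes on the wire expand to about 4 MB of decoded headers, beside a hardened variant with an assumed per-request cap on decoded header bytes that rejects the block before the allocation grows. The cap is an illustrative mitigation, not a description of any vendor's fix.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A defines 61 static entries
ENTRY_OVERHEAD = 32      # RFC 7541 s4.1: entry size = name + value + 32

class HeaderListTooLarge(Exception):
    """Decoded header bytes would exceed the configured cap."""

@dataclass
class ToyHpackDecoder:
    # Assumed per-request cap on decoded header bytes; None means no cap.
    max_header_list_size: Optional[int] = None
    dynamic_table: List[Tuple[str, str]] = field(default_factory=list)

    def seed(self, name: str, value: str) -> None:
        """Add an entry, as a literal with incremental indexing would."""
        self.dynamic_table.insert(0, (name, value))  # newest entry is index 62

    def decode(self, block: bytes) -> List[Tuple[str, str]]:
        headers, decoded_bytes = [], 0
        for octet in block:
            index = octet & 0x7F  # 7-bit prefix integer (RFC 7541 s6.1)
            if not (octet & 0x80) or index == 0x7F or index <= STATIC_TABLE_SIZE:
                raise ValueError("only one-octet dynamic-table references are modelled")
            name, value = self.dynamic_table[index - STATIC_TABLE_SIZE - 1]
            decoded_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            # Hardened path: reject before the allocation grows past the cap,
            # so one octet on the wire cannot buy kilobytes of server memory.
            if self.max_header_list_size is not None and decoded_bytes > self.max_header_list_size:
                raise HeaderListTooLarge(f"{decoded_bytes} > {self.max_header_list_size}")
            headers.append((name, value))
        return headers

def expansion(decoder: ToyHpackDecoder, block: bytes) -> Tuple[int, float]:
    """Return (decoded bytes, decoded bytes per wire byte) for one header block."""
    total = sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in decoder.decode(block))
    return total, total / len(block)

def demo() -> Tuple[int, float, bool]:
    # Constructed sample: one 4 KiB cookie seeded, then 1,000 one-octet references to it.
    block = bytes([0x80 | 62]) * 1000
    unlimited = ToyHpackDecoder()
    unlimited.seed("cookie", "x" * 4096)
    total, ratio = expansion(unlimited, block)
    capped = ToyHpackDecoder(max_header_list_size=16_384)
    capped.seed("cookie", "x" * 4096)
    try:
        capped.decode(block)
        rejected = False
    except HeaderListTooLarge:
        rejected = True
    return total, ratio, rejected
```

Running `demo()` returns the decoded size, the per-byte expansion ratio, and whether the capped decoder refused the block; the uncapped decoder reconstructs every reference in full, the capped one stops after a few.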

    Amplification Ratios Across Affected Platforms

    The bandwidth amplification ratios measured by researchers are severe: Envoy reaches 5,700:1 amplification (exhausting 32 GB in roughly 10 seconds), Apache httpd reaches 4,000:1, and nginx reaches 70:1. Even nginx’s comparatively modest ratio means a single connection generating a few megabits of traffic forces the server to process hundreds of megabits of effective data — sufficient to degrade service under sustained attack.

    Cloudflare Pingora’s inclusion is particularly notable. Pingora is Cloudflare’s internally developed HTTP proxy engine, used to front and protect other websites against web attacks. A vulnerability in that layer affects not just Cloudflare’s infrastructure but the protective posture it provides to downstream customers.

    Responsible Disclosure to Vendors and Patch Status

    Researchers notified all affected vendors beginning on May 27, 2026. The coordinated public disclosure on June 3 follows that vendor notification window. The CVE was assigned to the Apache httpd variant; other affected platforms — nginx, IIS, Envoy, and Pingora — are separately tracking the issue, and patch availability varies by vendor.

    880,000 Servers Exposed; Public PoC Lowers the Attack Bar

    A Shodan scan conducted by researchers identified more than 880,000 public-facing websites running affected server software with HTTP/2 enabled at the time of disclosure. Many of those servers benefit from CDN fronting, which partially mitigates direct exploitation — requests must pass through the CDN layer before reaching origin infrastructure. However, CDN fronting does not protect services where the CDN itself is the vulnerable component, as in the Pingora case.

    No evidence of active in-the-wild exploitation was found at the time of disclosure. The public proof-of-concept code released with the research significantly lowers the technical barrier for adversaries seeking to weaponize the technique — moving the threat from theoretical to operational without requiring independent vulnerability research.

    Scope of the HTTP/2 Bomb Across Web Infrastructure

    The HTTP/2 protocol is near-universally enabled on modern web servers as a performance optimization. HPACK header compression — the mechanism the attack exploits — is a core protocol feature, not an optional extension. This means the attack surface is inherent to compliant HTTP/2 implementations, and the fix requires implementation-level changes rather than configuration toggles.

    Web operators should verify whether HTTP/2 is enabled on exposed server instances and monitor vendor advisories from nginx, Apache, Microsoft, Envoy, and Cloudflare for patch availability. Organizations where Envoy or Apache serves as the edge or API gateway component face the highest immediate risk given the amplification ratios measured in research testing.
