HTTP/2 Bomb Vulnerability: Apache, Envoy, Nginx Face DoS Risk
Penligent has published details on CVE-2026-49975, an HTTP/2 Bomb vulnerability affecting Apache httpd (and related issues in Envoy, nginx, IIS, Cloudflare Pingora) due to cookie header accounting flaws. This vulnerability allows small compressed header patterns to expand into costly internal objects, creating remote memory pressure and potential denial-of-service attacks. The article advises streaming industry professionals to inventory HTTP/2 termination points, apply patches, and implement mitigations to prevent these attacks.
Key Takeaways
- CVE-2026-49975 specifically addresses an Apache httpd cookie header accounting flaw, fixed in `mod_http2` version 2.0.41.
- The broader 'HTTP/2 Bomb' class impacts servers including Envoy (CVE-2026-47774), nginx (v1.29.8+ with `max_headers`), IIS, and Cloudflare Pingora.
- The attack uses HPACK decompression and HTTP/2 flow control to expand small requests into large server-side memory allocations, which are then held by stalled streams.
- Existing header limits often fail to prevent this due to differing interpretations of encoded size, decoded size, object count, and header field accounting, especially for split `Cookie` fields.
- Mitigation requires patching, disabling HTTP/2 where not critical, implementing strict header-count limits, and applying container memory limits to contain impact.
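The accounting gap in the takeaways above, as an added example that is not from the Penligent article or from any of the named servers: a Python model of two ways a server can count decoded header fields, using the RFC 9113 header list size formula (name length + value length + 32 octets per field). The field and size limits and the sample request are constructed assumptions.

```python
# Added example (not from the Penligent article): models two ways a server can
# account for decoded HTTP/2 header fields and shows how they diverge for
# split Cookie fields. Limits and sample values are constructed assumptions.
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# RFC 9113 section 6.5.2: header list size is the sum over fields of
# len(name) + len(value) plus 32 octets of overhead per field.
FIELD_OVERHEAD = 32


def header_list_size(fields: Iterable[Header]) -> int:
    return sum(len(n) + len(v) + FIELD_OVERHEAD for n, v in fields)


def join_cookies(fields: Iterable[Header]) -> List[Header]:
    """Concatenate split cookie fields with '; ' as RFC 9113 section 8.2.3
    permits. A server that does this before enforcing limits sees one field."""
    fields = list(fields)
    cookies = [v for n, v in fields if n == "cookie"]
    others = [(n, v) for n, v in fields if n != "cookie"]
    if cookies:
        others.append(("cookie", "; ".join(cookies)))
    return others


def account(fields: Iterable[Header], join_first: bool) -> Dict[str, int]:
    """Count fields and list size either per fragment or after concatenation."""
    fields = list(fields)
    decoded = join_cookies(fields) if join_first else fields
    return {"fields": len(decoded),
            "list_size": header_list_size(decoded),
            "cookie_fragments": sum(1 for n, _ in fields if n == "cookie")}


def admit(fields: Iterable[Header], max_fields: int = 100,
          max_list_size: int = 8192, join_first: bool = False) -> bool:
    """True if the decoded request stays within limits. Counting fields after
    concatenation (join_first=True) is the accounting gap: hundreds of cookie
    fragments, each a separately allocated object, collapse to one field."""
    a = account(fields, join_first)
    return a["fields"] <= max_fields and a["list_size"] <= max_list_size


# Constructed sample: a minimal request plus many tiny cookie fragments.
BASE = [(":method", "GET"), (":path", "/"), (":scheme", "https"),
        (":authority", "example.invalid")]
SPLIT_COOKIES = BASE + [("cookie", "a=b")] * 500
```

Running `admit(SPLIT_COOKIES)` rejects the sample on field count, while `admit(SPLIT_COOKIES, join_first=True)` admits it, which is the per-fragment versus per-header discrepancy that the patched servers close.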
Why It Matters
This vulnerability class underscores critical, often overlooked, exposure points in streaming infrastructure, potentially disrupting content delivery and platform stability. It highlights how underlying protocol inefficiencies can be weaponized into availability bugs across major web servers and CDNs. Streaming providers must conduct thorough audits of all HTTP/2 termination points—from edge CDNs to internal service mesh components—and implement multi-layered defenses. The focus is now on comprehensive configuration and version management, particularly for ingress and gateway services, to prevent memory exhaustion and ensure continuous service for demanding live and on-demand video workloads.
Read full article at penligent.ai
