PT-2026-45945 · Cncf+4 · Envoy+4

Published 2026-06-03 · Updated 2026-06-06 · CVE-2026-49975

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Apache mod_http2 versions prior to 2.0.41
Apache HTTP Server version 2.4.67
Description

Apache HTTP Server incorrectly handles certain cookie headers in its HTTP/2 implementation (mod_http2), leading to a denial of service. The issue, known as the HTTP/2 Bomb, chains two techniques: HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.

HPACK compression amplification: the client inserts a large header into the HPACK dynamic table once and then references it by index repeatedly. Each index reference is only a byte or two on the wire but decodes to the full header, so the server allocates far more memory for the decoded request than it received.

Flow-control stalling: the client advertises a zero-byte flow-control window, so the server cannot send the response and cannot free the memory tied to the request; small WINDOW_UPDATE frames keep the connection alive past the server's timeouts.

Together these let a single client on a home internet connection exhaust server memory (for example, 32 GB of RAM in approximately 18 seconds), rendering the server inaccessible. Over 880,000 sites are potentially exposed.
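The two sides of the amplification step, as an added example that is not Apache or mod_http2 code: a minimal HPACK (RFC 7541) encoder builds a header block in which one large cookie is placed in the dynamic table and then re-emitted by one-byte index references, and a decoder enforces the check a server needs, a cap on the decoded header list size and header count rather than on the bytes received. Assumptions: Huffman-coded strings are not supported, the static table is reduced to the three entries used here (its size is kept at 61 so dynamic indices start at 62 as in the RFC), and the limit values in `HpackDecoder` are illustrative defaults, not Apache's.

```python
# Added example: HPACK amplification and a decoded-size cap (not mod_http2 code).
STATIC_TABLE_SIZE = 61                                    # RFC 7541 Appendix A
STATIC_TABLE = {2: (b":method", b"GET"), 4: (b":path", b"/"),
                7: (b":scheme", b"https")}                # subset (assumption)
ENTRY_OVERHEAD = 32                                       # RFC 7541 section 4.1


def encode_int(value, prefix_bits, flags=0):
    """HPACK integer with an N-bit prefix (RFC 7541 section 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    """Raw string literal: H bit 0, 7-bit length prefix, then the octets."""
    return encode_int(len(s), 7) + s


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings not supported in this demo")
    length, pos = decode_int(buf, pos, 7)
    if pos + length > len(buf):
        raise ValueError("truncated string literal")
    return bytes(buf[pos:pos + length]), pos + length


def build_amplified_block(name, value, repeats):
    """Constructed block: 0x40 = literal with incremental indexing, index 0
    (new name), which stores name/value at dynamic index 62; every following
    0xBE byte (indexed field 62) decodes to the same full header again.
    The entry must fit the 4096-byte table or it is evicted immediately."""
    block = bytes([0x40]) + encode_string(name) + encode_string(value)
    return block + encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * repeats


class HpackDecoder:
    def __init__(self, table_size=4096, max_header_list_size=16384,
                 max_header_count=100):            # limits are assumptions
        self.dynamic = []                          # newest entry first
        self.settings_table_size = self.table_size = table_size
        self.max_header_list_size = max_header_list_size
        self.max_header_count = max_header_count

    def _evict(self):
        while self.dynamic and sum(len(n) + len(v) + ENTRY_OVERHEAD
                                   for n, v in self.dynamic) > self.table_size:
            self.dynamic.pop()

    def _lookup(self, index):
        if 1 <= index <= STATIC_TABLE_SIZE:
            if index not in STATIC_TABLE:
                raise ValueError("static index %d not in demo subset" % index)
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_SIZE - 1
        if not 0 <= dyn < len(self.dynamic):
            raise ValueError("invalid index %d" % index)
        return self.dynamic[dyn]

    def _literal(self, block, pos, index):
        name, pos = (self._lookup(index)[0], pos) if index else decode_string(block, pos)
        value, pos = decode_string(block, pos)
        return name, value, pos

    def decode(self, block):
        headers, decoded_size, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                                   # indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif b & 0x40:                                 # literal, incremental indexing
                index, pos = decode_int(block, pos, 6)
                name, value, pos = self._literal(block, pos, index)
                self.dynamic.insert(0, (name, value))
                self._evict()
            elif b & 0x20:                                 # dynamic table size update
                size, pos = decode_int(block, pos, 5)
                if size > self.settings_table_size:
                    raise ValueError("table size above advertised setting")
                self.table_size = size
                self._evict()
                continue
            else:                                          # literal without/never indexing
                index, pos = decode_int(block, pos, 4)
                name, value, pos = self._literal(block, pos, index)
            # Account for the decoded cost of every field, including one-byte
            # index references, and refuse before the list grows further.
            decoded_size += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded_size > self.max_header_list_size:
                raise ValueError("decoded header list exceeds %d bytes" % self.max_header_list_size)
            if len(headers) >= self.max_header_count:
                raise ValueError("more than %d header fields" % self.max_header_count)
            headers.append((name, value))
        return headers


def try_decode(block, **limits):
    """Return (accepted, header_count_or_reason, decoded_bytes)."""
    try:
        headers = HpackDecoder(**limits).decode(block)
    except ValueError as exc:
        return False, str(exc), 0
    return True, len(headers), sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)


if __name__ == "__main__":
    block = build_amplified_block(b"cookie", b"a" * 4000, 1000)  # constructed input
    print("wire bytes:", len(block))                               # 5011
    print("uncapped:", try_decode(block, max_header_list_size=1 << 30, max_header_count=1 << 20))
    print("capped:", try_decode(block))
```

With the constructed 4,000-byte cookie and 1,000 index references, the block is 5,011 bytes on the wire and about 4 MB decoded (roughly 800x); the uncapped decoder accepts all 1,001 fields, while the capped one refuses at the fifth. In Python the decoded tuples share one bytes object, so the memory growth is only visible in the computed size; a server that copies each decoded field into the request's header set pays it for real, which is what the description above relies on.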
Recommendations

Update Apache mod_http2 to version 2.0.41 or later.
If updating is not feasible, disable HTTP/2 entirely (in Apache, remove h2 and h2c from the Protocols directive, e.g. `Protocols http/1.1`).
Restrict access to the vulnerable HTTP/2 endpoint by placing a reverse proxy or content delivery network (CDN) in front of it that enforces hard limits on the decoded header count and header list size, so the amplified header block is rejected before it reaches the origin.

Related Identifiers

CVE-2026-49975
USN-8384-1

Affected Products

Apache HTTP Server
Envoy
IIS
Pingora
Nginx