In a nutshell: An HTTP/2 vulnerability in header compression allows attackers to trigger excessive memory allocations with minimal traffic, crippling servers.
A vulnerability in HTTP/2 standard configuration enables denial-of-service attacks on widely used web servers such as nginx, Apache, and Microsoft IIS. The security flaw combines two established attack techniques and affects over 880,000 websites.
Security consultancy Calif has disclosed a flaw in HTTP/2 implementations that affects Nginx (from v1.29.8), Apache HTTP Server (mod_http2 from v2.0.41), Microsoft IIS, Envoy, and Cloudflare Pingora. Tracked under CVE-2026-49975, the vulnerability allows an attacker to occupy disproportionately large amounts of memory on the target server, degrading its performance or causing it to fail.
The core problem lies in HPACK, HTTP/2’s header compression mechanism. Attackers can exploit the dynamic header table to force repeated, large memory allocations on the server with very small amounts of data on the wire. Calif CEO Thai Duong describes the technique as a combination of two attack methods known for over a decade: a compression-bomb principle (one byte on the wire becomes a full header allocation on the server, thousands of times per request) and a Slowloris-like hold tactic (a zero-byte flow-control window prevents the memory from being released). According to Shodan data, at least 880,000 websites support HTTP/2 with one of the affected server implementations, though CDNs may partly hinder practical execution.
Nginx and Apache HTTP Server have already provided patches; Envoy followed on June 3 with versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Microsoft IIS and Cloudflare Pingora had no patches available at the time of disclosure. Affected administrators should deploy updates via standard update channels.
For organizations without an available patch, Calif recommends disabling HTTP/2 if possible or protecting the server with a component that enforces strict per-request header limits. This is the first HTTP/2 DoS vulnerability of this kind since 2019, when Netflix disclosed several similar vulnerabilities, and underscores the ongoing need for regular security audits of established protocol implementations.
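To make the amplification described above and the per-request header limit recommended here concrete, the following is an added illustration (my own, not code from the article, Calif, or any of the servers named): a simplified HPACK-style decoder that charges each decoded field against a per-request budget before allocating it. It assumes single-byte indexed representations only, no static table, no Huffman coding, and constructed sample values.

```python
"""Added example (not from the article or any of the named projects): a
simplified HPACK-style decoder showing why a per-request decoded-header
budget matters. Only the indexed field representation (RFC 7541 section 6.1)
with a single-byte index is modelled; the static table, Huffman coding and
multi-byte integers are omitted, so this is an illustration, not HPACK."""

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1 charges 32 bytes of overhead per entry


class HeaderListTooLarge(Exception):
    """Raised when the decoded header list would exceed the configured budget."""


def entry_size(name: bytes, value: bytes) -> int:
    """Size of one header field as HPACK accounts for it."""
    return len(name) + len(value) + ENTRY_OVERHEAD


def decode_indexed_block(block: bytes, table: list, max_header_list_size: int) -> list:
    """Decode a block of single-byte indexed fields against `table` (1-based index).

    The full entry size is charged against the budget before the field is
    materialised, so an over-budget block is rejected without building the list.
    """
    decoded, budget_used = [], 0
    for b in block:
        if not b & 0x80:
            raise ValueError("only indexed representations are modelled here")
        index = b & 0x7F
        if not 1 <= index <= len(table):
            raise ValueError(f"index {index} out of range")
        name, value = table[index - 1]
        budget_used += entry_size(name, value)
        if budget_used > max_header_list_size:
            raise HeaderListTooLarge(
                f"header list would reach {budget_used} bytes after "
                f"{len(decoded) + 1} fields (limit {max_header_list_size})"
            )
        decoded.append((name, value))
    return decoded


def amplification(block: bytes, table: list) -> float:
    """Bytes the server allocates per byte received for an all-indexed block."""
    total = sum(entry_size(*table[(b & 0x7F) - 1]) for b in block)
    return total / len(block)


# Constructed sample (not from the article): one table entry holding a 4 KiB
# value, and a header block of 1,000 one-byte references to it.
SAMPLE_TABLE = [(b"x-padding", b"A" * 4096)]
SAMPLE_BLOCK = bytes([0x81]) * 1000
```

With a 16 KiB budget the sample block is rejected at its fourth field, before the remaining 996 references are materialised; without a budget each wire byte expands to 4,137 bytes of server-side allocation.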
Source: www.csoonline.com · Published June 4, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.