
What is CVE-2026-49975?
CVE-2026-49975 is a memory exhaustion vulnerability in the mod_http2 module of Apache HTTP Server that allows a remote attacker to cause a denial of service through maliciously crafted HTTP/2 requests. It is classified as CWE-789, Memory Allocation with Excessive Size Value, and was publicly disclosed as part of an attack technique nicknamed the “HTTP/2 Bomb.”
The vulnerability carries a CVSS v3.1 base score of 7.5 (High). The Apache Software Foundation rated the issue Moderate in its own advisory, while the National Vulnerability Database scores it High. The scoring vector reflects an availability-only impact: no loss of confidentiality or integrity, but full loss of service.
Exploitation is unauthenticated and requires only network access to a server with HTTP/2 enabled. The technique chains two legitimate HTTP/2 behaviors. An HPACK compression bomb forces the server to expand small compressed header inputs into much larger internal objects, and an HTTP/2 flow-control hold, similar in spirit to a Slowloris attack, keeps those allocations alive instead of letting the server reclaim them. The combined effect is rapid memory growth that can render a server unresponsive within seconds.
Public reporting indicates the attack can be launched from a single modest connection rather than a large botnet, which lowers the barrier to abuse. The vulnerability was reported by Quang Luong of Calif.IO, working with an AI-assisted code analysis process.
What assets are affected by CVE-2026-49975?
The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.67. An affected asset is typically an internet-facing web server or reverse proxy with HTTP/2 enabled, which in most modern deployments means TLS-terminated HTTP/2 served on TCP/443. HTTP/2 is on by default in many current configurations, so a server can be exposed without an administrator having explicitly opted in.
The “HTTP/2 Bomb” disclosure described a broader class of issue affecting several major server stacks beyond Apache, including nginx, Microsoft IIS, Envoy, and Cloudflare Pingora. CVE-2026-49975 is the Apache-assigned identifier for the Apache-side instance of this class. nginx addressed the underlying behavior in a separate release, and Envoy published its own advisory under a different identifier. Because the same technique surfaces across multiple implementations, exposure in practice spans both Apache httpd and nginx fleets that front public web applications.
These assets are common at the edge of nearly every organization. Web servers and proxies are frequently provisioned across cloud regions, partner-facing endpoints, and content delivery layers, and many are long-lived. The combination of default HTTP/2 support and broad version coverage means a large share of an organization’s externally reachable web infrastructure can fall within the affected range.
What does our data show about exposure patterns?

Exposure in this set is led by Communication Services at 24.9% of observed assets, with Information Technology contributing 18.0% and Health Care close behind at 17.0%.
The concentration in Communication Services is consistent with how that sector operates. Media, telecom, and content businesses run large, distributed web footprints built to serve traffic at scale, and HTTP/2 is precisely the protocol they adopt early to improve delivery performance. That same performance-driven posture, spread across many edge nodes and partner integrations, widens the surface on which a default HTTP/2 configuration can be reached from the internet.
Across the remaining sectors, the pattern points to a single underlying driver: the affected component is general-purpose web infrastructure, not a niche product. Apache httpd and nginx sit in front of applications in every industry, often provisioned years ago and rarely revisited once stable. The breadth of the “Others” bucket at 40.1% reflects that reality. Exposure here is less about any one vertical and more about how widely standard web servers are deployed and how easily an enabled-by-default protocol feature escapes inventory.
Are fixes available?
Yes. The Apache Software Foundation released Apache HTTP Server 2.4.68 on June 8, 2026, which fixes CVE-2026-49975 along with a batch of other vulnerabilities addressed in the same release. Upgrading to 2.4.68 or later is the direct remediation for affected Apache deployments.
Distribution-level patching is uneven and worth verifying per platform. Red Hat issued an advisory with updated httpd packages for Red Hat Enterprise Linux, and Debian published a security update through its LTS channel. For nginx, the related behavior was addressed in a later release that introduced a header-count limit, though that fix was reported to cause a regression with external modules and was reverted in at least one downstream package pending further investigation. nginx did not assign a separate CVE for the issue.
Given the inconsistent state of downstream fixes, defenders should confirm patch availability and stability directly with their vendor or distribution rather than assuming a fix is present. Where a stable patch is not yet available for a given platform, the vulnerability should be treated as live and mitigated at the network layer.
Are there any other recommended actions to take?
Until patching is confirmed across all platforms, defenders should:
- Inventory internet-facing Apache httpd and nginx servers with HTTP/2 enabled
- Identify which endpoints advertise h2 on TCP/443
- Cap concurrent HTTP/2 streams per connection at the proxy or WAF
- Constrain request header count and size limits where the server supports it
- Monitor for connections holding streams open alongside abnormal memory growth
- Disable HTTP/2 on exposed servers that cannot be patched promptly
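An inventory helper for the first two actions above, added here as an example rather than code from CyCognito or the Apache project: it offers h2 via TLS ALPN on TCP/443 to see whether a host advertises HTTP/2, and reads the Server: header over a plain HTTP/1.1 HEAD request to flag httpd versions in the 2.4.17 through 2.4.67 range. It assumes the hosts come from your own inventory and that the server still exposes its version in Server:.

```python
import re
import socket
import ssl

AFFECTED_MIN, AFFECTED_MAX = (2, 4, 17), (2, 4, 67)  # range given in the advisory
SERVER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def affected_apache_version(server_header):
    """True when a Server: header names an httpd version in the affected range."""
    # A header that hides the version (ServerTokens Prod) or names another
    # server gives False: treat that as "verify on the host", not as a clean bill.
    m = SERVER_RE.search(server_header or "")
    if not m:
        return False
    return AFFECTED_MIN <= tuple(int(p) for p in m.groups()) <= AFFECTED_MAX

def parse_server_header(response_head):
    """Extract the Server: value from the head of an HTTP/1.1 response."""
    for line in response_head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def advertises_h2(host, port=443, timeout=5.0):
    """Offer only h2 via ALPN; a server with HTTP/2 enabled selects it."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol() == "h2"
    except ssl.SSLError:
        return False  # some stacks abort the handshake with no_application_protocol

def fetch_server_header(host, port=443, timeout=5.0):
    """Negotiate HTTP/1.1 and send one HEAD request to read the Server: header."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(req)
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_server_header(data.decode("latin-1"))
```

Run `advertises_h2(host)` and `fetch_server_header(host)` over the inventory list; a host where ALPN returns h2 and `affected_apache_version` is True belongs at the top of the patch-or-mitigate queue.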
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-49975 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.