

























A proof-of-concept (PoC) exploit has been publicly released for a critical Denial of Service vulnerability in Apache HTTP Server, tracked as CVE-2026-49975, dubbed the “HTTP/2 Bomb.”
The flaw allows remote attackers to exhaust server memory and disrupt services without authentication, posing a significant risk to organizations running unpatched Apache deployments.
The vulnerability lies in the HTTP/2 request-handling path of Apache HTTP Server. When multiple cookie header fields are processed, they are merged without being properly counted against the LimitRequestFields directive effectively bypassing a key resource protection mechanism.
An attacker can craft a small, HPACK-encoded HTTP/2 request that decompresses into a large number of cookie header fields. During Cookie header merging, the server is forced to repeatedly allocate memory for each field expansion.
The attacker then weaponizes HTTP/2 flow control by setting the initial window size to zero, deliberately stalling response transmission and keeping affected streams open indefinitely. This prevents the server from releasing the allocated memory, creating a sustained memory exhaustion condition.
All Apache HTTP Server versions from 2.4.17 through 2.4.67 are vulnerable. The flaw has been patched in Apache HTTP Server 2.4.68 and later.
The publicly released PoC, available on GitHub at EQSTLab/CVE-2026-49975, demonstrates the attack using a Python-based exploit script. The attack is reproducible in a Dockerized environment, where the server is containerized with an 8 GB memory limit.
Attackers invoke the script with parameters controlling:
0 to halt data transmission for up to 300 secondsDuring testing, observable memory usage in the Apache container climbs steeply and remains elevated throughout the hold period, confirming successful memory exhaustion.
A successful exploit results in remote Denial of Service, excessive memory consumption, and delayed or failed processing of legitimate user requests, effectively taking the server offline without any privileged access.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。