


























TL;DR: CVE-2026-49975, dubbed the “HTTP/2 Bomb,” is a critical remote Denial-of-Service (DoS) vulnerability affecting default HTTP/2 configurations of major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by security firm Calif using OpenAI’s Codex, the attack combines a unique HPACK compression bomb variant with a Slowloris-style flow-control window hold to cause immediate server outages and memory exhaustion. NGINX and Apache have rolled out fixes, while others remain exposed. Imperva customers are fully protected against exploitation attempts associated with this vulnerability.
On June 3, 2026, California-based cybersecurity firm Calif disclosed a novel, highly disruptive remote denial-of-service attack chain tracked as CVE-2026-49975. The exploit targets structural similarities across default HTTP/2 protocol implementations, potentially threatening over 880,000 websites operating on default stack configurations.
Remarkably, the vulnerability chain was identified using OpenAI’s Codex. The AI model parsed multiple public codebases, recognizing that two distinct techniques, (each public or partially resolved for nearly a decade), could be seamlessly chained together to cripple enterprise web servers.
The exploit functions by combining two distinct phases:
Because the attack vectors utilize standard, valid HTTP/2 frame properties, an unauthenticated attacker using a basic home computer over a 100 Mbps connection can exhaust up to 32GB of server memory within 20 seconds, knocking targeted infrastructure offline almost instantly.

Following the public disclosure, Imperva Threat Research has been actively tracking reconnaissance and proof-of-concept (PoC) validation activity corresponding to the newly released guidelines.
Because the exploit relies on native HTTP/2 frame manipulations, specifically targeting HPACK table modifications combined with restrictive WINDOW_UPDATE flow mechanics, initial traffic patterns show distinct automated probing behavior rather than standard application-layer payloads. Attackers are running specialized tools designed to map out whether target servers handle aggressive, dense bursts of small header blocks under restricted windows without terminating the connection. Given that HTTP/2 is almost universally adopted across modern web infrastructure, any unpatched asset running default configurations of the affected servers remains a viable target for these generic probes.
Organizations are advised to audit their web server footprints and apply vendor updates immediately:
Imperva customers with Cloud WAF deployments are protected against exploitation attempts associated with CVE-2026-49975. Cloud WAF automatically inspects and manages anomalous stream and frame structures at the edge, mitigating malicious HPACK anomalies before they reach backend services.
For organizations utilizing Imperva WAF-GW protecting environments where HTTP/2 is enabled, administrators should take immediate action to verify that HTTP/2 Header Restrictions are actively applied and enforced within their security policies. Ensuring these granular protocol constraints are enabled provides a critical layer of defense, blocking the dense, high-frequency header bookkeeping manipulation characteristic of the HTTP/2 Bomb exploit before it can consume backend server resources. For detailed configuration steps, please refer to the following KB article.
CVE-2026-49975 represents a significant shift in threat discovery, showing how agentic AI capabilities can systematically bridge known, siloed software behaviors into destructive new exploit chains. Because the “HTTP/2 Bomb” requires minimal bandwidth to trigger complete memory exhaustion across major web servers in their default states, patching and perimeter mitigation are urgent priorities.
Imperva customers remain protected. Imperva Cloud WAF and WAF Gateway inspect and drop malicious stream and frame structures, ensuring that anomalous HPACK table definitions and malicious flow-control holds are neutralized at the edge before they can induce memory stress on backend enterprise systems.
Protect your business for 30 days on Imperva.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。