惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
L
LangChain Blog
Microsoft Azure Blog
Microsoft Azure Blog
雷峰网
雷峰网
Recent Announcements
Recent Announcements
WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
博客园_首页
The Cloudflare Blog
M
MIT News - Artificial intelligence
博客园 - 【当耐特】
MyScale Blog
MyScale Blog
S
SegmentFault 最新的问题
P
Proofpoint News Feed
Y
Y Combinator Blog
Jina AI
Jina AI
博客园 - 聂微东
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
F
Full Disclosure
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Microsoft Security Blog
Microsoft Security Blog
爱范儿
爱范儿
T
Tailwind CSS Blog
J
Java Code Geeks
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
宝玉的分享
宝玉的分享
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
The Register - Security
The Register - Security
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs

Blog

Code Injection in Perforce Helix Core (CVE-2026-6902) | Imperva AI Bot Traffic: Which Bots to Allow or Block | Imperva API Security Tools: What Each One Protects | Imperva CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised | Imperva On-Premises API Security on Kubernetes | Imperva AI Security Assistant for Faster Investigations | Imperva Best WAAP Solutions 2026: Enterprise Buyer Guide | Imperva Compromise OpenClaw with Prompt Injections in Message Objects The Clock Is Already Ticking: Why Post-Quantum Cryptography Can’t Wait Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento Real-Time Webhook Notifications: No More Lost Security Alerts Imperva Customers Protected Against CVE-2026-9082 in Drupal Core Dify: When Your AI Platform Becomes the Attack Surface CVE-2026-42945: Imperva Customers Protected Against Critical NGINX Rewrite Module Vulnerability Using Bedrock with Claude Code? Your AWS Credentials Are Shared With Every Subprocess Why AI Agents Make API Security a CISO Priority CVE-2026-23870: Imperva Customers Protected Against Critical React Server Components DoS Vulnerability | Imperva Your Redis Server Looks Fine. That’s the Problem. | Imperva API Security Operations: From Visibility to Risk Reduction | Imperva Imperva Customers Protected Against CVE-2026-41940 in cPanel & WHM Bad Bot Report 2026: The Internet Is No Longer Human and It’s Changing How Business Works Why PoP Count Isn’t the Real Measure of Application Security Performance Hacking Safari with GPT 5.4 Enterprise-Grade Application Security, Cloud-Native Speed: Introducing Imperva for Google Cloud Anthropic Mythos: Separating Signal from Hype Cloud Based WAF Upload Scan and Control: The New Standard for File Upload Security
Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS
Bar Menachem, Muly Levy · 2026-06-04 · via Blog

Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS

TL;DR: CVE-2026-49975, dubbed the “HTTP/2 Bomb,” is a critical remote Denial-of-Service (DoS) vulnerability affecting default HTTP/2 configurations of major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Discovered by security firm Calif using OpenAI’s Codex, the attack combines a unique HPACK compression bomb variant with a Slowloris-style flow-control window hold to cause immediate server outages and memory exhaustion. NGINX and Apache have rolled out fixes, while others remain exposed. Imperva customers are fully protected against exploitation attempts associated with this vulnerability.

About CVE-2026-49975

On June 3, 2026, California-based cybersecurity firm Calif disclosed a novel, highly disruptive remote denial-of-service attack chain tracked as CVE-2026-49975. The exploit targets structural similarities across default HTTP/2 protocol implementations, potentially threatening over 880,000 websites operating on default stack configurations.

Remarkably, the vulnerability chain was identified using OpenAI’s Codex. The AI model parsed multiple public codebases, recognizing that two distinct techniques, (each public or partially resolved for nearly a decade), could be seamlessly chained together to cripple enterprise web servers.

The exploit functions by combining two distinct phases:

  1. The Bookkeeping Compression Bomb (HPACK): Unlike traditional compression bombs that expand huge, stuffed data strings to trigger decoded-size limits, this variant relies on an optimized, nearly empty header payload. Instead of triggering maximum header restrictions, it forces the server to spend immense memory allocations purely on the internal per-entry bookkeeping and structural tables of the HTTP/2 HPACK scheme.
  2. The Flow-Control Slowloris Hold: Once the massive internal memory overhead is forced, the attack client advertises a zero-byte flow-control window. This effectively forces the server to hang, preventing it from sending a response while concurrently resetting the send timeouts. The connection stays active, trapping the allocated server memory indefinitely.

Because the attack vectors utilize standard, valid HTTP/2 frame properties, an unauthenticated attacker using a basic home computer over a 100 Mbps connection can exhaust up to 32GB of server memory within 20 seconds, knocking targeted infrastructure offline almost instantly.

CVE 2026 49975 blog

What We’ve Seen

Following the public disclosure, Imperva Threat Research has been actively tracking reconnaissance and proof-of-concept (PoC) validation activity corresponding to the newly released guidelines.

Because the exploit relies on native HTTP/2 frame manipulations, specifically targeting HPACK table modifications combined with restrictive WINDOW_UPDATE flow mechanics, initial traffic patterns show distinct automated probing behavior rather than standard application-layer payloads. Attackers are running specialized tools designed to map out whether target servers handle aggressive, dense bursts of small header blocks under restricted windows without terminating the connection. Given that HTTP/2 is almost universally adopted across modern web infrastructure, any unpatched asset running default configurations of the affected servers remains a viable target for these generic probes.

Mitigation and Protection

Organizations are advised to audit their web server footprints and apply vendor updates immediately:

  • NGINX: Upstream fixes were quietly addressed in version 1.29.8+ and supported branches in April.
  • Apache HTTPD: Fixes addressing the specific chaining behaviors have been integrated into late-May releases.
  • Microsoft IIS, Envoy, and Cloudflare Pingora: Default configurations remain exposed at the time of writing; organizations using these platforms should closely monitor infrastructure memory thresholds or consider temporarily disabling HTTP/2 on unpatched public endpoints if downstream mitigations are not in place.

Imperva Protection

Imperva customers with Cloud WAF deployments are protected against exploitation attempts associated with CVE-2026-49975. Cloud WAF automatically inspects and manages anomalous stream and frame structures at the edge, mitigating malicious HPACK anomalies before they reach backend services.

For organizations utilizing Imperva WAF-GW protecting environments where HTTP/2 is enabled, administrators should take immediate action to verify that HTTP/2 Header Restrictions are actively applied and enforced within their security policies. Ensuring these granular protocol constraints are enabled provides a critical layer of defense, blocking the dense, high-frequency header bookkeeping manipulation characteristic of the HTTP/2 Bomb exploit before it can consume backend server resources. For detailed configuration steps, please refer to the following KB article.

Bottom Line

CVE-2026-49975 represents a significant shift in threat discovery, showing how agentic AI capabilities can systematically bridge known, siloed software behaviors into destructive new exploit chains. Because the “HTTP/2 Bomb” requires minimal bandwidth to trigger complete memory exhaustion across major web servers in their default states, patching and perimeter mitigation are urgent priorities.

Imperva customers remain protected. Imperva Cloud WAF and WAF Gateway inspect and drop malicious stream and frame structures, ensuring that anomalous HPACK table definitions and malicious flow-control holds are neutralized at the edge before they can induce memory stress on backend enterprise systems.

Try Imperva for Free

Protect your business for 30 days on Imperva.

Start Now