Two Old Bugs, One New DoS
CVE-2026-49975 is not a novel vulnerability. It's a composition of two well-known HTTP/2 weaknesses: the HPACK bomb (CVE-2023-44487) and the flow-control exhaustion (CVE-2023-39325). Alone, each is manageable. Together, they form a remote denial-of-service that can crash servers with a single connection.
How the Exploit Works
The attacker opens one HTTP/2 connection and sends a stream of HEADERS frames. Each frame contains a tiny HPACK dynamic table update that forces the server to allocate memory for an oversized header name or value. The HPACK bomb causes memory bloat. Simultaneously, the attacker never reads from the connection, so the server's flow-control window fills up. The server cannot send data back, but keeps processing incoming frames. Eventually, memory exhaustion or a flow-control deadlock crashes the process.
Affected Software
- nginx (all versions before 1.27.4)
- Envoy (before 1.32.2)
- Apache Traffic Server (before 9.2.7)
- Caddy (before 2.8.4)
- Go net/http2 (before Go 1.22.6)
- Node.js http2 (before 20.15.0)
Patch Details
Most patches add limits to HPACK table size per-connection and per-stream. For example, nginx 1.27.4 introduces http2_hpack_table_size (default 4096 bytes). Envoy 1.32.2 adds http2.hpack_dynamic_table_size (default 4096). The key is to cap the dynamic table at a small value, preventing the bomb from inflating memory.
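To make the capping mechanism concrete, here is an added example (not code from the post or from any of the listed projects) of a bounded HPACK dynamic table modelled on RFC 7541 sections 4.3, 4.4 and 6.3. The server advertises a cap (the post's 4096-byte default), the peer may shrink the table below that cap but never grow it past it, and each insertion evicts the oldest entries until the table fits, so the memory a peer can force the decoder to hold is bounded no matter how many header fields it sends. The header names, flood sizes and class names below are constructed for this example.

```python
"""Added example: a bounded HPACK dynamic table (RFC 7541 sections 4.3, 4.4, 6.3).

Not the post's or any project's code. Demonstrates why capping the dynamic
table at a small value (the post's 4096-byte default) bounds decoder memory.
Header names and flood sizes are constructed for the example.
"""

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: each entry counts name + value + 32


class HpackTableSizeError(ValueError):
    """Raised when a peer's Dynamic Table Size Update exceeds the local cap."""


class BoundedDynamicTable:
    def __init__(self, settings_header_table_size=4096):
        # Upper bound the decoder advertised in SETTINGS_HEADER_TABLE_SIZE.
        self.cap = settings_header_table_size
        # Current maximum; the peer may lower it but never raise it above cap.
        self.max_size = settings_header_table_size
        self.entries = []  # newest first, matching RFC 7541 index order
        self.size = 0

    def update_max_size(self, requested):
        """Apply a Dynamic Table Size Update (section 6.3); reject values above cap."""
        if requested > self.cap:
            raise HpackTableSizeError(
                f"peer requested {requested} bytes, cap is {self.cap}")
        self.max_size = requested
        self._evict()

    def add(self, name, value):
        """Insert a header field (section 4.4). Returns False if it did not fit at all."""
        entry_size = len(name) + len(value) + ENTRY_OVERHEAD
        if entry_size > self.max_size:
            # An entry larger than the whole table empties it and is not stored.
            self.entries.clear()
            self.size = 0
            return False
        self.entries.insert(0, (name, value))
        self.size += entry_size
        self._evict()
        return True

    def _evict(self):
        # Drop oldest entries until the table fits within max_size (section 4.3).
        while self.size > self.max_size and self.entries:
            name, value = self.entries.pop()
            self.size -= len(name) + len(value) + ENTRY_OVERHEAD


def memory_after_flood(cap, count, value_bytes):
    """Feed `count` header fields with `value_bytes`-byte values into a table
    capped at `cap`; return the bytes retained. Constructed name, bounded result."""
    table = BoundedDynamicTable(cap)
    for _ in range(count):
        table.add(b"x-constructed", b"v" * value_bytes)
    return table.size


if __name__ == "__main__":
    # Ten thousand 1000-byte fields against a 4096-byte cap still retain
    # only three entries: (13 + 1000 + 32) * 3 = 3135 bytes.
    print("retained after flood:", memory_after_flood(4096, 10_000, 1000))
    t = BoundedDynamicTable()
    try:
        t.update_max_size(65_536)
    except HpackTableSizeError as e:
        print("rejected:", e)
```

The flood loop stands in for a peer sending many large header fields; the point of the check in `update_max_size` is that the peer cannot talk the decoder into a bigger table than the server configured, which is exactly what the per-connection limits in the patches enforce.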
Mitigation Without Patching
If you can't upgrade immediately, disable HTTP/2 entirely on edge proxies. Alternatively, set the connection-level flow-control window to a low value (e.g., 64KB) and reduce http2_max_concurrent_streams to 1. This limits the attack surface but hurts performance.
Code Example: nginx Config
http {
    http2_hpack_table_size 4096;
    http2_max_concurrent_streams 10;
    http2_chunk_size 8k;
}
Detection
Look for connections with many HEADERS frames but very few DATA frames. In nginx logs, check for "upstream timed out" errors paired with high memory usage. Envoy's http2.inbound_frames_dropped metric spikes during attacks.
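The HEADERS-heavy, DATA-starved shape is something you can check directly on a captured connection. The following is an added example (not from the post) that parses raw HTTP/2 frame headers per RFC 7540 section 4.1 (24-bit length, 8-bit type, 8-bit flags, 31-bit stream id), counts frames by type and flags a connection once HEADERS frames outnumber DATA frames by a wide margin. The two sample byte streams and the thresholds MIN_HEADERS and HEADERS_PER_DATA are constructed assumptions for the example, not values from the advisory; tune them against your own traffic.

```python
"""Added example (not the post's code): count HTTP/2 frame types per
connection and flag the HEADERS-heavy, DATA-starved pattern described above.

Frame layout per RFC 7540 section 4.1. Sample traffic and thresholds below
are constructed for this example.
"""
import struct
from collections import Counter

# Frame type codes from RFC 7540 section 6.
DATA, HEADERS, SETTINGS, WINDOW_UPDATE = 0x0, 0x1, 0x4, 0x8
TYPE_NAMES = {DATA: "DATA", HEADERS: "HEADERS",
              SETTINGS: "SETTINGS", WINDOW_UPDATE: "WINDOW_UPDATE"}

# Assumed thresholds: at least MIN_HEADERS HEADERS frames seen, and more
# than HEADERS_PER_DATA HEADERS frames for every DATA frame.
MIN_HEADERS = 50
HEADERS_PER_DATA = 20


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialize one frame; used only to construct sample traffic here."""
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length
    sid = struct.pack(">I", stream_id & 0x7FFFFFFF)       # R bit cleared
    return length + bytes([ftype, flags]) + sid + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame.
    A truncated trailing frame ends iteration rather than raising."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start, end = off + 9, off + 9 + length
        if end > len(data):
            break
        yield ftype, flags, stream_id, data[start:end]
        off = end


def frame_counts(data):
    """Count frames by type for one connection's byte stream."""
    counts = Counter()
    for ftype, _flags, _sid, _payload in iter_frames(data):
        counts[ftype] += 1
    return counts


def is_suspicious(counts):
    """True when HEADERS frames dwarf DATA frames on the connection."""
    headers = counts.get(HEADERS, 0)
    data = counts.get(DATA, 0)
    if headers < MIN_HEADERS:
        return False
    return headers > HEADERS_PER_DATA * max(data, 1)


def sample_flood_stream():
    """Constructed: 200 HEADERS frames on successive streams, no DATA at all."""
    frames = [build_frame(SETTINGS, 0)]
    for i in range(200):
        frames.append(build_frame(HEADERS, 2 * i + 1, b"\x82", flags=0x4))  # END_HEADERS
    return b"".join(frames)


def sample_normal_stream():
    """Constructed: ten requests, each HEADERS + DATA, with window updates."""
    frames = [build_frame(SETTINGS, 0)]
    for i in range(10):
        sid = 2 * i + 1
        frames.append(build_frame(HEADERS, sid, b"\x82", flags=0x4))   # END_HEADERS
        frames.append(build_frame(DATA, sid, b"hello", flags=0x1))     # END_STREAM
        frames.append(build_frame(WINDOW_UPDATE, 0, struct.pack(">I", 5)))
    return b"".join(frames)


if __name__ == "__main__":
    for name, stream in (("flood", sample_flood_stream()),
                         ("normal", sample_normal_stream())):
        c = frame_counts(stream)
        pretty = {TYPE_NAMES.get(t, hex(t)): n for t, n in c.items()}
        print(name, pretty, "SUSPICIOUS" if is_suspicious(c) else "ok")
```

In practice you would feed `frame_counts` the decrypted per-connection bytes from a TLS-terminating proxy's capture or, more cheaply, compute the same two counters from the proxy's own frame statistics; the ratio test is the part worth keeping, since an honest client issuing many requests still produces DATA frames or at least finished streams in rough proportion.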
Why This Matters
HTTP/2 is everywhere. CDNs, load balancers, and API gateways all speak it. This attack requires only one TCP connection and minimal bandwidth. It bypasses rate-limiting because it appears as a single client. A single laptop can take down a 100-node cluster.
What To Do Now
- Patch nginx to 1.27.4 or higher.
- Upgrade Envoy to 1.32.2.
- Set http2_hpack_table_size to 4096 on all proxies.
- Monitor for the attack pattern: high HEADERS/sec, low DATA/sec.