
PoC Exploit Released for HTTP/2 Bomb Remote DoS Vulnerability in Apache HTTP Server

Cybersecurity News, Jun 18, 2026




By Guru Baran, June 18, 2026

A proof-of-concept (PoC) exploit has been publicly released for a critical Denial of Service vulnerability in Apache HTTP Server, tracked as CVE-2026-49975 and dubbed the "HTTP/2 Bomb." The flaw allows remote attackers to exhaust server memory and disrupt services without authentication, posing a significant risk to organizations running unpatched Apache deployments.

The vulnerability lies in the HTTP/2 request-handling path of Apache HTTP Server. When multiple cookie header fields are processed, they are merged without being properly counted against the LimitRequestFields directive, effectively bypassing a key resource-protection mechanism.

An attacker can craft a small, HPACK-encoded HTTP/2 request that decompresses into a large number of cookie header fields. During Cookie header merging, the server is forced to repeatedly allocate memory for each field expansion.

The attacker then weaponizes HTTP/2 flow control by setting the initial window size to zero, deliberately stalling response transmission and keeping affected streams open indefinitely. This prevents the server from releasing the allocated memory, creating a sustained memory-exhaustion condition.

[Figure: PoC Exploit HTTP/2 Bomb]

All Apache HTTP Server versions from 2.4.17 through 2.4.67 are vulnerable. The flaw has been patched in Apache HTTP Server 2.4.68 and later.

The publicly released PoC, available on GitHub at EQSTLab/CVE-2026-49975, demonstrates the attack using a Python-based exploit script. The attack is reproducible in a Dockerized environment, where the server is containerized with an 8 GB memory limit.
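The accounting mistake the article describes (cookie fields merged before they are counted against LimitRequestFields) is easiest to see in a small model. The following is an added illustration written for this page, not Apache httpd source and not the PoC: it takes a list of already-decoded header fields, as an HPACK decoder would hand them to the request handler, and contrasts a merge-then-count routine with a count-then-merge routine that also bounds the merged Cookie size. The parameter names limit_request_fields and limit_request_field_size are borrowed from the httpd directives LimitRequestFields and LimitRequestFieldSize, and the defaults (100 fields, 8190 bytes) are httpd's documented defaults; the sample requests are constructed.

```python
"""Toy model of split Cookie fields versus a per-request header-field limit.

HTTP/2 (RFC 7540 section 8.1.2.5) lets a sender split one Cookie header into
many small 'cookie' fields and expects the receiver to join them with "; "
before handing the request to the application.  The vulnerable pattern
counts header fields *after* that merge; the hardened pattern charges every
decoded field against the limit *before* merging and caps the merged size.

Added illustration, not Apache httpd code.  Limit parameter names mirror the
httpd directives; defaults are httpd's documented defaults.
"""
from typing import Callable, List, Tuple

Header = Tuple[str, str]  # (lower-cased name, value), as an HPACK decoder emits them


class RequestTooLarge(Exception):
    """Raised when a request exceeds a configured limit (a server would answer 431)."""


def merge_cookies_unchecked(decoded: List[Header], limit_request_fields: int = 100) -> List[Header]:
    """Vulnerable pattern: merge first, count afterwards.

    All 'cookie' fields are folded into one value before the field count is
    compared with the limit, so thousands of decoded cookie fields count as a
    single header and the limit never fires.  Each concatenation also builds a
    longer string than the one before, which mirrors the repeated per-field
    allocation the advisory describes.
    """
    others: List[Header] = []
    cookie_value = ""
    for name, value in decoded:
        if name == "cookie":
            cookie_value = f"{cookie_value}; {value}" if cookie_value else value
        else:
            others.append((name, value))
    merged = others + ([("cookie", cookie_value)] if cookie_value else [])
    if len(merged) > limit_request_fields:
        raise RequestTooLarge(f"{len(merged)} header fields exceeds {limit_request_fields}")
    return merged


def merge_cookies_checked(decoded: List[Header], limit_request_fields: int = 100,
                          limit_request_field_size: int = 8190) -> List[Header]:
    """Hardened pattern: every decoded field is charged against the field limit
    before it is merged, and the merged Cookie value is capped at the per-field
    size limit, so neither the count nor the buffer can outgrow the budget.
    """
    others: List[Header] = []
    cookie_parts: List[str] = []
    cookie_len = 0
    for index, (name, value) in enumerate(decoded, start=1):
        if index > limit_request_fields:
            raise RequestTooLarge(f"more than {limit_request_fields} decoded header fields")
        if name == "cookie":
            cookie_len += len(value) + (2 if cookie_parts else 0)  # account for the "; " separator
            if cookie_len > limit_request_field_size:
                raise RequestTooLarge(f"merged cookie exceeds {limit_request_field_size} bytes")
            cookie_parts.append(value)
        else:
            others.append((name, value))
    if cookie_parts:
        others.append(("cookie", "; ".join(cookie_parts)))
    return others


def constructed_request(cookie_fields: int, value_len: int = 1) -> List[Header]:
    """Constructed sample input: the pseudo-headers of a GET plus `cookie_fields`
    cookie fields with `value_len`-byte values, shaped like a decoded HEADERS frame."""
    base = [(":method", "GET"), (":path", "/"), (":scheme", "https"), (":authority", "example.test")]
    return base + [("cookie", f"c{i}=" + "v" * value_len) for i in range(cookie_fields)]


def is_rejected(merger: Callable[..., List[Header]], decoded: List[Header], **limits) -> bool:
    """True if `merger` refuses the request under the given limits."""
    try:
        merger(decoded, **limits)
    except RequestTooLarge:
        return True
    return False


if __name__ == "__main__":
    many = constructed_request(5000)
    print("unchecked rejects 5000 cookie fields:", is_rejected(merge_cookies_unchecked, many))
    print("checked rejects 5000 cookie fields:  ", is_rejected(merge_cookies_checked, many))
```

The point to take from the model is that the limit has to be applied to the number of fields the decoder produced, not to the number of headers that survive normalisation; a request with 5000 decoded cookie fields passes the unchecked routine as five headers and is refused by the checked one. The size cap matters separately, because a few dozen large cookie fields can stay under the field count while still pushing the merged buffer well past the per-field size limit.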
Attackers invoke the script with parameters controlling:

- Connections and streams: the number of concurrent HTTP/2 connections and streams (e.g., 10 connections × 100 streams)
- HPACK references: up to 4,091 header table references to maximize cookie field expansion
- Flow control hold: the initial window set to 0 to halt data transmission for up to 300 seconds
- Drip-feeding: releasing just 1 byte every 2 seconds to keep streams artificially alive

During testing, observable memory usage in the Apache container climbs steeply and remains elevated throughout the hold period, confirming successful memory exhaustion.

A successful exploit results in remote Denial of Service, excessive memory consumption, and delayed or failed processing of legitimate user requests, effectively taking the server offline without any privileged access.

Mitigations

- Upgrade immediately to Apache HTTP Server 2.4.68 or later.
- Disable HTTP/2 temporarily on servers where it is not operationally required until patching is feasible.
- Monitor for anomalous memory growth patterns in web server containers or processes as an early detection signal.
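The third mitigation, watching for anomalous memory growth, is concrete enough to turn into a check. The following is an added example written for this page, not part of the article or of any httpd tooling: it scores a series of (timestamp, bytes) samples for the two-part signature the testing section describes, a steep monotonic climb followed by a plateau that stays high for the length of the hold. It reads no live system; in practice the samples would come from a container's memory accounting (for instance cgroup v2 memory.current) or a process RSS poller. The two sample series, the thresholds and the 8 GiB limit are constructed for the demonstration.

```python
"""Detector for the memory signature of a sustained HTTP/2 flow-control hold:
usage that climbs steeply and then stays elevated instead of being released.

Added example, not part of the original article.  Feed it (unix seconds,
resident bytes) samples from a container memory counter or an RSS poller;
the series below are constructed to mimic a quiet server and a held one.
"""
from typing import Dict, List, Optional, Tuple

Sample = Tuple[int, int]  # (unix seconds, resident bytes)

MIB = 1024 * 1024
LIMIT_BYTES = 8 * 1024 * MIB  # constructed: the write-up's 8 GB container limit, taken as 8 GiB


def detect_sustained_growth(samples: List[Sample], limit_bytes: int, window: int = 6,
                            min_rise_ratio: float = 0.25,
                            high_water_ratio: float = 0.6) -> Optional[Dict[str, int]]:
    """Return details of the first run of `window` consecutive samples in which
    memory never drops, grows by at least `min_rise_ratio` of the limit, and ends
    above `high_water_ratio` of the limit; None if no such run exists.  Ordinary
    traffic jitters up and down, so a monotonic climb of that size is unusual."""
    for i in range(len(samples) - window + 1):
        w = samples[i:i + window]
        monotonic = all(w[j + 1][1] >= w[j][1] for j in range(window - 1))
        rise = w[-1][1] - w[0][1]
        if monotonic and rise >= min_rise_ratio * limit_bytes and w[-1][1] >= high_water_ratio * limit_bytes:
            return {"start": w[0][0], "end": w[-1][0], "from_bytes": w[0][1], "to_bytes": w[-1][1]}
    return None


def elevated_seconds(samples: List[Sample], threshold_bytes: float) -> int:
    """Longest contiguous stretch, in seconds, during which every sample stayed
    above `threshold_bytes`: the 'remains elevated' half of the signature."""
    longest = 0
    run_start = 0
    above = False
    for ts, used in samples:
        if used > threshold_bytes:
            if not above:
                run_start, above = ts, True
            longest = max(longest, ts - run_start)
        else:
            above = False
    return longest


def _series(values_mib: List[int], interval_s: int = 10) -> List[Sample]:
    """Build a sample series from MiB readings taken every `interval_s` seconds."""
    return [(i * interval_s, v * MIB) for i, v in enumerate(values_mib)]


# Constructed: ordinary jitter around a roughly 300 MiB baseline.
NORMAL_SERIES = _series([300, 310, 295, 320, 300, 315, 305, 298, 312, 300, 308, 302])
# Constructed: a steep climb over the first minute, then a plateau held by stalled streams.
ATTACK_SERIES = _series([300, 1200, 2400, 3600, 4800, 6000, 7000, 7100, 7100, 7100, 7100, 7100])


def assess(samples: List[Sample], limit_bytes: int = LIMIT_BYTES) -> str:
    """One-line verdict suitable for an alert body."""
    alert = detect_sustained_growth(samples, limit_bytes)
    if alert is None:
        return "no sustained growth"
    held = elevated_seconds(samples, 0.6 * limit_bytes)
    return (f"memory rose from {alert['from_bytes'] // MIB} MiB to {alert['to_bytes'] // MIB} MiB "
            f"between t={alert['start']}s and t={alert['end']}s "
            f"and stayed above 60% of the limit for {held}s")


if __name__ == "__main__":
    print("normal:", assess(NORMAL_SERIES))
    print("attack:", assess(ATTACK_SERIES))
```

The thresholds are deliberately expressed as fractions of the container limit rather than absolute bytes so the same check transfers between differently sized deployments; tune the window to the polling interval so it spans roughly a minute. For the second mitigation, httpd selects protocols per server or virtual host with the Protocols directive, so dropping h2 from that list (for example `Protocols http/1.1`) is the configuration change that disables HTTP/2 until the upgrade to 2.4.68 is done.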