A critical vulnerability, identified as CVE-2026-49975 and dubbed the “HTTP/2 Bomb,” has been discovered in Apache HTTP Server versions 2.4.17 through 2.4.67. This flaw allows remote attackers to exhaust server memory, leading to denial-of-service (DoS) conditions without requiring authentication.
The vulnerability resides in the server’s handling of HTTP/2 requests, specifically when processing multiple cookie header fields. These fields are merged without proper accounting against the `LimitRequestFields` directive, effectively bypassing a key resource protection mechanism. An attacker can craft a small, HPACK-encoded HTTP/2 request that decompresses into a large number of cookie header fields. During the merging process, the server is forced to repeatedly allocate memory for each field expansion.
Exploiting HTTP/2 flow control, the attacker sets the initial window size to zero, deliberately stalling response transmission and keeping affected streams open indefinitely. This prevents the server from releasing the allocated memory, creating a sustained memory exhaustion condition.
A proof-of-concept (PoC) exploit has been publicly released, demonstrating the attack using a Python-based script. The exploit is reproducible in a Dockerized environment, where the server is containerized with an 8 GB memory limit. During testing, observable memory usage in the Apache container climbs steeply and remains elevated throughout the hold period, confirming successful memory exhaustion.
To mitigate this vulnerability, it is recommended to upgrade immediately to Apache HTTP Server version 2.4.68 or later. If immediate upgrading is not feasible, temporarily disabling HTTP/2 on servers where it is not operationally required can serve as a stopgap measure. Additionally, monitoring for anomalous memory growth patterns in web server containers or processes can act as an early detection signal.
This incident underscores the importance of timely patching and vigilant monitoring in maintaining server security. As attackers continue to exploit protocol vulnerabilities, organizations must stay proactive in updating their systems and implementing robust monitoring practices to detect and mitigate potential threats promptly.
