Request for Action Regarding Web Server Vulnerability (HTTP/2)
This notice asks everyone who operates a web server to check their systems and take action.
"HTTP/2 Bomb (CVE-2026-49975)", a remote denial-of-service (DoS) exploit against most major web servers, has been published.
The affected web servers are as follows:
- nginx
- Apache httpd
- Microsoft IIS
- Envoy
- Cloudflare Pingora
We ask that server administrators promptly check their HTTP/2 configuration status and take appropriate measures.
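One way to check the configuration status for two of the listed servers, as an added example that is not part of the original notice: the script below scans nginx and Apache httpd configuration text for the directives that enable HTTP/2. The sample configurations and the function names are constructed for illustration, and the scan only reports where HTTP/2 is switched on; it says nothing about whether the installed version is affected or patched.

```python
import re

# Constructed sample configurations (not taken from any real server).
NGINX_SAMPLE = """
server {
    listen 443 ssl http2;      # legacy listen-parameter form
    server_name a.example;
}
server {
    listen 8443 ssl;
    http2 on;                  # standalone directive form
}
server {
    listen 80;
    # http2 on;  (commented out, must not be reported)
}
"""
APACHE_SAMPLE = """
# Protocols h2 http/1.1
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:80>
    Protocols http/1.1
</VirtualHost>
"""

NGINX_RULES = [
    re.compile(r"^listen\s+[^;]*\bhttp2\b[^;]*;"),  # listen ... http2;
    re.compile(r"^http2\s+on\s*;"),                 # http2 on;
]
# Apache: a Protocols line naming h2 (TLS) or h2c (cleartext).
APACHE_RULE = re.compile(r"^Protocols\s+.*\bh2c?\b", re.IGNORECASE)

def strip_comment(line):
    # Simplification: treats every '#' as a comment start (ignores quoting).
    return line.split("#", 1)[0].strip()

def find_http2(text, kind):
    """Return (line_number, directive) for each line that enables HTTP/2."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if kind == "nginx":
            matched = any(r.search(line) for r in NGINX_RULES)
        else:
            matched = bool(APACHE_RULE.search(line))
        if matched:
            hits.append((n, line))
    return hits
```

To use it on a real host, pass the contents of each configuration file (including files pulled in by include directives) to `find_http2` with the matching `kind`.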
Reference Information
- Codex Discovered a Hidden HTTP/2 Bomb - Calif
- GitHub - mrx-arafat/CVE-2026-49975-POC: HTTP/2 Bomb PoC — CVE-2026-49975 (HPACK indexed reference bomb + flow-control stall) · GitHub
Last-Modified: June 5, 2026



