Description
A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible.
Published: n/a
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the server's HTTP/2 implementation lets a remote attacker cause a denial of service by sending a crafted HPACK header block (a compression bomb) on a stream whose flow-control window the client has advertised as zero bytes. The small input decodes into large memory allocations on the server, and because the zero window prevents the server from sending the response, that memory stays held until the stream is torn down; enough such streams exhaust resources and make the server unavailable to legitimate users. The weakness is CWE-409, Improper Handling of Highly Compressed Data (Data Amplification).
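
The amplification described above, as an added example that is not part of this advisory or of any affected server's code: a minimal HPACK (RFC 7541) subset in Python, standard library only, that builds a header block consisting of one literal header inserted into the dynamic table followed by many one-byte indexed references to it, decodes it once without any limit, and once under a decoded-size budget of the kind a server enforces for its advertised SETTINGS_MAX_HEADER_LIST_SIZE. The function names, the 4000-byte value, the 1000 references and the 64 KiB budget are constructed for this illustration; only the wire encoding and the 32-byte per-entry accounting come from the RFC.

```python
"""Minimal HPACK (RFC 7541) subset for illustration: literal with incremental
indexing (new name, no Huffman) and indexed references into the dynamic
table. The static table is not implemented; its 61 entries only shift the
index space. Names and sample values below are constructed, not from any server."""

STATIC_TABLE_SIZE = 61           # RFC 7541 Appendix A
ENTRY_OVERHEAD = 32              # RFC 7541 section 4.1 per-entry accounting
DEFAULT_DYNAMIC_TABLE_SIZE = 4096


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix; flags are the high bits."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([flags | value])
    out = bytearray([flags | max_prefix])
    value -= max_prefix
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(data, pos, prefix_bits):
    max_prefix = (1 << prefix_bits) - 1
    value, pos = data[pos] & max_prefix, pos + 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def encode_string(raw):
    return encode_int(len(raw), 7) + raw        # H bit = 0: no Huffman coding


def decode_string(data, pos):
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this subset")
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length


def build_header_block(name, value, repeats):
    """One literal with incremental indexing (lands at dynamic index 62),
    followed by `repeats` one-byte indexed references to that entry."""
    block = bytearray(b"\x40") + encode_string(name) + encode_string(value)
    block += encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * repeats
    return bytes(block)


class HpackDecoder:
    def __init__(self, max_header_list_size=None,
                 dynamic_table_size=DEFAULT_DYNAMIC_TABLE_SIZE):
        self.max_header_list_size = max_header_list_size  # None: no budget (weak setting)
        self.dynamic_table_size = dynamic_table_size
        self.dynamic = []                                  # newest entry first
        self.dynamic_bytes = 0

    def _insert(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.dynamic_bytes += len(name) + len(value) + ENTRY_OVERHEAD
        while self.dynamic_bytes > self.dynamic_table_size:       # evict oldest
            old_name, old_value = self.dynamic.pop()
            self.dynamic_bytes -= len(old_name) + len(old_value) + ENTRY_OVERHEAD

    def decode(self, data):
        headers, total, pos = [], 0, 0
        while pos < len(data):
            first = data[pos]
            if first & 0x80:                          # indexed header field
                index, pos = decode_int(data, pos, 7)
                dyn = index - STATIC_TABLE_SIZE - 1
                if dyn < 0 or dyn >= len(self.dynamic):
                    raise ValueError("index %d not in the dynamic table" % index)
                name, value = self.dynamic[dyn]
            elif first & 0xC0 == 0x40:                # literal, incremental indexing
                name_index, pos = decode_int(data, pos, 6)
                if name_index:
                    raise ValueError("indexed names are outside this subset")
                name, pos = decode_string(data, pos)
                value, pos = decode_string(data, pos)
                self._insert(name, value)
            else:
                raise ValueError("representation 0x%02x is outside this subset" % first)
            # Budget is checked before the header is kept, so a rejected block
            # never costs more than max_header_list_size of decoded state.
            total += len(name) + len(value) + ENTRY_OVERHEAD
            if self.max_header_list_size is not None and total > self.max_header_list_size:
                raise ValueError("decoded header list exceeds %d bytes" % self.max_header_list_size)
            headers.append((name, value))
        return headers


def amplification_demo():
    """(compressed bytes, decoded header count, decoded bytes) for one constructed block."""
    block = build_header_block(b"x", b"a" * 4000, 1000)
    headers = HpackDecoder().decode(block)                 # no budget: full expansion
    decoded = sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)
    return len(block), len(headers), decoded


def accepts(block, budget):
    """(accepted, header count) under an enforced decoded-size budget."""
    try:
        return True, len(HpackDecoder(max_header_list_size=budget).decode(block))
    except ValueError:
        return False, None
```

The block here is 5006 bytes on the wire and decodes to 1001 headers totalling about 4 MB of accounted header state, a ratio of roughly 800:1; the budgeted decoder rejects it after about 16 headers, while an ordinary small block passes. A real decoder would also apply the limit to the raw frame bytes and honour the peer's dynamic table size updates, which this subset omits.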

Affected Systems

The description names no vendor or product, but the Red Hat title ("httpd: HTTP/2: ...") and the linked Debian advisory (apache2 security update) point at Apache HTTP Server's HTTP/2 support. Other servers that implement HTTP/2 with HPACK and per-stream flow control may be exposed to the same technique, so operators of any HTTP/2-enabled server should check their vendor's guidance.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and impact confined to availability. It is not listed in the CISA KEV catalog, so no in-the-wild exploitation had been confirmed at the time of writing. The attacker needs only the ability to open an HTTP/2 connection to the server; for a public-facing server, internet reachability is sufficient.

Generated by OpenCVE AI on June 6, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch or update for the web server as soon as it becomes available.
  • If a patch is not yet available, disable HTTP/2 (falling back to HTTP/1.1) or tighten the server's HTTP/2 limits: a smaller advertised HPACK dynamic table (SETTINGS_HEADER_TABLE_SIZE) bounds how much a single indexed reference can expand to, an enforced SETTINGS_MAX_HEADER_LIST_SIZE rejects header blocks whose decoded size exceeds the limit before the server commits the memory, and a cap on per-stream buffered response data bounds what a zero-window stream can hold.
  • Monitor server memory and HTTP/2 connection state for streams that sit at a zero-byte window with response data pending (Slowloris-style stalls) and for peers whose header blocks decode to far more than they send; time out or reset such streams, and rate-limit or block the source addresses.
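
The zero-window half of the technique, as an added simulation that is not code from any affected server: a deterministic Python model of server-side stream bookkeeping in which the peer has advertised a zero-byte window, so buffered response data cannot be sent and stays resident. The mitigation shown is a stall budget: a stream that has made no flow-control progress for longer than the budget while data is pending is reset and its buffer freed. The Session/Stream structure, the 10-second budget, the 64 KiB responses and the explicit clock are assumptions for this illustration.

```python
"""Simulated HTTP/2 server bookkeeping for streams stalled at a zero-byte
flow-control window. The clock is passed in explicitly so the simulation is
deterministic; real servers read a monotonic clock. All sizes and the stall
budget are constructed values for this illustration."""

STALL_BUDGET_SECONDS = 10.0      # assumed value; tune per deployment


class Stream:
    def __init__(self, stream_id, response, now):
        self.stream_id = stream_id
        self.window = 0                    # peer advertised a zero window
        self.pending = bytearray(response)  # response held on the server
        self.last_progress = now           # last time bytes actually left


class Session:
    def __init__(self, now, stall_budget=STALL_BUDGET_SECONDS):
        self.streams = {}
        self.stall_budget = stall_budget
        self.now = now

    def open_stream(self, stream_id, response):
        self.streams[stream_id] = Stream(stream_id, response, self.now)

    def window_update(self, stream_id, increment):
        """Peer sent WINDOW_UPDATE; send as much as the window now allows."""
        stream = self.streams[stream_id]
        stream.window += increment
        sent = min(stream.window, len(stream.pending))
        if sent:
            del stream.pending[:sent]
            stream.window -= sent
            stream.last_progress = self.now
        if not stream.pending:             # response fully sent: free the stream
            del self.streams[stream_id]
        return sent

    def buffered_bytes(self):
        return sum(len(s.pending) for s in self.streams.values())

    def tick(self, now):
        """Advance the clock and reset streams stalled at window 0 past the budget
        (the server would send RST_STREAM and drop the buffer)."""
        self.now = now
        reset = []
        for stream_id, stream in list(self.streams.items()):
            stalled = stream.pending and stream.window == 0
            if stalled and now - stream.last_progress > self.stall_budget:
                reset.append(stream_id)
                del self.streams[stream_id]
        return reset


def stall_demo():
    """Four zero-window streams; one gets a tiny WINDOW_UPDATE at t=5 and is
    spared at t=11, the other three are reaped and their buffers released."""
    session = Session(now=0.0)
    for stream_id in (1, 3, 5, 7):
        session.open_stream(stream_id, b"x" * 65536)
    held_before = session.buffered_bytes()
    assert session.tick(5.0) == []            # nothing past the budget yet
    sent = session.window_update(3, 1024)     # stream 3 makes a little progress
    reset = session.tick(11.0)
    return held_before, sent, reset, session.buffered_bytes()
```

Without the reaper the four streams hold 256 KiB indefinitely for a handful of client frames; with it, only the stream that keeps making progress survives, and a client that wants to keep memory pinned must keep sending WINDOW_UPDATEs, which is both more expensive for it and easy to rate-limit.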



Advisories
Source: Debian DSA
ID: DSA-6323-1
Title: apache2 security update
History

Sat, 06 Jun 2026 00:15:00 +0000

Type: Description
  Values added: A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible.

Type: Title
  Values added: httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack

Type: Weaknesses
  Values added: CWE-409

Type: References
  Values added: (none listed)

Type: Metrics
  Values removed: threat_severity: None
  Values added: cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Important



MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Important

Public Date: 2026-06-03T00:00:00Z

Links: CVE-2026-49975 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-06T02:00:10Z

Weaknesses