HTTP/2 Protocol Denial of Service Vulnerability

Release Date: 4 Jun 2026

RISK: High Risk

TYPE: Web services - Web Servers

A vulnerability was identified in HTTP/2 Protocol. A remote attacker could exploit this vulnerability to trigger denial of service condition on the targeted system.

 

Note:

Proof of Concept exploit code is publicly available for CVE-2026-49975. The vulnerability allows remote attacker to cause denial of service against most major web servers. The vulnerable behavior exists in each server's default HTTP/2 configuration. Hence, the risk level is rated as High Risk.

---

Impact

• Denial of Service

---

System / Technologies affected

• Web servers with HTTP/2 protocol enabled are potentially affected.

---

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the related vendors.

---

Vulnerability Identifier

• CVE-2026-49975

---

Source

• Calif

---

Related Link

• https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
• https://github.com/califio/publications/tree/main/MADBugs/http2-bomb