HTTP/2 Bomb: Denial-of-Service Exploit Against Major Web Servers

CVE-2026-49975: HTTP/2 Bomb

On June 2nd, a remote denial-of-service exploit was discovered by the offensive security firm Calif. The attack combines two older denial-of-service techniques: HPACK compression amplification, in which a few bytes of compressed header block decode into a very large header list, and Slowloris-style resource retention, in which the client manipulates HTTP/2 flow-control windows so the server keeps holding buffered state for streams it cannot drain. The attacker needs to send very little data, and the target's memory is consumed within seconds. BleepingComputer also published an analysis of the attack.
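The HPACK amplification half of the attack, shown as an added example that is not the Calif PoC and not Caddy's code: a toy HPACK decoder (RFC 7541 subset: integer coding, plain string literals, indexed fields and literals with incremental indexing; static-table lookups, Huffman strings and dynamic-table eviction are omitted). The constructed header block inserts one padded header into the dynamic table and then references it with one byte per repeat, so a few KiB on the wire become megabytes of decoded headers. The `measure` helper, the header name and value, and the 64 KiB cap are all assumptions made for the example; the cap plays the role that SETTINGS_MAX_HEADER_LIST_SIZE (RFC 7540 6.5.2) is meant to play in a real server.

```python
# Added example: toy HPACK decoder showing header-block amplification and a
# decoded-size cap that rejects the block early. Not the published PoC.

STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A defines 61 static entries
ENTRY_OVERHEAD = 32     # per-entry overhead used in RFC 7540 6.5.2 accounting


def encode_int(value, prefix_bits, flags):
    """RFC 7541 5.1 integer encoding; `flags` are the high bits of byte 0."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = [flags | mask]
    value -= mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    """RFC 7541 5.1 integer decoding. Returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(buf, pos):
    """Plain string literal (Huffman bit clear). Returns (bytes, next_pos)."""
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this toy decoder")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def decode_header_block(block, max_header_list_size=None):
    """Decode indexed fields (6.1) and literals with incremental indexing
    (6.2.1, new name only). With a cap set, raise as soon as the decoded
    list would exceed it, before the rest of the block is expanded."""
    dynamic = []   # newest entry first (RFC 7541 2.3.2); eviction omitted
    headers = []
    total = 0
    pos = 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                   # indexed header field
            index, pos = decode_int(block, pos, 7)
            slot = index - STATIC_TABLE_SIZE - 1
            if index <= STATIC_TABLE_SIZE or slot >= len(dynamic):
                raise ValueError("index %d not in this toy decoder's table" % index)
            name, value = dynamic[slot]
        elif b & 0x40:                                 # literal, incremental indexing
            index, pos = decode_int(block, pos, 6)
            if index != 0:
                raise ValueError("literal with indexed name not supported here")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("unsupported representation 0x%02x" % b)
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and total > max_header_list_size:
            raise ValueError("decoded header list exceeds %d bytes" % max_header_list_size)
        headers.append((name, value))
    return headers


def build_amplifying_block(name, value, repeats):
    """Constructed attacker block: one literal that enters the dynamic table
    at index 62, then `repeats` one-byte references to that entry (0xBE)."""
    literal = (encode_int(0, 6, 0x40)
               + encode_int(len(name), 7, 0) + name
               + encode_int(len(value), 7, 0) + value)
    reference = encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80)
    return literal + reference * repeats


def measure(name=b"x-pad", value=b"A" * 1000, repeats=10_000, limit=64 * 1024):
    """Wire size, decoded size, amplification factor, and whether a decoder
    with a decoded-size cap rejects the same block. Inputs are constructed."""
    block = build_amplifying_block(name, value, repeats)
    headers = decode_header_block(block)          # unbounded decoder
    decoded = sum(len(n) + len(v) for n, v in headers)
    try:
        decode_header_block(block, max_header_list_size=limit)
        rejected = False
    except ValueError:
        rejected = True
    return {"wire_bytes": len(block), "decoded_bytes": decoded,
            "factor": decoded // len(block), "rejected_with_limit": rejected}


if __name__ == "__main__":
    print(measure())
```

With the defaults, roughly 11 KiB of header block decodes to about 10 MB of headers, a factor of over 900, and the capped decoder gives up after the 64th entry instead of materialising all 10,001. A real server also has to bound the dynamic table (SETTINGS_HEADER_TABLE_SIZE) and the number of concurrently open streams, since the flow-control half of the attack is what keeps each of these header lists resident.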

What'd We Do

On June 2nd, we tested the provided PoC scripts against our build of Caddy Web Server and at this time do not believe it is vulnerable to this attack.

Next Steps

We will continue to augment and test the PoC against our own software and expect to see more variations of this attack in the next few weeks.