Exploitation Summary
EIP tracks 8 public exploits for CVE-2026-49975. PoCs published by Unclecheng-li, mrx-arafat, fevar54.
AI-analyzed exploit summary
This repository contains a functional Python-based PoC for CVE-2026-49975, an HTTP/2 Bomb vulnerability that exploits HPACK index-reference amplification combined with HTTP/2 flow-control stalling to trigger memory exhaustion on vulnerable servers. The exploit sends crafted HTTP/2 frames to induce excessive memory allocation and stall responses, leading to a denial-of-service condition.
Description
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
Exploits (8)
This repository contains a functional Python-based PoC for CVE-2026-49975, an HTTP/2 Bomb vulnerability that exploits HPACK index-reference amplification combined with HTTP/2 flow-control stalling to trigger memory exhaustion on vulnerable servers. The exploit sends crafted HTTP/2 frames to induce excessive memory allocation and stall responses, leading to a denial-of-service condition.
This repository contains a functional proof-of-concept exploit for CVE-2026-49975, an HTTP/2 denial-of-service vulnerability. The exploit leverages HPACK indexed references and flow-control window manipulation to exhaust server memory, targeting vulnerabilities in nginx, Apache httpd, Envoy, and other HTTP/2 implementations.
This repository contains a functional proof-of-concept exploit for CVE-2026-49975, an HTTP/2 Bomb vulnerability that combines HPACK Bomb and Slowloris-style techniques to cause a denial-of-service (DoS) by consuming server memory. The exploit includes a Python script that crafts malicious HTTP/2 frames to trigger the vulnerability, along with detection scripts and a Docker lab for testing.
This repository provides a detailed technical explanation of CVE-2026-49975, an HTTP/2 vulnerability affecting major web servers like Apache, nginx, and Envoy. It describes the attack mechanism combining HPACK compression bombs and window stalling to cause memory exhaustion and DoS.
This repository contains a functional HTTP/2 stream amplification PoC targeting CVE-2026-49975, which exploits memory exhaustion via crafted HEADERS frames with excessive internal references. The tool includes a web interface for launching attacks and monitoring results.
This repository contains a functional HTTP/2 denial-of-service exploit for CVE-2026-49975, leveraging HPACK compression bombs, Slowloris-style flow control, and cookie fragmentation to exhaust server memory. The PoC includes both an attack script and a vulnerable test server for validation.
This repository provides a detailed technical explanation of CVE-2026-49975, an HTTP/2 vulnerability affecting major web servers like Apache, nginx, and Envoy. It describes the attack mechanism combining HPACK compression bombs and window stalling to cause memory exhaustion and DoS.
This repository contains a detection script for CVE-2026-49975, which identifies HTTP/2-enabled servers and flags potential exposure to the 'HTTP/2 Bomb' vulnerability. It does not exploit the vulnerability but scans for affected software versions and HTTP/2 support.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H