The HTTP/2 Bomb: Server DoS
Your web servers face a new threat. One laptop kills them. It eats 32GB of RAM in 20 seconds. No botnet needed. No passwords needed.
The attack hits five major servers:
- nginx
- Apache
- Envoy
- Microsoft IIS
- Cloudflare Pingora
Two old bugs work together here. First, the attack inflates compressed (HPACK) request headers until they fill memory. Second, it stalls the connection with flow control so that memory is never released. The server crashes.
AI found this flaw. OpenAI Codex read the code. It saw how the bugs fit. Now AI reads patches to build exploits. The gap between a patch and an attack is gone.
Fix your servers:
- nginx: Upgrade to 1.29.8. Or turn off HTTP/2.
- Apache: Use mod_http2 2.0.41. Or use HTTP/1.1.
- Envoy: Upgrade to 1.35.11 or newer.
- IIS and Pingora: Turn off HTTP/2.
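One way to turn the fix list above into a repeatable check, as an added example that is not part of the original post: it compares version banners from your own inventory against the patched versions the post names and treats "HTTP/2 disabled" as an acceptable state for IIS and Pingora. The host names and banner strings are constructed sample input, and the rule that any version at or above the listed one counts as fixed is an assumption.

```python
import re

# Minimum fixed versions from the post's fix list; any version at or above is treated
# as fixed (assumption). IIS and Pingora get no version fix in the post, only "turn off HTTP/2".
PATCHED_VERSIONS = {
    "nginx": (1, 29, 8),
    "apache-mod_http2": (2, 0, 41),
    "envoy": (1, 35, 11),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """First x.y.z in a banner or command output (e.g. 'nginx/1.29.7') as a tuple, else None."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None

def is_patched(product, banner):
    """True only when the product has a known fixed version and the banner meets it."""
    floor = PATCHED_VERSIONS.get(product)
    version = parse_version(banner)
    if floor is None or version is None:
        return False  # unknown product or unparseable version: assume unpatched
    return version >= floor

def assess(product, banner, http2_enabled):
    """Verdict for one server: HTTP/2 disabled or a patched build is acceptable."""
    if not http2_enabled:
        return "ok: HTTP/2 disabled"
    if is_patched(product, banner):
        return "ok: patched"
    return "action needed: upgrade or disable HTTP/2"

# Constructed sample inventory: hypothetical hosts and banners, not real systems.
SAMPLE_INVENTORY = [
    ("web1", "nginx", "nginx version: nginx/1.29.7", True),
    ("web2", "nginx", "nginx version: nginx/1.29.8", True),
    ("api1", "envoy", "envoy  version: deadbeef/1.35.11/Clean/RELEASE/BoringSSL", True),
    ("win1", "iis", "Microsoft-IIS/10.0", True),
    ("edge1", "pingora", "pingora, HTTP/2 disabled in config", False),
]

def audit(inventory):
    """Map each host to its verdict so the ones still needing action stand out."""
    return {host: assess(prod, banner, h2) for host, prod, banner, h2 in inventory}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Feed it the output of your own version commands (for example `nginx -v` or `envoy --version`) and the HTTP/2 setting from each server's config; a version without a patch floor on this list is reported as needing action unless HTTP/2 is off.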
General safety tips:
- Limit header size.
- Limit header count.
- Set memory limits per worker.
Run tests on your setup now.
Source: https://dev.to/kkierii/http2-bomb-cve-2026-49975-the-hpack-flow-control-dos-and-how-to-patch-it-26ba