What Happened
On June 3, 2026, security researchers publicly disclosed CVE-2026-49975, a remote denial-of-service vulnerability affecting nearly every major web server in use today. Researchers named it HTTP/2 Bomb because of how the attack works: over a single connection, the attacker inserts one entry into the HTTP/2 HPACK dynamic header table, then sends thousands of one-byte indexed references to that entry. Each reference costs the attacker a single byte on the wire. Each reference forces the targeted server to allocate between 70 and 4,000 bytes of memory to track the resulting header field. Against Apache httpd and Envoy, a single connection on a 100 Mbps link consumes and holds 32 GB of server memory in approximately 20 seconds, effectively crashing the process.
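To make the amplification concrete, here is an added example (written for this page, not code from the advisory or from any of the affected servers): a minimal HPACK decoder in Python that charges every indexed reference as a full header field and rejects the block as soon as a field-count or header-list-size cap is passed, which is the "hard limit on header counts" mitigation the researchers recommend. The bomb block it decodes is constructed inline from the mechanism described above (one "cookie: a" literal added to the dynamic table, then one-byte references to it); the static table subset, the cap values and the helper names are this example's own choices.

```python
"""Added example (not the advisory's or any server project's code): a minimal
HPACK (RFC 7541) decoder that caps decoded header count and header-list size,
so a one-byte indexed reference is charged as a full field. It handles indexed
fields and literals with incremental indexing only, and no Huffman coding."""

# Subset of the RFC 7541 static table (index -> (name, value)); 32 is "cookie".
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"), 4: (":path", "/"),
                7: (":scheme", "https"), 32: ("cookie", "")}
STATIC_TABLE_LEN = 61   # length of the full static table (RFC 7541 Appendix A)
ENTRY_OVERHEAD = 32     # per-field overhead in size accounting (RFC 7541 s4.1)

class HeaderLimitExceeded(Exception):
    """Raised as soon as a header block passes one of the decoder's caps."""

def read_int(buf, pos, prefix_bits):
    """Decode an HPACK integer with an N-bit prefix (RFC 7541 s5.1)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def read_string(buf, pos):
    """Decode a raw string literal (H bit clear; Huffman is not handled here)."""
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded string not handled in this example")
    length, pos = read_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def decode_header_block(buf, max_headers=100, max_list_size=8192):
    """Return ([(name, value), ...], rfc_list_size) for a header block, raising
    HeaderLimitExceeded the moment either cap is passed. Every indexed reference
    counts as a full field, so the bomb trips the caps however few wire bytes it used."""
    dynamic = []        # newest entry first; dynamic index 62 maps to dynamic[0]
    headers = []
    list_size = 0
    pos = 0

    def lookup(index):
        if index <= STATIC_TABLE_LEN:
            if index not in STATIC_TABLE:
                raise ValueError(f"static index {index} not in example subset")
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_LEN - 1
        if dyn >= len(dynamic):
            raise ValueError(f"dynamic index {index} out of range")
        return dynamic[dyn]

    def emit(name, value):
        nonlocal list_size
        headers.append((name, value))
        list_size += len(name) + len(value) + ENTRY_OVERHEAD
        if len(headers) > max_headers or list_size > max_list_size:
            raise HeaderLimitExceeded(
                f"{len(headers)} fields, {list_size} bytes after {pos} wire bytes")

    while pos < len(buf):
        first = buf[pos]
        if first & 0x80:                 # indexed field: a single byte when index < 127
            index, pos = read_int(buf, pos, 7)
            emit(*lookup(index))
        elif first & 0x40:               # literal with incremental indexing
            index, pos = read_int(buf, pos, 6)
            if index:
                name = lookup(index)[0]
            else:
                name, pos = read_string(buf, pos)
            value, pos = read_string(buf, pos)
            dynamic.insert(0, (name, value))
            emit(name, value)
        else:
            raise ValueError("representation not handled in this example")
    return headers, list_size

def build_bomb(references):
    """Constructed bomb: 'cookie: a' as a literal with incremental indexing
    (static name index 32, 3 wire bytes), then `references` one-byte indexed
    references to it (0xBE is dynamic index 62, the entry just added)."""
    return bytes([0x40 | 32, 0x01]) + b"a" + bytes([0x80 | 62]) * references

def amplification(references):
    """Decode a bomb with the caps lifted; return (wire_bytes, fields, list_size)."""
    block = build_bomb(references)
    headers, size = decode_header_block(block, max_headers=10**9, max_list_size=10**12)
    return len(block), len(headers), size

def within_limits(block, **caps):
    """True if the block decodes under the caps, False if the decoder rejects it."""
    try:
        decode_header_block(block, **caps)
        return True
    except HeaderLimitExceeded:
        return False
```

With the caps lifted, amplification(10000) returns (10003, 10001, 390039): ten kilobytes on the wire decodes to ten thousand cookie fragments at about 39 bytes each under the RFC's own accounting, and the 70 to 4,000 bytes per reference quoted above is what the affected servers allocate on top of that to track each field. With the default caps, within_limits(build_bomb(10000)) is False after the 101st field, which is the behaviour the nginx max_headers directive and Apache's request field limits described in this advisory are meant to provide; a cap that only counts wire bytes, or that merges cookie fragments before counting them, misses the attack.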
The flaw was discovered by OpenAI Codex and disclosed through coordinated vulnerability reporting. nginx addressed the issue in version 1.29.8 by introducing a new max_headers directive. Apache patched the flaw in mod_http2 version 2.0.41 by counting cookie fragments against existing request field limits. At the time of public disclosure, Microsoft IIS, Envoy, and Cloudflare Pingora had no patches available. Their maintainers were notified and are working on fixes. Where patching is not yet possible, researchers recommend disabling HTTP/2, enforcing hard limits on header counts, and applying memory limits to worker processes.
The vulnerability was reported by The Hacker News on June 3, 2026. Technical details of the header table amplification mechanism were published on the oss-security mailing list the same day.
Why This Matters for Canadian Organizations
Canadian hosting providers, managed service providers, and government web infrastructure run nginx and Apache at scale. A significant share of Canadian federal and provincial government websites, municipal portals, healthcare patient portals, and financial services platforms sit behind these servers, often without active memory-limit enforcement on web worker processes. HTTP/2 is enabled by default on most modern server deployments, meaning the attack surface is broad. An unauthenticated attacker with any internet connection can bring down a web server, disrupt service delivery, and in some cases force failover to less-protected infrastructure.
For organizations still running IIS on Windows Server, or deploying Envoy as an API gateway in Kubernetes clusters, which is common in Canadian cloud-native government digital services and financial services applications, no patch exists yet. Those environments remain exposed until vendors ship fixes unless HTTP/2 is disabled or worker memory is capped in the meantime. The attack requires no authentication, and because a single connection is enough, request-rate and connection-rate limits tuned for floods do not stop it. It also leaves minimal trace in access logs: the malicious connection looks like normal HTTP/2 traffic until memory is exhausted, and access logs record completed requests, so the growth shows up first in worker memory metrics and crash or OOM-kill events rather than in the request log. PIPEDA and provincial public-sector privacy laws require organizations to protect personal data and to report breaches of security safeguards involving personal information. A denial of service on its own is not such a breach, but an outage that pushes traffic to less-protected infrastructure or exposes backend systems to secondary attack paths can lead to one, and the notification obligations under those frameworks then apply.
What to Do
If you run nginx, update to version 1.29.8 immediately, confirm the running build with nginx -v, and review the new max_headers directive configuration. If you run Apache with mod_http2, update to mod_http2 2.0.41 or later and confirm the loaded module version after restart. For IIS and Envoy deployments where patches are unavailable, disable HTTP/2 at the load balancer or reverse proxy layer until vendor fixes arrive, and make sure that layer is itself patched, since a front proxy running an affected nginx or Envoy build is the first thing the bomb hits (in nginx 1.25.1 and later this is the http2 off directive, in Apache a Protocols line without h2, and in Envoy codec_type: HTTP1 on the HTTP connection manager; on IIS, HTTP/2 is negotiated by http.sys and is disabled through its documented EnableHttp2Tls and EnableHttp2Cleartext registry values). Apply OS-level memory limits to web server worker processes, for example MemoryMax= on the systemd unit, to cap the blast radius of any single connection; note that the limit turns host-wide memory exhaustion into a worker restart, which is still a brief outage for the connections on that worker. For Kubernetes environments using Envoy as a service mesh or API gateway, implement memory resource limits on sidecar and gateway containers for the same reason. Security teams should review Canadian Centre for Cyber Security guidance and monitor for vendor advisories from Microsoft and the Envoy project. Organizations subject to PIPEDA or PHIPA should document the vulnerability, the interim mitigation applied, and the date patches are deployed.