Share
## https://sploitus.com/exploit?id=4B051C78-13E6-52F9-A39E-4C7E49ACB51A
# HTTP/2 Bomb - CVE-2026-49975

A denial-of-service (DoS) proof of concept targeting HTTP/2 servers. By combining HPACK amplification with stream retention, a single machine with a modest network connection can render a vulnerable server unavailable within seconds.

## Vulnerability

- **CVE:** `CVE-2026-49975`
- **Title:** Apache HTTP Server: mod_http2 Denial of Service
- **Official Description:** A memory allocation with excessive size vulnerability (CWE-789) in the `mod_http2` module of Apache HTTP Server allows a denial-of-service attack through specially crafted HTTP requests.
- **Affected Versions:** Apache HTTP Server 2.4.17 through 2.4.67.
- **Impact:** The attack combines HPACK amplification with Slowloris-style connection retention to rapidly exhaust server memory and resources. A single attacker with a 100 Mbps connection may be sufficient to overwhelm a vulnerable server.
- **Discovery:** Quang Luong (Calif.IO) in collaboration with OpenAI Codex.

## Attack Overview

The exploit proceeds through several stages, as illustrated by its execution logs:

1. **TCP/TLS Connection Establishment**  
   Multiple concurrent TCP/TLS connections are opened to the target server.

2. **HTTP/2 Negotiation**  
   The client detects the maximum number of concurrent streams allowed by the server (typically 100 or 128).

3. **HPACK Priming**  
   Carefully crafted HTTP headers are sent to force the server to allocate excessively large HPACK compression tables, rapidly increasing memory consumption.

4. **Connection Retention**  
   Once the streams have been opened, the connections remain alive indefinitely, preventing the allocated memory from being released and eventually exhausting the server's available RAM.

## Testing Results and Observed Behavior

Testing was performed against multiple web servers using their default configurations.

| Web Server | Tested Version | RAM | Memory Exhaustion | Observed Behavior |
|------------|----------------|-----|-------------------|-------------------|
| **Envoy** | 1.37.2 | 32 GB | ~10 seconds | Successfully exhausted memory very quickly. |
| **Apache HTTP Server** | 2.4.67 | 32 GB | ~18 seconds | Stream limit typically 100. Standard attack progression through HPACK priming and indefinite connection retention. |
| **nginx** | 1.29.7 | 32 GB | ~45 seconds | Stream limit typically 128. Attack succeeds but requires more time to consume available memory. |
| **Microsoft IIS** | Not specified | 64 GB | ~45 seconds | May advertise unusually large stream limits such as `4294967297`. |
| **Non-vulnerable Targets** | Various | - | - | Immediate TLS failures or `TooManyStreamsError` when attempting to exceed the server's configured stream limit. |

## Common Errors

### `h2.exceptions.TooManyStreamsError`

Occurs when the value supplied to `--streams` exceeds the maximum concurrent streams supported by the server.

**Solution:** Probe the server's stream limit before starting the attack.

---

### `NameError: name 'SettingsAcknowledued' is not defined`

A simple typographical error in the PoC source code.

**Solution:** Replace:

```python
SettingsAcknowledued
```

with:

```python
SettingsAcknowledged
```

---

### `[SSL] unknown error`

Usually indicates that the target does not support HTTP/2 over TLS or is rejecting incoming connections.

---

### `EOF occurred in violation of protocol`

The remote server closed the connection unexpectedly.

This commonly occurs when the server begins to exhaust its resources and starts refusing new connections.

---

### `Invalid input ConnectionInputs.SEND_HEADERS`

The server closed the HTTP/2 connection before all request headers could be transmitted.

## Usage

The proof of concept is implemented as a Python script.

### Installation

```bash
git clone https://github.com/califio/http2-bomb.git
cd http2-bomb
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

### Example Commands

Basic attack using 10 connections and 100 streams:

```bash
python bomb.py example.com --streams 100 --connections 10
```

*(Requires the target to allow at least 100 concurrent streams per connection.)*

Automatic stream limit detection:

```bash
python bomb.py example.com --connections 10
```

Large-scale attack:

```bash
python bomb.py target.example.com --connections 50
```

High-volume connection test:

```bash
python h2bomb.py -t target.example.com:443 -c 1000
```

Very large-scale connection test:

```bash
python h2bomb.py -t example.com -c 20000
```

## Credits

- Original vulnerability research : **Quang Luong (Calif.IO)**
- Collaboration: **OpenAI Codex**

## Legal Disclaimer

This software is provided exclusively for security research, educational purposes, and testing systems for which you have explicit authorization.

Unauthorized use of this tool against systems you do not own or have permission to test may violate applicable laws and regulations. The authors and contributors assume no responsibility for any misuse or damage resulting from the use of this software.