## https://sploitus.com/exploit?id=74A7BA4E-D496-587B-A72A-FA0BE663F994
# CVE-2026-49975: HTTP/2 Bomb PoC

[![CVE](https://img.shields.io/badge/CVE-2026--49975-red)](https://vulners.com/cve/CVE-2026-49975)
[![Severity](https://img.shields.io/badge/CVSS-9.8-critical)](https://nvd.nist.gov/vuln/detail/CVE-2026-49975)
[![Python](https://img.shields.io/badge/python-3.8+-blue)](https://python.org)

Proof-of-concept exploit for CVE-2026-49975, a remote denial-of-service vulnerability in HTTP/2 server implementations. Discovered by Quang Luong (Calif Security Research), disclosed June 2, 2026.

> **For authorized security testing only. Do not use against infrastructure you do not own or have written permission to test.**

---

## How It Works

The attack chains two HTTP/2 protocol mechanisms:

**1. HPACK Indexed Reference Bomb**

HPACK (RFC 7541) lets senders reference previously seen headers by index, usually a single byte on the wire. The exploit inserts a nearly empty header into the dynamic table once, then references it thousands of times. Each 1-byte wire reference forces the server to allocate ~70 bytes of internal bookkeeping per entry. No large values are involved, so "max decoded header size" limits never fire.

**2. HTTP/2 Flow-Control Window Stall**

By advertising a zero-byte receive window, the attacker prevents the server from sending its response or freeing any memory. Periodic 1-byte `WINDOW_UPDATE` frames reset the server's send timeout, keeping allocations pinned for as long as the connection is open.

**Result:** ~16 KB sent per stream → ~1.15 MB server RAM allocated and held per stream.

---

## Affected Servers

| Server | Amplification | Demo Impact | Status |
|--------|--------------|-------------|--------|
| Envoy 1.37.2 | ~5,700:1 | 32 GB in ~10s | No patch at disclosure |
| Apache httpd 2.4.67 | ~4,000:1 | 32 GB in ~18s | Fixed in mod_http2 v2.0.41 |
| nginx < 1.29.8 | | | Fixed in 1.29.8 |

```bash
# Detection: only the tail of the command survived in the source (the part
# before "&1" was lost); stderr is piped into grep to catch curl's ALPN lines.
&1 | grep -E "ALPN|HTTP/2|server:"

# Vulnerable if:
# - ALPN: server accepted h2   (HTTP/2 enabled)
# - server: nginx/X.Y.Z        (where X.Y.Z < 1.29.8)
```

---

## Mitigations

**nginx**: upgrade to 1.29.8+ and add:
```nginx
http2 max_headers 1000;
```
Or disable HTTP/2 entirely:
```nginx
# Remove "http2" from listen directive
listen 443 ssl;
```

**Apache httpd**: upgrade mod_http2 to v2.0.41+. Interim workaround: set `Protocols http/1.1` to disable HTTP/2.

**IIS / Envoy / Pingora**: no patch available at time of writing. Disable HTTP/2 or front with a patched proxy.

**General (all servers):**
```bash
# Cap worker memory to limit blast radius
ulimit -v 2097152   # 2 GB per process
# Docker: --memory="2g" --memory-swap="2g"
```

---

## Technical Details

### HPACK Encoding

```
Dynamic table seed (incremental indexing, adds to index 62):
  0x40 | name_len | name | value_len | value
  = 0x40 0x06 "x-bomb" 0x00

Indexed reference to entry 62 (1 byte each):
  0x80 | 62 = 0xbe

Wire payload per stream = 9 bytes (seed) + N bytes (N references)
Server allocation per ref ≈ sizeof(ngx_table_elt_t) ≈ 70 bytes
```
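As an added example (not part of this PoC, nginx or Apache), the check that a `http2 max_headers 1000`-style mitigation performs: a header-count guard that walks a raw HPACK header block per RFC 7541 and refuses it once it exceeds the limit, so the remaining one-byte references are never turned into ~70-byte table entries. The bomb block is constructed here from the encoding above (9-byte seed plus N `0xbe` references); the benign block and the `scan_header_block` name are assumptions of this example.

```python
# Added example, not part of the PoC: a header-count guard over a raw HPACK
# header block (RFC 7541 section 6 field layouts, section 5.1 integers).

def _read_int(buf, pos, prefix_bits):
    """RFC 7541 section 5.1 integer; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def _skip_string(buf, pos):
    length, pos = _read_int(buf, pos, 7)   # Huffman flag + 7-bit-prefix length
    return pos + length                    # octet count is the same either way

def scan_header_block(block, max_headers=1000):
    """Count fields without building a table; returns (fields, indexed_refs, ok).
    Stops at the first field past max_headers so later refs are never decoded."""
    pos = fields = indexed = 0
    try:
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                        # 1xxxxxxx indexed field (the 0xbe refs)
                _, pos = _read_int(block, pos, 7)
                indexed += 1
            elif (b & 0x60) == 0x20:            # 001xxxxx table size update, not a field
                _, pos = _read_int(block, pos, 5)
                continue
            else:                               # literal: 01xxxxxx (6-bit) or 000xxxxx (4-bit)
                idx, pos = _read_int(block, pos, 6 if b & 0x40 else 4)
                if idx == 0:                    # index 0: the name is a string literal
                    pos = _skip_string(block, pos)
                pos = _skip_string(block, pos)  # value string
            fields += 1
            if fields > max_headers:
                return fields, indexed, False
    except IndexError:                          # truncated block: reject as malformed
        return fields, indexed, False
    return fields, indexed, True

# Constructed inputs: the 9-byte seed from the section above plus 5000 references,
# and a benign block (":method GET", ":path /", one literal name/value pair).
BOMB_BLOCK = bytes([0x40, 0x06]) + b"x-bomb" + bytes([0x00]) + bytes([0xBE]) * 5000
BENIGN_BLOCK = bytes([0x82, 0x84, 0x00, 0x01]) + b"a" + bytes([0x01]) + b"b"
```

With the default limit the bomb is refused after 1000 references and the remaining 4000 bytes are never decoded, while the benign block passes; raising the limit to 10000 shows the full 5001-field count the server would otherwise materialize.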

### HTTP/2 Frame Sequence

```
Client → Server:
  PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n     (preface)
  SETTINGS [INITIAL_WINDOW_SIZE=0]      (stall setup)
  SETTINGS ACK                          (after reading server SETTINGS)
  HEADERS [stream 1]  ← bomb payload   (pseudo-headers + HPACK bomb)
  HEADERS [stream 3]  ← bomb payload
  ...
  WINDOW_UPDATE(1) per stream / 1s      (keep-alive stall)
```

---

## Files

| File | Description |
|------|-------------|
| `exploit-test.py` | Main PoC: multi-stream, continuous reconnect, nginx + classic modes |
| `SECURITY-REPORT-MIST.md` | Authorized assessment report for mist.ac.bd |
| `LICENSE` | MIT |

---

## References

- [CVE-2026-49975](https://vulners.com/cve/CVE-2026-49975)
- RFC 7541 §7.3: HPACK Memory Consumption
- RFC 9113 §8.2.3: Cookie header splitting
- [CVE-2016-6581](https://vulners.com/cve/CVE-2016-6581): Original HPACK Bomb (Cory Benfield, 2016)
- [CVE-2025-53020](https://vulners.com/cve/CVE-2025-53020): Apache HPACK 4000:1 (Gal Bar Nahum, 2025)