[Pkg-nginx-maintainers] Bug#1138794: CVE-2026-49975: HTTP/2 Bomb: Remote DoS against most major web servers
Benjamin Sonntag
benjamin at octopuce.fr
Wed Jun 3 21:58:26 BST 2026
Package: nginx
Version: 1.26.3-3+deb13u5
Severity: important
Tags: upstream
Dear Maintainer,
I just found out about this CVE here:
https://discourse.ifin.network/t/cve-2026-49975-http-2-bomb-remote-dos-against-most-major-web-servers/536
which applies to nginx as packaged by Debian Trixie and before (as soon as HTTP/2 is supported on Nginx)
Nginx added a max_headers directive to prevent the exploitation of this security issue here:
https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2
I tested the POC (./hpack_bomb.py --host 127.0.0.1 --port 443 --connections 15) on a stock trixie nginx and it used 3.2G of memory immediately.
I guess adding max_headers + changing the nginx default conf to put a sensible value there would be a good idea.
Thanks for your attention,
Benjamin
-- System Information:
Debian Release: 13.5
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-30-amd64 (SMP w/4 CPU threads)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nginx depends on:
ii iproute2 6.15.0-1
ii libc6 2.41-12+deb13u3
ii libcrypt1 1:4.4.38-1
ii libpcre2-8-0 10.46-1~deb13u1
ii libssl3t64 3.5.6-1~deb13u1
ii nginx-common 1.26.3-3+deb13u5
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
nginx recommends no packages.
nginx suggests no packages.
-- no debconf information
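As an added illustration (not part of the bug report, of the nginx project or of Debian's packaging), the following is a minimal nginx.conf that bounds what one HTTP/2 client can make the server buffer for request headers. The `max_headers` directive is the one the report says upstream added; its exact syntax (`max_headers <number>;` in the `http` and `server` contexts) is assumed here from the referenced commit and should be checked against the documentation of the build you run. The numeric values, hostname and certificate paths are placeholders, not recommendations from the report.

```nginx
# Added example config: bounding per-request header buffering for HTTP/2.
events {
    worker_connections 1024;
}

http {
    # Assumed directive from the upstream fix named in the report:
    # cap the number of header fields accepted in a single request.
    # A build without the fix rejects this line as an unknown directive.
    max_headers 100;

    # Existing directive: number and size of buffers for large request
    # headers. Since nginx 1.19.7 it also applies to HTTP/2, but it limits
    # bytes per header line, not the number of headers, so it complements
    # max_headers rather than replacing it.
    large_client_header_buffers 4 8k;

    # Existing directive: fewer concurrent streams per connection means
    # fewer requests whose headers can be in flight at the same time.
    http2_max_concurrent_streams 32;

    server {
        listen 443 ssl;
        http2 on;
        server_name example.test;                               # placeholder
        ssl_certificate     /etc/ssl/certs/example.test.pem;    # placeholder
        ssl_certificate_key /etc/ssl/private/example.test.key;  # placeholder

        # Per-server override, assuming max_headers has server context.
        max_headers 50;

        location / {
            return 200 "ok\n";
        }
    }
}
```

Running `nginx -t -c /path/to/this.conf` is a quick way to tell whether a given package carries the fix: a build that predates the commit fails the syntax check with an "unknown directive" error on the `max_headers` line, while a patched build accepts it.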