#1138794 nginx: HTTP/2 Bomb: Remote DoS against nginx

Package: nginx
Source: nginx
Description: small, powerful, scalable web/proxy server
Submitter: Benjamin Sonntag
Date: 2026-06-04 00:49:01 UTC
Severity: normal
#1138794#5
Date: 2026-06-03 20:58:26 UTC
Dear Maintainer,

I just found out about this CVE here:
https://discourse.ifin.network/t/cve-2026-49975-http-2-bomb-remote-dos-against-most-major-web-servers/536

which applies to nginx as packaged by Debian Trixie and before (as soon as HTTP/2 is supported on Nginx)

Nginx added a max_headers directive to prevent the exploitation of this security issue here:
https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2

I tested the POC (./hpack_bomb.py --host 127.0.0.1 --port 443 --connections 15) on a stock trixie nginx and it used 3.2G of memory immediately.

I guess adding max_headers + changing the nginx default conf to put a sensible value there would be a good idea.

Thanks for your attention,

Benjamin
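A quick way to tell whether the packaged nginx binary already understands the max_headers directive mentioned above is to feed `nginx -t` a throwaway configuration that uses it and look for the "unknown directive" diagnostic. The script below is an added helper, not code from the bug report or from the nginx project; the value 1000 is only an assumed placeholder for the probe, not a recommended limit.

```python
"""Probe a local nginx for the max_headers directive via `nginx -t`."""
import re
import subprocess
import tempfile
from pathlib import Path

# Minimal configuration: nginx requires an events block, and max_headers
# is placed at http level so the parser has to resolve the directive.
# 1000 is an assumed placeholder value for the probe only.
PROBE_CONFIG = "events {}\nhttp { max_headers 1000; }\n"

# nginx reports an unrecognised directive as
#   nginx: [emerg] unknown directive "max_headers" in <file>:<line>
# and a clean parse as
#   nginx: the configuration file <file> syntax is ok
UNKNOWN_RE = re.compile(r'unknown directive "max_headers"')
SYNTAX_OK_RE = re.compile(r"syntax is ok")


def classify_nginx_output(output: str) -> str:
    """Map `nginx -t` diagnostics to: unsupported, supported or unclear."""
    if UNKNOWN_RE.search(output):
        return "unsupported"
    if SYNTAX_OK_RE.search(output):
        return "supported"
    # Some other problem (log/pid permissions, missing paths): the directive
    # itself was not rejected, but the test did not pass either.
    return "unclear"


def probe_max_headers(nginx_bin: str = "nginx") -> str:
    """Write the probe config, run `nginx -t` on it and classify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "probe.conf"
        conf.write_text(PROBE_CONFIG)
        proc = subprocess.run(
            [nginx_bin, "-t", "-c", str(conf)],
            capture_output=True, text=True, check=False,
        )
        # nginx writes its -t diagnostics to stderr; stdout is included
        # defensively in case a wrapper redirects them.
        return classify_nginx_output(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print(probe_max_headers())
```

Running it on a system where nginx is not on PATH raises FileNotFoundError; pass the full path to the binary under test in that case.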

#1138794#10
Date: 2026-06-03 21:08:54 UTC
Hi,

The CVE is specific to apache httpd, so I'm removing this from the
subject. The CNA responsible for nginx has been asked about an nginx
specific assignment.

Regards,
Salvatore

#1138794#31
Date: 2026-06-04 00:39:15 UTC
Hello,
should be the default value. Source: https://github.com/nginx/nginx/pull/1116/changes