Control: retitle -1 nginx: HTTP/2 Bomb: Remote DoS against nginx
Control: tags -1 + security fixed-upstream
Hi,

On Wed, Jun 03, 2026 at 10:58:26PM +0200, Benjamin Sonntag wrote:
> Package: nginx
> Version: 1.26.3-3+deb13u5
> Severity: important
> Tags: upstream
>
> Dear Maintainer,
>
> I just found out about this CVE here:
> https://discourse.ifin.network/t/cve-2026-49975-http-2-bomb-remote-dos-against-most-major-web-servers/536
>
> which applies to nginx as packaged by Debian Trixie and before (as soon as
> HTTP/2 is enabled on nginx).
>
> nginx added a max_headers directive to prevent exploitation of this
> security issue here:
> https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2
>
> I tested the PoC (./hpack_bomb.py --host 127.0.0.1 --port 443 --connections
> 15) on a stock trixie nginx and it used 3.2G of memory immediately.
>
> I guess adding max_headers and changing the nginx default conf to put a
> sensible value there would be a good idea.
>
> Thanks for your attention,

The CVE is specific to Apache httpd, so I'm removing it from the subject.
The CNA responsible for nginx has been asked about an nginx-specific assignment.

Regards,
Salvatore
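The report suggests relying on the new max_headers directive, but the directive only exists in builds that carry the referenced upstream commit; a packaged nginx without it will reject the directive at config-test time rather than silently ignore it. The following script is an added example and not part of the bug report or of the nginx project: it writes a minimal configuration containing the directive and asks the installed binary to validate it with `nginx -t`. The directive form `max_headers <number>;` in the `http` context is an assumption taken from the report's description of the upstream change, so check it against your build's documentation before deploying it.

```bash
#!/bin/sh
# Added example (not from the bug report): detect whether the installed nginx
# accepts the max_headers directive before putting it into the default config.
# Assumption: the directive is written "max_headers <number>;" inside "http".

probe_max_headers() {
    # Prints one word:
    #   missing      no nginx binary in PATH
    #   supported    nginx -t accepted the config containing max_headers
    #   unsupported  nginx -t rejected max_headers as an unknown directive
    #   error        nginx -t failed for some other reason (output on stderr)
    if ! command -v nginx >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    # Minimal config: a value of 100 is only a placeholder to exercise the
    # parser; pick the real limit from your application's header usage.
    cat > "$tmp/nginx.conf" <<EOF
pid $tmp/nginx.pid;
error_log stderr;
events {}
http {
    max_headers 100;
}
EOF
    if nginx -t -c "$tmp/nginx.conf" -p "$tmp" >"$tmp/out" 2>&1; then
        result=supported
    elif grep -q 'unknown directive "max_headers"' "$tmp/out"; then
        result=unsupported
    else
        result=error
        cat "$tmp/out" >&2
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Usage: run the probe; "unsupported" means the package predates the fix and
# max_headers cannot be used as the mitigation on this host.
probe_max_headers
```

Run it on the host that serves HTTP/2 traffic; an `unsupported` result on a stock trixie package is exactly the situation the report describes, and the existing header-size limits (such as `large_client_header_buffers`) remain the only tunables until the package carries the upstream change.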

