Vulnerabilities4 min read
HTTP/2 Bomb Exploit Crashes Servers in Seconds — 880K Sites Vulnerable
CVE-2026-49975 combines HPACK compression abuse with Slowloris-style holds to exhaust 32GB of server memory in 10 seconds. nginx and Apache patched; IIS, Envoy remain exposed.
Marcus ChenJun 4, 2026