CyCognito Warns CVE-2026-49975 Puts Apache HTTP Server Deployments at Risk of HTTP/2 Memory Exhaustion

CyCognito has detailed an emerging denial-of-service risk affecting Apache HTTP Server deployments through CVE-2026-49975, a vulnerability tied to HTTP/2 memory exhaustion in the mod_http2 module. The issue, described by CyCognito as part of an attack technique nicknamed the “HTTP/2 Bomb,” allows a remote attacker to use maliciously crafted HTTP/2 requests to cause denial of service.

According to CyCognito, CVE-2026-49975 is classified as CWE-789, Memory Allocation with Excessive Size Value. The vulnerability carries a CVSS v3.1 base score of 7.5, which places it in the High category under the National Vulnerability Database scoring. CyCognito also noted that the Apache Software Foundation rated the issue Moderate in its own advisory.

The distinction matters because CyCognito emphasized that the vulnerability affects availability only. It does not involve loss of confidentiality or integrity, but it can lead to full loss of service. For organizations that rely on Apache HTTP Server for internet-facing services, CyCognito’s analysis frames the issue as a practical uptime risk rather than a data exposure event.

How the HTTP/2 Bomb Works

CyCognito’s analysis describes CVE-2026-49975 as an unauthenticated issue. Exploitation requires network access to a server with HTTP/2 enabled. That makes the condition especially relevant for internet-facing Apache HTTP Server assets, particularly those serving HTTP/2 over TLS on TCP/443.

CyCognito said an affected asset is typically an internet-facing web server or reverse proxy with HTTP/2 enabled. The attack technique described by CyCognito chains two legitimate HTTP/2 behaviors rather than relying on credentialed access.

The first behavior is an HPACK compression bomb, which causes the server to expand small compressed header inputs into much larger internal objects. The second behavior is an HTTP/2 flow-control hold, which CyCognito compared in spirit to a Slowloris-style approach. This keeps memory allocations alive instead of allowing the server to reclaim them.

In combination, CyCognito said the effect is rapid memory growth that can make a server unresponsive within seconds. Because the issue is centered on resource exhaustion, the impact is service disruption rather than unauthorized access to data.

Affected Apache HTTP Server Versions

The affected Apache HTTP Server versions identified by CyCognito are 2.4.17 through 2.4.67. The affected module is mod_http2, which handles HTTP/2 support in Apache HTTP Server.

CyCognito also pointed out that HTTP/2 is enabled by default in many modern configurations. As a result, some servers may be exposed even if an administrator did not deliberately opt in to HTTP/2. For security teams, that makes discovery and verification central to the response.

CyCognito’s warning is not limited to organizations that knowingly enabled HTTP/2 as part of a specific performance decision. It also applies to organizations that may have inherited web server configurations, deployed Apache HTTP Server in standard ways, or left externally exposed services running without revisiting whether HTTP/2 is advertised.

A Broader HTTP/2 Server Issue

CyCognito framed CVE-2026-49975 within a broader HTTP/2 issue affecting multiple server implementations. The “HTTP/2 Bomb” disclosure described a class of issue beyond Apache, including nginx, Microsoft IIS, Envoy, and Cloudflare Pingora.

CyCognito emphasized that CVE-2026-49975 is the Apache-assigned identifier for the Apache-side instance of this class. CyCognito also noted that nginx addressed related behavior in a separate release and that Envoy published its own advisory under a different identifier.

That broader context helps explain why CyCognito described the issue as an emerging threat rather than as a narrow Apache-only concern. Still, for Apache HTTP Server users, CyCognito’s key point is direct: affected versions of Apache HTTP Server with HTTP/2 enabled should be identified and remediated.

Exposure Across Key Sectors

CyCognito’s exposure data shows that observed affected assets were concentrated in several sectors. Communication Services accounted for 24.9% of observed assets, followed by Information Technology at 18.0% and Health Care at 17.0%.

CyCognito attributed the Communication Services concentration to the large, distributed web footprints common among media, telecom, and content businesses. These organizations operate infrastructure designed to serve traffic at scale, and CyCognito noted that HTTP/2 is the kind of performance-oriented protocol they may adopt early.

Still, CyCognito’s broader point is that exposure is not limited to one vertical. The remaining “Others” category accounted for 40.1% of observed assets. CyCognito said this reflects the reality that Apache httpd and nginx are general-purpose web infrastructure used across industries.

These servers may sit in front of applications, may have been provisioned years ago, and may not be frequently revisited once they are stable. CyCognito’s findings therefore point to a common exposure-management problem: organizations first need to know which internet-facing services advertise HTTP/2 before they can determine whether CVE-2026-49975 applies.

Patch Guidance for Apache Deployments

Fixes are available for Apache HTTP Server. CyCognito reported that the Apache Software Foundation released Apache HTTP Server 2.4.68 on June 8, 2026, and that the release fixes CVE-2026-49975 along with other vulnerabilities.

CyCognito described upgrading to Apache HTTP Server 2.4.68 or later as the direct remediation for affected Apache deployments. For organizations running affected Apache HTTP Server versions, that is the clearest corrective step identified in CyCognito’s advisory.

CyCognito cautioned, however, that distribution-level patching is uneven and should be verified per platform. The company said Red Hat issued an advisory with updated httpd packages for Red Hat Enterprise Linux, while Debian published a security update through its LTS channel.

CyCognito also noted that nginx-related behavior was addressed in a later release introducing a header-count limit, though that fix reportedly caused a regression with external modules and was reverted in at least one downstream package pending further investigation.

Because of that inconsistency, CyCognito recommends that defenders confirm patch availability and stability directly with their vendor or distribution. Where a stable patch is not available, CyCognito said the vulnerability should be treated as live and mitigated at the network layer.

Recommended Mitigation Steps

CyCognito’s recommended actions begin with inventory. The company advised organizations to inventory internet-facing Apache httpd and nginx servers with HTTP/2 enabled and identify endpoints that advertise h2 on TCP/443.

CyCognito also recommended capping concurrent HTTP/2 streams per connection at the proxy or WAF, constraining request header count and size limits where supported, and monitoring for connections that hold streams open alongside abnormal memory growth.

For exposed servers that cannot be patched promptly, CyCognito recommended disabling HTTP/2. That mitigation is especially relevant where patch availability or downstream package stability has not yet been confirmed.
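The inventory and version guidance above can be turned into a repeatable triage check. The script below is an added example, not CyCognito's tooling and not code from the Apache project: it offers h2 over TLS ALPN to learn whether a host advertises HTTP/2 on TCP/443, parses an Apache `Server` header for the version, and tests that version against the 2.4.17 through 2.4.67 range the advisory names. Assumptions not stated in the text: the range is inclusive and confined to 2.4.x releases; the `Server` header carries a full `Apache/x.y.z` version (hardened hosts often hide it, which the script reports as unknown rather than guessing); the sample inventory rows are constructed.

```python
"""Triage helpers for CVE-2026-49975 exposure (added example, not CyCognito's
or the Apache project's code). Assumptions: the affected range is 2.4.17 through
2.4.67 inclusive and only 2.4.x releases are in scope; a Server header such as
"Apache/2.4.58 (Ubuntu)" carries the version; the sample rows below are constructed."""
import re
import socket
import ssl
import sys

AFFECTED_MIN = (2, 4, 17)   # start of the range the advisory names
AFFECTED_MAX = (2, 4, 67)   # end of the range; 2.4.68 carries the fix
_APACHE_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header, or None when the
    version is hidden (e.g. ServerTokens Prod yields just "Apache")."""
    match = _APACHE_RE.search(server_header or "")
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True/False for a parsed version, None when the version is unknown."""
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def probe_alpn(host, port=443, timeout=5.0):
    """Offer h2 and http/1.1 via ALPN and return what the server selected.
    'h2' means HTTP/2 is advertised on this port; None means no ALPN answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inventory probe: we need the ALPN answer, not a trust decision
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def triage(server_header, alpn):
    """Map an observed (Server header, ALPN selection) pair to an action."""
    if alpn != "h2":
        return "not_exposed"            # HTTP/2 not advertised: this CVE does not apply
    affected = is_affected(parse_apache_version(server_header))
    if affected is None:
        return "verify_version"         # h2 is on but the version is hidden: check the package on the host
    if affected:
        return "patch_or_disable_h2"    # upgrade to 2.4.68+; until then disable h2 or cap at the proxy/WAF
    return "not_affected_version"


# Constructed sample inventory rows (not real hosts or observations).
SAMPLE_INVENTORY = [
    {"host": "www.example.test",  "alpn": "h2",       "server": "Apache/2.4.58 (Ubuntu)"},
    {"host": "api.example.test",  "alpn": "h2",       "server": "Apache/2.4.68 (Unix)"},
    {"host": "old.example.test",  "alpn": "http/1.1", "server": "Apache/2.4.41 (Debian)"},
    {"host": "edge.example.test", "alpn": "h2",       "server": "Apache"},
]


def triage_inventory(rows):
    """Return {host: action} for every inventory row."""
    return {row["host"]: triage(row["server"], row["alpn"]) for row in rows}


if __name__ == "__main__":
    # Hostnames on the command line are probed live for ALPN; the constructed
    # sample is always triaged so the script runs offline.
    for host in sys.argv[1:]:
        print(host, probe_alpn(host))
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:24} {action}")
```

The `Server` header is something an existing scanner or asset inventory usually already holds; the probe answers only the first question the advisory raises, whether h2 is advertised at all. Where the verdict is `patch_or_disable_h2` and a stable package is not yet available, disabling HTTP/2 in Apache itself is `Protocols http/1.1` in the affected server or virtual-host context.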

CyCognito also said it has published an Emerging Threat Advisory for CVE-2026-49975 in the CyCognito platform and is actively researching enhanced detection capabilities for the vulnerability.

For organizations with public-facing Apache HTTP Server deployments, CyCognito’s advisory makes the priority clear: identify exposed HTTP/2 services, confirm whether affected Apache versions are present, apply Apache HTTP Server 2.4.68 or later where possible, and use network-layer mitigations where patching cannot be completed promptly.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.