The San Francisco Tribune

CyCognito Highlights Apache HTTP/2 Bomb Risk as CVE-2026-49975 Targets Server Availability

by Editorial
June 15, 2026
in Business

CyCognito has published an emerging threat analysis on CVE-2026-49975, an Apache HTTP Server vulnerability that can allow denial of service through memory exhaustion in HTTP/2 handling. The vulnerability affects the mod_http2 module and is associated with a technique CyCognito identified as the “HTTP/2 Bomb.”

In CyCognito’s description, CVE-2026-49975 is not a data theft issue and is not presented as a compromise of confidentiality or integrity. Instead, the risk is availability. The vulnerability can cause full loss of service by forcing rapid memory growth on affected servers.

CyCognito reported that the issue has a CVSS v3.1 base score of 7.5, categorized as High by the National Vulnerability Database, while the Apache Software Foundation rated the issue Moderate in its own advisory. CyCognito also identified the weakness as CWE-789, Memory Allocation with Excessive Size Value.

The result is a vulnerability that security teams need to treat as an uptime and resilience issue. CyCognito’s analysis focuses on exposed HTTP/2 services, affected Apache HTTP Server versions, and practical steps organizations can take to identify and reduce risk.

Why Availability Is the Central Risk

CVE-2026-49975 is centered on service disruption. CyCognito’s advisory makes clear that the impact is availability, not confidentiality or integrity. That means the vulnerability is not described as a path to steal data or modify systems. Instead, it can prevent affected services from remaining responsive.

CyCognito said exploitation can cause full loss of service. The company described a condition in which memory growth happens rapidly enough to make a server unresponsive within seconds. For public-facing services, that type of denial-of-service condition can still be serious because availability is often central to web infrastructure.

CyCognito also described the vulnerability as unauthenticated. Exploitation requires network access to a server with HTTP/2 enabled. Because affected assets are typically internet-facing web servers or reverse proxies, the risk depends heavily on whether HTTP/2 is externally reachable.

Where HTTP/2 Exposure Can Appear

The affected component is Apache HTTP Server’s mod_http2 module. CyCognito identified the affected Apache HTTP Server versions as 2.4.17 through 2.4.67. The company said the typical affected asset is an internet-facing web server or reverse proxy with HTTP/2 enabled.

In many deployments, that means TLS-terminated HTTP/2 served on TCP/443. CyCognito also noted that HTTP/2 is enabled by default in many modern configurations, which means exposure may exist even where a team did not intentionally enable it for a specific project.

That point makes the issue an exposure-management problem as much as a patching problem. Organizations first need to know which externally reachable services advertise h2 before they can confirm whether affected Apache HTTP Server versions are present.

CyCognito’s recommended inventory step reflects that need. The company advised defenders to identify internet-facing Apache httpd and nginx servers with HTTP/2 enabled and to find endpoints advertising h2 on TCP/443.

How Memory Exhaustion Develops

The attack technique described by CyCognito combines two legitimate HTTP/2 behaviors. One is an HPACK compression bomb. CyCognito explained that this causes the server to expand small compressed header inputs into much larger internal objects.

The second is an HTTP/2 flow-control hold. CyCognito compared this in spirit to a Slowloris-style approach because it keeps allocations alive instead of allowing the server to reclaim them.

By combining expansion with retention, the attack can drive memory growth. CyCognito said the result can be a server becoming unresponsive within seconds. The issue therefore comes from how resources are consumed and held during HTTP/2 handling.

CyCognito connected this behavior to the “HTTP/2 Bomb” disclosure, which described a broader class of issue across multiple server implementations. CVE-2026-49975 is the Apache-assigned identifier for the Apache HTTP Server instance of that class.

Exposure Patterns Across Industries

CyCognito’s exposure data showed affected assets across several sectors. Communication Services represented the largest observed share at 24.9%. Information Technology followed at 18.0%, and Health Care accounted for 17.0%.

CyCognito attributed the Communication Services concentration to the large, distributed web footprints common among media, telecom, and content businesses. These organizations run infrastructure built to serve traffic at scale, and CyCognito noted that HTTP/2 is the kind of performance-oriented protocol they may adopt early.

The sector data does not mean the issue is limited to those categories. CyCognito reported that 40.1% of observed affected assets fell into the “Others” category. The company said that reflects the broad use of Apache httpd and nginx as general-purpose web infrastructure across industries.

That broad distribution is part of the challenge. Apache HTTP Server and nginx may sit in front of applications, serve as reverse proxies, or support public services that have been stable for years. CyCognito’s analysis indicates that organizations need visibility into these internet-facing services before they can assess whether CVE-2026-49975 applies.

Patch Availability and Distribution Gaps

CyCognito said fixes are available for Apache HTTP Server. The Apache Software Foundation released Apache HTTP Server 2.4.68 on June 8, 2026, and CyCognito identified upgrading to version 2.4.68 or later as the direct remediation for affected Apache deployments.

CyCognito also noted that the release addressed CVE-2026-49975 alongside a batch of other vulnerabilities. For teams running Apache HTTP Server versions 2.4.17 through 2.4.67, CyCognito’s advisory points to version 2.4.68 or later as the fix.

The patching picture is not uniform across every platform, according to CyCognito. The company said Red Hat issued an advisory with updated httpd packages for Red Hat Enterprise Linux, and Debian published a security update through its LTS channel.

CyCognito also noted that related nginx behavior was addressed in a later release that introduced a header-count limit, but that fix reportedly caused a regression with external modules and was reverted in at least one downstream package pending further investigation. CyCognito added that nginx did not assign a separate CVE for the issue.

Because downstream fixes may vary, CyCognito advised defenders to verify patch availability and stability directly with their vendor or distribution rather than assuming a fix is already present. Where a stable patch is not available, CyCognito said organizations should treat the vulnerability as live and apply network-layer mitigation.

What Security Teams Should Prioritize

CyCognito’s recommended actions are operational and exposure-focused. The first priority is to inventory internet-facing Apache httpd and nginx servers with HTTP/2 enabled. The second is to identify endpoints that advertise h2 on TCP/443.

CyCognito also recommended limiting concurrent HTTP/2 streams per connection at the proxy or WAF, constraining request header count and size limits where supported, and monitoring for connections that hold streams open alongside abnormal memory growth.

Where exposed servers cannot be patched promptly, CyCognito recommended disabling HTTP/2. That gives organizations a mitigation path when an immediate upgrade to Apache HTTP Server 2.4.68 or later is not available.
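The mitigations in this section map onto a handful of httpd directives. As an added example that is not the article's, CyCognito's or the Apache project's code, the Python script below lints a virtual-host snippet for those settings and shows a weak configuration beside a hardened one, with the disable-HTTP/2 fallback as a rewrite. Assumptions: Protocols, H2MaxSessionStreams, LimitRequestFields and LimitRequestFieldSize are real httpd directives, but the ceilings used here are illustrative choices rather than values from the advisory; both configuration samples are constructed; and the parser reads one snippet only, so settings inherited from included files or the server context are not seen.

```python
import re
from typing import Dict, List

# Constructed sample: HTTP/2 offered with httpd's defaults otherwise left in place.
WEAK_CONF = """\
<VirtualHost *:443>
    ServerName www.example.test
    Protocols h2 http/1.1
    SSLEngine on
</VirtualHost>
"""

# Constructed sample: the same vhost with per-connection and per-header limits set.
HARDENED_CONF = """\
<VirtualHost *:443>
    ServerName www.example.test
    Protocols h2 http/1.1
    H2MaxSessionStreams 32
    LimitRequestFields 50
    LimitRequestFieldSize 4096
    SSLEngine on
</VirtualHost>
"""

# Illustrative ceilings (assumed; tune them to what the fronted application needs).
LIMITS = {
    "h2maxsessionstreams": 64,      # concurrent streams per HTTP/2 connection
    "limitrequestfields": 60,       # number of request header fields
    "limitrequestfieldsize": 8190,  # bytes per header field
}
DISPLAY = {
    "h2maxsessionstreams": "H2MaxSessionStreams",
    "limitrequestfields": "LimitRequestFields",
    "limitrequestfieldsize": "LimitRequestFieldSize",
}


def directives(conf: str) -> Dict[str, str]:
    """Flatten a snippet to {lowercase directive: argument string}; last one wins.
    Section tags and comments are skipped, and context nesting is ignored."""
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found


def http2_offered(conf: str) -> bool:
    """True when a Protocols line advertises h2 (TLS) or h2c (cleartext).
    httpd's default without a Protocols line is http/1.1 only."""
    protocols = directives(conf).get("protocols", "http/1.1").lower().split()
    return any(p in ("h2", "h2c") for p in protocols)


def lint_http2(conf: str) -> List[str]:
    """Directives that are missing or looser than LIMITS while HTTP/2 is offered.
    An empty list means nothing to report."""
    if not http2_offered(conf):
        return []  # no HTTP/2 here, so the mod_http2 exposure does not apply
    seen = directives(conf)
    findings = []
    for key, ceiling in LIMITS.items():
        value = seen.get(key)
        if value is None or not value.isdigit() or int(value) > ceiling:
            findings.append(DISPLAY[key])
    return findings


def disable_http2(conf: str) -> str:
    """Rewrite every Protocols line to HTTP/1.1 only: the fallback mitigation
    recommended above where a server cannot be patched promptly."""
    return re.sub(r"^([ \t]*)Protocols\b.*$", r"\1Protocols http/1.1",
                  conf, flags=re.M | re.I)


if __name__ == "__main__":
    print("weak:", lint_http2(WEAK_CONF))
    print("hardened:", lint_http2(HARDENED_CONF))
    print(disable_http2(WEAK_CONF))
```

Lowering H2MaxSessionStreams caps how many streams one connection can hold open, and the two LimitRequest* directives bound the decoded header volume a request may carry; together they address the retention and expansion halves of the technique described above without turning HTTP/2 off. The rewrite in disable_http2 is the blunter option for hosts that cannot take 2.4.68 yet.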

CyCognito also said it has published an Emerging Threat Advisory for CVE-2026-49975 in the CyCognito platform and is actively researching enhanced detection capabilities.

For security teams, CyCognito’s message is that the response starts with visibility. Organizations need to know which internet-facing servers advertise HTTP/2, determine whether affected Apache HTTP Server versions are present, apply Apache HTTP Server 2.4.68 or later when available, and use mitigations where patching is not yet confirmed.

Tags: Apache HTTP Server, CyCognito

© 2026 The San Francisco Tribune. All rights reserved.