Overview
- Calif publicly disclosed the exploit and released proof-of-concept code on Wednesday, demonstrating the attack and a bypass for servers that cap header-field counts.
- The attack abuses HPACK, HTTP/2's header-compression scheme, in which a header field stored once in the decoder's dynamic table can be referenced again with a single-byte index; a few bytes on the wire therefore expand into a large per-header allocation on the server, and the client advertises a zero-byte flow-control window so the server cannot send its response and free that memory.
- Calif showed a single client on a 100 Mbps link can exhaust tens of gigabytes of RAM in seconds, with tests hitting roughly 32 GB against Apache and Envoy in about 20 seconds.
- NGINX and Apache have issued fixes — NGINX 1.29.8 adds a max_headers limit and Apache fixed the issue in mod_http2 2.0.41 (CVE-2026-49975) — while Microsoft IIS, Envoy, and Cloudflare Pingora had no patch available at the time of reporting.
- The exploit composes two long-known techniques and was found with the help of OpenAI's Codex. Security teams are urged to apply vendor updates, disable HTTP/2 where no patch is available, or front affected servers with proxies that enforce strict header limits; an estimated 880,000 sites are affected.
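The HPACK half of the attack, as an added example (not the article's text or the researcher's proof-of-concept): a minimal RFC 7541 encoder/decoder that inserts one large header field into the dynamic table and then references it with one-byte indexed fields, which is the mechanism consistent with the "tiny on-the-wire values into large per-header allocations" description above, plus a decoder that enforces the two caps a hardened server should apply. The header name `x-pad`, the 4000-byte value, the repeat count and the limit values are illustrative assumptions, and the flow-control side of the attack (the zero window that keeps the server holding the decoded headers) is not modelled.

```python
"""Minimal HPACK (RFC 7541) subset showing header-block amplification.
Added example, not code from the article or the researcher's PoC. Implements
only Literal Header Field with Incremental Indexing (6.2.1) and Indexed Header
Field (6.1), no Huffman coding; the static table is opaque, so dynamic-table
entries start at index 62. Names, sizes and limits are illustrative."""

STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A defines 61 static entries
ENTRY_OVERHEAD = 32     # RFC 7541 4.1: entry size = len(name) + len(value) + 32

def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` fills the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(buf, pos, prefix_bits):
    """Inverse of encode_int; returns (value, next position)."""
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_literal_with_indexing(name, value):
    """0x40 = literal with incremental indexing and a new name, then two raw strings."""
    return (b"\x40" + encode_int(len(name), 7) + name
            + encode_int(len(value), 7) + value)

def build_amplified_block(name, value, repeats):
    """Insert one large field into the dynamic table, then reference it
    `repeats` times with the one-byte indexed form (index 62 = newest entry)."""
    return encode_literal_with_indexing(name, value) + encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * repeats

class Decoder:
    """HPACK decoder with the two caps a hardened server should enforce:
    max_fields (a per-request field-count cap, like NGINX's max_headers) and
    max_list_bytes (SETTINGS_MAX_HEADER_LIST_SIZE, measured on decoded size)."""

    def __init__(self, max_fields=None, max_list_bytes=None):
        self.table = []  # newest entry first (RFC 7541 2.3.2); shared by all streams on a connection
        self.max_fields = max_fields
        self.max_list_bytes = max_list_bytes

    def _add(self, name, value):
        self.table.insert(0, (name, value))
        # evict oldest entries until the table fits the default 4096-byte SETTINGS_HEADER_TABLE_SIZE
        while sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.table) > 4096:
            self.table.pop()

    def decode(self, block):
        headers, list_bytes, pos = [], 0, 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:  # indexed header field
                idx, pos = decode_int(block, pos, 7)
                if idx <= STATIC_TABLE_SIZE:
                    raise ValueError("static table not modelled in this example")
                name, value = self.table[idx - STATIC_TABLE_SIZE - 1]
            elif (first & 0xC0) == 0x40:  # literal with incremental indexing
                idx, pos = decode_int(block, pos, 6)
                if idx != 0:
                    raise ValueError("indexed names not modelled in this example")
                nlen, pos = decode_int(block, pos, 7)
                name, pos = bytes(block[pos:pos + nlen]), pos + nlen
                vlen, pos = decode_int(block, pos, 7)
                value, pos = bytes(block[pos:pos + vlen]), pos + vlen
                self._add(name, value)
            else:
                raise ValueError("unsupported representation")
            headers.append((name, value))
            list_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            # both caps are checked per field, before the whole list is materialised
            if self.max_fields is not None and len(headers) > self.max_fields:
                raise ValueError("too many header fields")
            if self.max_list_bytes is not None and list_bytes > self.max_list_bytes:
                raise ValueError("decoded header list too large")
        return headers

def amplification(repeats, value_len=4000):
    """(wire bytes, decoded bytes) for one request carrying the amplified block."""
    block = build_amplified_block(b"x-pad", b"A" * value_len, repeats)
    decoded = Decoder().decode(block)
    return len(block), sum(len(n) + len(v) for n, v in decoded)

def accepts(block, **limits):
    """True if a decoder configured with the given caps accepts the block."""
    try:
        Decoder(**limits).decode(block)
        return True
    except ValueError:
        return False
```

With 10,000 indexed references the block is about 14 KB on the wire and decodes to roughly 40 MB of header data, and on a real connection the literal insertion is paid only once, so every later request costs one byte per header. Note that the article says the proof-of-concept includes a bypass for servers that only cap the number of header fields, which is why the decoder above also enforces a cap on the decoded list size rather than relying on the count alone.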