Description
A memory exhaustion vulnerability in nginx's HTTP/2 implementation allows a remote, unauthenticated attacker to cause a denial of service by combining HPACK decompression amplification with flow-control stalling. Indexed header references consume far more server memory than their wire size, while an INITIAL_WINDOW_SIZE of 0, kept alive by periodic WINDOW_UPDATE frames, holds the allocated memory open indefinitely. The attack bypasses nginx's flood detection because the traffic stays within valid protocol limits. Affected versions include nginx up to 1.29.7; fixed in 1.29.8.
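The flow-control half of the description can be checked for in captured client traffic. The following is an added example, not code from the advisory or from nginx: it parses raw HTTP/2 frames (layout per RFC 9113) from one client connection and flags the pattern the description names, a SETTINGS frame advertising INITIAL_WINDOW_SIZE 0, many streams opened by HEADERS frames, and WINDOW_UPDATE frames whose increments are too small to let any response drain. The thresholds `TINY_INCREMENT` and `MIN_STALLED_STREAMS`, the helper names, and the two sample byte streams are all constructed assumptions for illustration and would need tuning against real traffic.

```python
"""Added example (not from the advisory): a small HTTP/2 frame parser plus a
heuristic that flags the flow-control stalling pattern the description names.
Frame layout follows RFC 9113; thresholds and sample streams are constructed."""
import struct
from dataclasses import dataclass, field

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_SETTINGS = 0x4
TYPE_WINDOW_UPDATE = 0x8
FLAG_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
TINY_INCREMENT = 64       # assumed threshold: increments below this drain nothing useful
MIN_STALLED_STREAMS = 8   # assumed threshold: open streams before the pattern is reported


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> list:
    """Split a raw HTTP/2 byte stream (after the connection preface) into frames."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")      # 24-bit payload length
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop reserved bit
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break  # truncated trailing frame: stop rather than misparse
        frames.append(Frame(ftype, flags, stream_id, data[start:end]))
        off = end
    return frames


@dataclass
class ConnectionStats:
    initial_window_zero: bool = False
    open_streams: set = field(default_factory=set)
    window_updates: int = 0
    tiny_updates: int = 0


def analyse(frames) -> ConnectionStats:
    """Track the client's advertised window, the streams it opens, and its WINDOW_UPDATE sizes."""
    st = ConnectionStats()
    for f in frames:
        if f.ftype == TYPE_SETTINGS and not (f.flags & FLAG_ACK):
            for i in range(0, len(f.payload) - 5, 6):          # 6-byte (identifier, value) pairs
                ident, value = struct.unpack("!HI", f.payload[i:i + 6])
                if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                    st.initial_window_zero = (value == 0)
        elif f.ftype == TYPE_HEADERS and f.stream_id != 0:
            st.open_streams.add(f.stream_id)
        elif f.ftype == TYPE_WINDOW_UPDATE and len(f.payload) == 4:
            increment = struct.unpack("!I", f.payload)[0] & 0x7FFFFFFF
            st.window_updates += 1
            if increment < TINY_INCREMENT:
                st.tiny_updates += 1
    return st


def is_stalling_pattern(st: ConnectionStats) -> bool:
    """Zero initial window, many open streams, and every WINDOW_UPDATE too small to drain a response."""
    return (st.initial_window_zero
            and len(st.open_streams) >= MIN_STALLED_STREAMS
            and st.window_updates > 0
            and st.tiny_updates == st.window_updates)


def _frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame; used only to build the constructed samples below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)


def sample_stalling_connection() -> bytes:
    """Constructed sample: window 0, ten streams, three 1-byte connection-level WINDOW_UPDATEs."""
    data = _frame(TYPE_SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))
    for i in range(10):
        # END_STREAM|END_HEADERS; payload is two HPACK indexed fields (:method GET, :path /)
        data += _frame(TYPE_HEADERS, 0x5, 2 * i + 1, b"\x82\x84")
    for _ in range(3):
        data += _frame(TYPE_WINDOW_UPDATE, 0, 0, struct.pack("!I", 1))
    return data


def sample_normal_connection() -> bytes:
    """Constructed sample: default-sized window, one stream, one large WINDOW_UPDATE."""
    data = _frame(TYPE_SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 65535))
    data += _frame(TYPE_HEADERS, 0x5, 1, b"\x82\x84")
    data += _frame(TYPE_WINDOW_UPDATE, 0, 0, struct.pack("!I", 65535))
    return data


if __name__ == "__main__":
    for name, fn in (("stalling", sample_stalling_connection), ("normal", sample_normal_connection)):
        print(name, is_stalling_pattern(analyse(parse_frames(fn()))))
```

The heuristic keys only on frames the client sends, so it can run on a mirrored or captured client-to-server stream; a real deployment would also want per-connection age and the count of streams that have been open with a zero window for longer than a normal request, since the description's point is that every individual frame here is protocol-legal and flood counters alone do not trip.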
Remediation
References