LiquidFiles Documentation

CVE-2026-49975 — HTTP/2 Bomb

On the 3rd of June, 2026, the "HTTP/2 Bomb" attack was published. It is a remote, unauthenticated denial-of-service attack against the default HTTP/2 configuration of most major web servers, including Nginx, Apache httpd, Microsoft IIS, Envoy and Cloudflare Pingora. It is tracked as CVE-2026-49975 and has been scored as high as 9.8 (CRITICAL) by security scanners.

The attack combines two HTTP/2 protocol features. The first is HPACK indexed-reference amplification: each 1-byte indexed header reference on the wire forces the server to allocate roughly 70 bytes of internal bookkeeping, and because no large header values are involved, this bypasses limits on decoded header size. The second is a flow-control stall: the attacker advertises a zero-byte receive window, so the server can neither send its response nor free the memory it has allocated. Roughly 16 KB sent per stream pins about 1 MB of server memory indefinitely, so a single attacker on a modest connection can exhaust the server's memory.

A note on the CVE number: CVE-2026-49975 was formally assigned to Apache HTTP Server. Nginx fixed the same attack class without a separate CVE by introducing the max_headers directive in Nginx 1.29.8, which caps the number of header fields per request. Security scanners commonly report the issue against any affected web server under this CVE number.

Impact to LiquidFiles

Does this impact LiquidFiles? Yes.

LiquidFiles versions before v4.2.11 ship Nginx 1.26.0 with HTTP/2 enabled, which does not limit the number of header fields per request and is therefore vulnerable to this attack. An unauthenticated attacker could exhaust the appliance's memory and make it unresponsive until the attack stops or the system is restarted.

This is a denial of service attack only — it does not expose any data, does not provide any access, and does not compromise the system in any other way.

This is fixed in LiquidFiles v4.2.11

LiquidFiles v4.2.11 updates the bundled Nginx to 1.30.2 and explicitly sets the max_headers directive to 1000, which caps the number of header fields per request and defeats the amplification that this attack depends on.
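To confirm the protection on an updated system, or on any other host where the nginx binary is on PATH, here is an added check script. It is an example written for this page, not LiquidFiles' or Nginx's own code. It takes the version threshold (1.29.8) and the directive name (max_headers) from the text above rather than verifying them independently, uses nginx -v and nginx -T (the latter dumps the tested configuration and usually needs root), and includes two constructed configuration fragments, one with the cap and one without, so the parsing can be exercised without nginx installed.

```shell
#!/bin/sh
# Added example: check that the Nginx on this host has the header-count cap
# this page describes. Not LiquidFiles' or Nginx's code.
# Assumptions taken from the page (not independently verified here):
#   - Nginx >= 1.29.8 provides the max_headers directive
#   - LiquidFiles v4.2.11 ships Nginx 1.30.2 with "max_headers 1000;"

MIN_NGINX_VERSION="1.29.8"   # first release with max_headers, per the page

# version_ge HAVE WANT: exit 0 if dotted numeric version HAVE >= WANT, else 1.
version_ge() {
    have="$1"
    want="$2"
    while [ -n "$have" ] || [ -n "$want" ]; do
        h="${have%%.*}"
        w="${want%%.*}"
        if [ "$have" = "$h" ]; then have=""; else have="${have#*.}"; fi
        if [ "$want" = "$w" ]; then want=""; else want="${want#*.}"; fi
        h="${h:-0}"
        w="${w:-0}"
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# nginx_version: print the version of the nginx binary on PATH ("" if none).
nginx_version() {
    command -v nginx >/dev/null 2>&1 || { echo ""; return 0; }
    # "nginx version: nginx/1.30.2" is printed on stderr
    nginx -v 2>&1 | sed -n 's#.*nginx/\([0-9.]*\).*#\1#p'
}

# config_max_headers: read an nginx configuration on stdin and print the value
# of the first active (uncommented) "max_headers N;" directive, or nothing.
config_max_headers() {
    sed -n 's/^[[:space:]]*max_headers[[:space:]]\{1,\}\([0-9]\{1,\}\)[[:space:]]*;.*/\1/p' | head -n 1
}

# config_caps_headers: exit 0 if the configuration on stdin sets max_headers.
config_caps_headers() {
    [ -n "$(config_max_headers)" ]
}

# Constructed samples of the relevant part of nginx.conf (illustrative only;
# the real appliance configuration is not reproduced here).
SAMPLE_FIXED_CONF='
http {
    max_headers 1000;      # cap on header fields per request (the fix)
    server {
        listen 443 ssl;
        http2 on;
    }
}'
SAMPLE_VULNERABLE_CONF='
http {
    # max_headers 1000;    # commented out: no cap, amplification possible
    server {
        listen 443 ssl;
        http2 on;
    }
}'

# report: inspect the nginx installed on this host.
report() {
    ver="$(nginx_version)"
    if [ -z "$ver" ]; then
        echo "nginx not found on PATH"
        return 2
    fi
    if ! version_ge "$ver" "$MIN_NGINX_VERSION"; then
        echo "nginx $ver: older than $MIN_NGINX_VERSION, max_headers unavailable; update"
        return 1
    fi
    if ! conf="$(nginx -T 2>/dev/null)"; then
        echo "nginx $ver: could not dump the configuration (run as root?)"
        return 2
    fi
    cap="$(printf '%s\n' "$conf" | config_max_headers)"
    if [ -z "$cap" ]; then
        echo "nginx $ver: supports max_headers but no cap is configured"
        return 1
    fi
    echo "nginx $ver: max_headers $cap (header-count cap active)"
    return 0
}

# Offline demonstration on the constructed samples.
echo "fixed sample:      max_headers=$(printf '%s\n' "$SAMPLE_FIXED_CONF" | config_max_headers)"
echo "vulnerable sample: max_headers=$(printf '%s\n' "$SAMPLE_VULNERABLE_CONF" | config_max_headers)"

# Live check, only when nginx is installed on this host.
if command -v nginx >/dev/null 2>&1; then
    report || echo "nginx check did not pass (see message above)"
fi
```

The version comparison is numeric per dotted component, so 1.30.2 sorts above 1.29.8 as intended; a packaging suffix would be stripped by the sed in nginx_version before comparison. nginx -T is used instead of reading nginx.conf directly because it resolves include files, so a cap set in an included file is still found.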

Please update to LiquidFiles v4.2.11 or later. No other action is required — the protection is built into the standard configuration and applies automatically after the update.