HTTP/2 Bomb Check

Check whether a web server is vulnerable to CVE-2026-49975 by reading the Server header it returns.

Private, loopback and cloud metadata addresses are not allowed.

What is CVE-2026-49975?

Known as the HTTP/2 Bomb, it chains an HPACK decompression bomb (≈ 4,000× amplification) with Slowloris-style flow-control retention. It exhausts the server’s memory with as little as 100 Mbps of bandwidth — a home PC is enough.

Known affected servers

  • Apache HTTP Server < 2.4.64 (patched in 2.4.64, late May 2026)
  • NGINX pre-April 2026 (check the F5 advisory)
  • Microsoft IIS — no public patch
  • Envoy — no public patch
  • Cloudflare Pingora — no public patch

This check relies solely on the Server header advertised by the host. A server may have been patched through a module, a WAF or a load balancer without the header reflecting it, and vice versa. Treat the result as an indicator, not an audit.
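The logic such a header-based check needs, written here as an added example rather than the tool's own code: a target guard that refuses private, loopback and metadata addresses, and a classifier that maps a Server header to a verdict using only the thresholds listed above. The Envoy and Pingora header strings, and the hostname list in the guard, are assumptions; the HTTP request itself is left to the caller so the block runs offline.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Version threshold stated on this page; the other listed servers have no public patch.
APACHE_FIXED = (2, 4, 64)

def is_blocked_target(host: str) -> bool:
    """Refuse private, loopback, link-local (incl. 169.254.169.254 metadata) and reserved
    addresses. Only literal IPs are tested here; a real tool must also resolve hostnames
    and re-check every resolved address, or the guard is trivially bypassed by DNS."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Assumed hostname deny-list; extend as needed for other metadata endpoints.
        return host.lower() in {"localhost", "metadata.google.internal"}
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved

def classify_server_header(server: str) -> str:
    """Return 'vulnerable', 'patched', 'check-advisory' or 'unknown' for a Server header."""
    s = server.strip()
    m = re.match(r"Apache(?:/(\d+)\.(\d+)\.(\d+))?", s, re.I)
    if m:
        if not m.group(1):
            return "unknown"            # version hidden (e.g. ServerTokens Prod)
        version = tuple(int(g) for g in m.groups())
        return "vulnerable" if version < APACHE_FIXED else "patched"
    if re.match(r"nginx", s, re.I):
        return "check-advisory"         # page gives a date, not a version: see F5 advisory
    if re.match(r"Microsoft-IIS|envoy|Pingora", s, re.I):
        return "vulnerable"             # page: no public patch (envoy/Pingora strings assumed)
    return "unknown"

def check(url: str, server_header: Optional[str]) -> dict:
    """Combine the target guard with the header classifier for one URL."""
    host = urlparse(url).hostname or ""
    if not host or is_blocked_target(host):
        return {"host": host, "verdict": "refused", "reason": "private, loopback or metadata address"}
    if not server_header:
        return {"host": host, "verdict": "unknown", "reason": "no Server header returned"}
    return {"host": host, "verdict": classify_server_header(server_header), "header": server_header}

if __name__ == "__main__":
    # Constructed sample headers; no network access is performed.
    for url, hdr in [("https://example.com/", "Apache/2.4.58 (Ubuntu)"),
                     ("https://example.com/", "nginx/1.27.0"),
                     ("http://169.254.169.254/", "Apache/2.4.58")]:
        print(check(url, hdr))
```

Whatever the verdict, it still inherits the caveat above: a header is an indicator of the stack, not proof of the patch state behind a WAF or load balancer.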