RHSB-2026-007 HTTP/2 HPACK Denial of Service - httpd, nginx, Envoy (CVE-2026-49975, CVE-2026-47774) - "HTTP/2 Bomb"
Executive Summary
Multiple denial-of-service vulnerabilities have been discovered in HTTP/2 server implementations. They target HPACK, the header compression scheme used by HTTP/2, where a small request can trigger large memory allocations on the server. The flaws have been assigned CVE-2026-49975 (Apache httpd) and CVE-2026-47774 (Envoy); no CVE has been assigned to the nginx issue yet. All have been rated with a severity impact of Important. Other implementations are also affected, but they are not used in Red Hat products.
The investigation is ongoing and this bulletin will be updated as new information emerges.
Affected Products
The following Red Hat product versions are directly affected:
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
- Red Hat OpenShift Service Mesh 2
- Red Hat OpenShift Service Mesh 3
Further, any Red Hat product which is supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted. This includes:
- Product containers that are based on the RHEL or UBI container images. These images are updated regularly; whether a fix for this flaw is available for a given image can be seen in the Container Health Index, part of the Red Hat Container Catalog. In addition, any customer containers should be rebuilt when the base images are updated.
- Products that pull packages from the RHEL channel (this includes layered products such as Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Virtualization, and others). Please ensure that the underlying HTTP/2 servers are current in these product environments.
Mitigation
Overall Guidance
Disabling HTTP/2 support is the only known mitigation at this time. Further component-specific guidance will be provided as the investigation progresses.
Apache httpd (CVE-2026-49975)
Warning: This change forces httpd to serve only HTTP/1.1 on the virtual hosts where it is applied.
Add the following line to the configuration of each virtual host that currently enables HTTP/2. A Protocols directive inside a <VirtualHost> overrides the server-level one, so setting Protocols http/1.1 only at the server level leaves HTTP/2 enabled in any virtual host that has its own Protocols directive listing h2 or h2c:
Protocols http/1.1
The httpd service must be restarted for this change to take effect:
systemctl restart httpd
nginx
Add the following directive to the http, server or location context of the configuration file. The http2 directive exists in nginx 1.25.1 and later; in earlier versions HTTP/2 is enabled by the http2 parameter of the listen directive, and that parameter must be removed from every listen directive instead (remove any remaining http2 listen parameter in newer versions as well). Reload or restart nginx for the change to take effect:
http2 off;
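The following script is an added verification helper for the httpd and nginx steps above; it is not part of the Red Hat bulletin nor of the httpd or nginx projects. It lists configuration lines that still enable HTTP/2 (an httpd Protocols directive naming h2 or h2c, nginx "http2 on;", or the pre-1.25.1 "listen ... http2" parameter), then probes a live endpoint with openssl s_client offering only h2 via ALPN, since a server with HTTP/2 disabled cannot select it. It assumes POSIX sh with grep, awk and openssl; the directories /etc/httpd and /etc/nginx, the file name h2check.sh and any host names are assumptions for this example.

```shell
#!/bin/sh
# Added verification helper (not part of the Red Hat bulletin).
# 1. h2_config_lines: list configuration lines that still enable HTTP/2.
#    An httpd <VirtualHost> with its own Protocols directive overrides the
#    server-level one, so every match must be fixed, not only the global one.
# 2. h2_offered: probe a live endpoint, offering only h2 via ALPN; a server
#    with HTTP/2 disabled cannot select it.
# Assumptions: POSIX sh, grep -r/-E, awk and openssl are available; the
# directories and host names used in main() are examples.

# h2_config_lines DIR: print file:line:text for each directive under DIR that
# enables HTTP/2. Commented-out lines are skipped because every pattern is
# anchored at the start of the line (after optional whitespace).
h2_config_lines() {
    grep -rnEi \
        -e '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)' \
        -e '^[[:space:]]*http2[[:space:]]+on[[:space:]]*;' \
        -e '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:]]|;)' \
        "$1"
}

# h2_config_count DIR: number of such lines; 0 means the static check passes.
h2_config_count() {
    h2_config_lines "$1" | wc -l | tr -d ' '
}

# alpn_from_sclient: read "openssl s_client" output on stdin and print the
# protocol the server selected ("h2", "http/1.1", ...) or "none" when it
# selected nothing (no ALPN line, "No ALPN negotiated", or a failed handshake).
alpn_from_sclient() {
    awk '/^ALPN protocol: / { sub(/^ALPN protocol: /, ""); print; found = 1; exit }
         /^No ALPN negotiated/ { print "none"; found = 1; exit }
         END { if (!found) print "none" }'
}

# h2_offered HOST [PORT] [SNI]: exit 0 if HOST still negotiates h2, 1 otherwise.
# Only h2 is offered on purpose: offering "h2,http/1.1" can report http/1.1 on a
# server that honors its own preference order while it still accepts h2.
h2_offered() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    proto=$(openssl s_client -connect "$host:$port" -servername "$sni" -alpn h2 \
                </dev/null 2>/dev/null | alpn_from_sclient)
    [ "$proto" = "h2" ]
}

# main [HOST ...]: audit the usual configuration directories, then probe each host.
main() {
    for dir in /etc/httpd /etc/nginx; do
        [ -d "$dir" ] || continue
        echo "== HTTP/2 directives under $dir (expect none after mitigation):"
        h2_config_lines "$dir" || echo "   none"
    done
    for host in "$@"; do
        if h2_offered "$host"; then
            echo "$host: still negotiates h2, mitigation NOT effective"
        else
            echo "$host: h2 not offered"
        fi
    done
}

# Usage: sh h2check.sh www.example.com   (runs only when at least one host is given)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it after the httpd restart or nginx reload. Any file:line output from the static check, or a "still negotiates h2" line from the probe, means a virtual host or listener was missed; the probe is the authoritative check because it observes what the running server actually negotiates.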
Envoy (CVE-2026-47774)
Mitigation guidance is being developed and will be provided in a future update to this bulletin.
References
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb