Stefan,
On 6/4/26 4:22 PM, Stefan Mayr wrote:
> can anyone tell if Tomcat is affected by CVE-2026-49975 (HTTP/2 Bomb)?
I was looking at this today and getting ready to review the past h2
fixes in Tomcat.
This recently-reported "vulnerability" is basically two separate,
previously-reported issues that can affect http/2: HPACK compression
bomb and Slowloris.
Tomcat has separately fixed related issues in the past:
1. Excessive stream count (CVE-2025-53506)
2. Excessive header count (CVE-2024-34750)
3. Late stream reset when limits exceeded (CVE-2024-24549)
Slowloris is always an "issue" but that can be handled with appropriate
timeouts. It's always difficult to protect against this kind of attack
when you also have legitimate clients who are just naturally slow.
Just remember: every request to a web server is basically an attack. The
only thing that makes something "bad" is if it's worse than normal users
hammering-away on your server with legitimate traffic.
Reading https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb and
https://github.com/califio/publications/tree/main/MADBugs/http2-bomb it
looks like the attack and blast radius is very implementation specific.
> If yes, the short term solution could be to disable HTTP/2.
Feel free to disable http/2, but my analysis is that Tomcat is as
protected as it can be at this point. I don't believe Tomcat is affected
by CVE-2026-49975.
-chris
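As an added illustration of the "appropriate timeouts" point above (this is an editor's example, not configuration from the thread or from the Tomcat project), here is a server.xml connector with HTTP/2 enabled and the timeout and limit attributes that bound slow clients, stream counts and header sizes set explicitly. The attribute names are the ones Tomcat documents for the NIO connector and its Http2Protocol upgrade protocol; the numeric values are illustrative starting points rather than recommended defaults, and the keystore path and password are placeholders.

```xml
<!-- Added example (not from the thread or the Tomcat project): an HTTPS
     connector with HTTP/2 enabled, with the knobs that bound slow-client
     (Slowloris-style) and oversized-header behaviour set explicitly.
     Values are illustrative; tune them to your own traffic. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="200"
           maxConnections="8192"
           connectionTimeout="10000"
           keepAliveTimeout="15000"
           maxHttpHeaderSize="8192"
           maxHeaderCount="100">
    <SSLHostConfig>
        <!-- placeholder keystore; replace with your own -->
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.p12"
                     certificateKeystorePassword="PLACEHOLDER"
                     type="RSA" />
    </SSLHostConfig>
    <!-- HTTP/2 limits: connection-level read/write timeouts catch clients
         that stall mid-frame, stream-level timeouts catch stalled streams,
         and the count/size caps bound HPACK-decoded header growth. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     readTimeout="5000"
                     writeTimeout="5000"
                     keepAliveTimeout="20000"
                     streamReadTimeout="20000"
                     streamWriteTimeout="20000"
                     maxConcurrentStreams="100"
                     maxHeaderCount="100"
                     maxHeaderSize="8192"
                     maxTrailerCount="100"
                     maxTrailerSize="8192"
                     overheadCountFactor="10"
                     overheadDataThreshold="1024"
                     overheadWindowUpdateThreshold="1024" />
</Connector>
```

The overhead* attributes are Tomcat's per-connection accounting for clients that send many tiny frames; once the accumulated overhead crosses the threshold the connection is closed. Because several of these defaults changed in the fixes listed in the thread, check the HTTP/2 Upgrade Protocol documentation for the exact Tomcat version you run before copying values.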