HTTP/2 Bomb DoS Vulnerability: CVE-2026-49975

Posted: June 3, 2026
Category: Security Advisory
Severity: High for public HTTP/2 endpoints

Reliable Penguin is aware of public reports regarding CVE-2026-49975, also referred to as the HTTP/2 Bomb vulnerability.

This issue may allow a remote attacker to exhaust server memory on affected HTTP/2-enabled web servers, potentially causing service disruption or denial of service. Public reporting indicates that the issue relates to HTTP/2 header compression behavior and may affect multiple web server and proxy implementations, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Current status

Reliable Penguin is reviewing managed server environments and applying appropriate mitigations.

At this point, no customer action is necessary.

We will provide updates as they become available.

What customers should do

No action is required from Reliable Penguin managed hosting customers at this time.

Customers with questions may open a support request through the Reliable Penguin help desk.
