One Byte In, One Full Allocation Out
CVE-2026-49160, disclosed in Microsoft's June 2026 Patch Tuesday, is a denial-of-service vulnerability in HTTP/2's HPACK header compression scheme. Researchers call it the 'HTTP/2 Bomb.' The technique combines a compression bomb targeting HPACK with a Slowloris-style connection hold that prevents the server from freeing memory. One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request.
Against Apache httpd and Envoy, a single client on a 100 Mbps connection can consume and hold 32GB of server memory in roughly 20 seconds. Common limits on decoded header size do not stop the attack because the exploit targets memory consumed by server-side bookkeeping, not decoded header values.
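To make the one-byte-to-one-header expansion concrete, here is an added example written for this edit (not code from the post or from the researchers): a small decoder for HPACK indexed header fields that counts how many table entries, and how many bytes of per-entry accounting, a run of wire bytes expands into, and stops at a field cap. The static-table subset, the cap, and the sample block are assumptions for illustration.

```python
# Added example (not the post's or the researchers' code): decode HPACK
# *indexed* header fields (RFC 7541 section 6.1) and measure how many header
# entries, and how many bytes of per-entry bookkeeping (RFC 7541 section 4.1:
# len(name) + len(value) + 32), a run of wire bytes expands into.
# Only the static-table subset below is resolved; literal fields and the
# dynamic table are out of scope for this illustration.

STATIC_TABLE = {2: (":method", "GET"), 4: (":path", "/"), 7: (":scheme", "https")}
ENTRY_OVERHEAD = 32  # per-entry accounting constant from RFC 7541 section 4.1

def decode_int(block: bytes, pos: int, prefix_bits: int) -> tuple[int, int]:
    """RFC 7541 section 5.1 integer decoding; returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value = block[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:  # continuation bytes, 7 value bits each, high bit = more
        b = block[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def measure_indexed_block(block: bytes, max_fields: int) -> dict:
    """Count decoded fields and bookkeeping bytes; stop once max_fields is passed."""
    fields = bookkeeping = pos = 0
    while pos < len(block):
        if not block[pos] & 0x80:
            raise ValueError("only indexed representations are handled here")
        index, pos = decode_int(block, pos, 7)
        if index not in STATIC_TABLE:
            raise ValueError(f"index {index} is outside the static-table subset")
        name, value = STATIC_TABLE[index]
        fields += 1
        bookkeeping += len(name) + len(value) + ENTRY_OVERHEAD
        if fields > max_fields:  # stop before committing more server memory
            break
    return {"ok": fields <= max_fields, "fields": fields,
            "wire_bytes": pos, "bookkeeping_bytes": bookkeeping}

# Constructed sample: 64 copies of 0x82 (static index 2 -> ":method: GET"),
# the one-byte-per-header pattern the post describes.
SAMPLE_BLOCK = bytes([0x82]) * 64
```

On the sample block every wire byte turns into 42 bytes of table accounting, which is why a cap on the number of decoded fields per block, checked while decoding, bounds the cost earlier than a limit on decoded header size alone.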
Why Legacy CMS Servers Are the Softest Targets
The HTTP/2 Bomb affects every web server that supports HTTP/2. But not every server has the same resilience. A WordPress site running on a shared hosting plan with 512MB–1GB of RAM reaches memory exhaustion in seconds. A static site served from a CDN edge node with auto-scaling never runs a vulnerable web server process at all.
This is the architectural divide that WebPulse measures. Legacy CMS frameworks require a persistent application server — Apache or NGINX running PHP-FPM — that must be online, memory-resident, and processing HTTP/2 connections. Modern static-first frameworks deploy to edge networks where the CDN absorbs the protocol-level attack. The origin server either doesn't exist or handles only API calls behind rate limiting.
The Mitigation Story Is Also a Framework Story
Patches are available from Microsoft (HTTP.sys), Apache, NGINX, Envoy, and Cloudflare (Pingora). But patching a web server requires access to the server. WordPress sites on managed hosting depend on the hosting provider to patch. Self-hosted Drupal and Joomla sites require manual server administration. Static sites deployed to Cloudflare Pages, Vercel, or Netlify inherit the platform's patching — no action required.
The pattern repeats with every infrastructure-level vulnerability: the more abstraction between the application and the protocol layer, the faster the mitigation. Framework choice determines not just the application attack surface but the infrastructure attack surface.