So the vulnerability cut across all five implementations they tested. "But when five independent implementations all read that section and still ship the same class of bug, the defect is in the spec." Yeah, fair.
6: nilab 2026/06/05 15:41
"We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers" "We disclosed to Apache on May 27, and Stefan Eissing fixed it on the same day by making cookie headers count against LimitRequestFields. The issue was assigned CVE-2026-49975."
Codex Discovered a Hidden HTTP/2 Bomb
Ugh, there are way too many security updates lately, it's exhausting 😩
An AI finding a combination of zero-days that humans overlooked for ten years is, quietly, a paradigm shift for the security world. Time to patch.
There are probably tons of these out there.
Codex discovered HTTP/2 Bomb. It combines HPACK 1-byte indexed references with a zero-byte flow-control window to trigger DoS in nginx, Apache, IIS, Envoy, and Pingora. In Apache it is CVE-2026-49975.