
HTTP/2 Bomb: A New Reminder That Availability Is Security


When discussing cybersecurity, the focus is often on data breaches and unauthorised access. However, service availability is equally critical. A recently disclosed vulnerability known as HTTP/2 Bomb (CVE-2026-49975) affects HAProxy deployments that process HTTP/2 traffic. The issue allows an attacker to trigger excessive resource consumption using specially crafted HTTP/2 requests, potentially leading to service degradation or denial of service. While the vulnerability does not provide direct access to systems or data, it highlights an important reality: even mature infrastructure components can become targets for attacks aimed at disrupting operations.

⚠️ Why This Matters

For organisations running customer-facing applications, APIs, or microservices, availability is often just as important as confidentiality. A successful denial-of-service attack can result in:

▪️ Service interruptions
▪️ Degraded user experience
▪️ Increased infrastructure costs
▪️ Operational overhead during incident response

As modern architectures increasingly rely on reverse proxies and load balancers, infrastructure resilience becomes a key part of security strategy.

✅ Recommended Actions

Organisations should:

▪️ Review whether affected versions are deployed
▪️ Upgrade to vendor-provided patched releases
▪️ Validate HTTP/2 configurations and exposure
▪️ Monitor resource utilisation and traffic anomalies
▪️ Maintain a regular patch management process for critical infrastructure components

