HTTP/2 Bomb Exploit (CVE-2026-49975) Discovered by OpenAI's Codex Can Knock Web Servers Offline in Seconds
A new exploit, CVE-2026-49975, discovered by OpenAI's Codex, can rapidly take down web servers running default HTTP/2 configurations by chaining a compression bomb with Slowloris-style connection holding. The flaw requires no authentication or special privileges.
Context
CVE-2026-49975, identified by OpenAI's Codex, is a newly disclosed vulnerability that combines a compression-bomb technique with connection-holding tactics similar to the Slowloris attack. The flaw lets attackers target web servers without authentication or special access, which lowers the bar for misuse. HTTP/2 is widely adopted for its performance benefits, which increases the urgency of addressing this issue.
Why it matters
The discovery of CVE-2026-49975 is significant because it poses a serious threat to web servers using default HTTP/2 configurations. This exploit can lead to widespread service disruptions, affecting businesses and users reliant on these servers. Understanding and addressing such vulnerabilities is crucial for maintaining internet stability and security.
Implications
The implications of CVE-2026-49975 are broad, affecting not only web server operators but also end-users who rely on these services. Businesses may face downtime and financial losses due to service interruptions. Increased awareness and proactive measures will be necessary to protect against such vulnerabilities in the future.
What to watch
Near-term developments will likely include responses from web server providers and security experts as they assess the vulnerability. Updates or patches may be released to mitigate the risk associated with this exploit. Monitoring for potential attacks using this exploit will be essential in the coming weeks.