Nginx Memory Allocation with Excessive Size Value Vulnerability - CVE-2026-49975

A memory exhaustion vulnerability in nginxs HTTP/2 implementation allows a remote unauthenticated attacker to cause denial of service by combining HPACK decompression amplification with flow-control stalling. Indexed header references consume far more server memory than their wire size while INITIAL_WINDOW_SIZE0 with periodic WINDOW_UPDATE frames hold allocated memory open indefinitely. The attack bypasses nginxs flood detection as traffic remains within valid protocol limits. Affected versions include nginx up to 1.29.7 fixed in 1.29.8.