Nginx Memory Allocation with Excessive Size Value Vulnerability (CVE-2026-49975)
Description
A memory exhaustion vulnerability in nginx's HTTP/2 implementation allows a remote unauthenticated attacker to cause denial of service by combining HPACK decompression amplification with flow-control stalling. Indexed header references consume far more server memory than their wire size, while INITIAL_WINDOW_SIZE=0 with periodic WINDOW_UPDATE frames hold allocated memory open indefinitely. The attack bypasses nginx's flood detection as traffic remains within valid protocol limits. Affected versions include nginx up to 1.29.7; fixed in 1.29.8.