[Vulnerability Advisory] Apache mod_http2 Remote Denial of Service Vulnerability (CVE-2026-49975)

Published 2026-06-04

1. Vulnerability Overview




Apache HTTP Server is open-source web server software released by the Apache Software Foundation and is widely used for Internet websites, enterprise portals, API services and cloud platforms. It supports HTTP/1.1, HTTP/2, TLS, reverse proxying and modular extension, is highly extensible and cross-platform, and is one of the most widely deployed web infrastructure components worldwide.


On June 4, 2026, the mansion88 Mingsheng Security Emergency Response Center (VSRC) detected a remote denial-of-service vulnerability in Apache mod_http2. The vulnerability stems from a resource management flaw in the interaction between the HTTP/2 HPACK header compression mechanism and the flow-control window handling logic: an attacker can send a large number of Indexed Header references (each only a byte or so on the wire, but each expanding to a full header on the server) and combine them with a zero INITIAL_WINDOW_SIZE so that the responses can never be flushed and released, keeping the allocated server memory pinned. An unauthenticated remote attacker can therefore trigger large-scale memory allocation at very low bandwidth cost, causing severe performance degradation, pushing the system into swap, or making the service unavailable, with a direct impact on business continuity and availability.



2. Affected Scope



mod_http2 < 2.0.41

nginx < 1.29.8

Apache HTTP Server 2.4.x (affected when mod_http2 is loaded and HTTP/2 is enabled)

Envoy <= 1.37.2

Microsoft IIS (Windows Server 2025 with HTTP/2 enabled)

Cloudflare Pingora <= 0.8.0 (the version verified in the public research)



3. Security Measures



3.1 Upgrade


Official fixes or mitigation updates have been released for some of the affected components; users are advised to upgrade as soon as possible.

mod_http2 >= 2.0.41

nginx >= 1.29.8

Apache HTTP Server users should watch for the next official 2.4.x security release and confirm that it bundles mod_http2 v2.0.41 or a later fixed version.


3.2 Temporary Mitigations


If upgrading is not immediately possible, the following measures are recommended:

Disable the HTTP/2 protocol and serve HTTP/1.1 only

Apache HTTP Server configuration:

Protocols http/1.1

nginx configuration:

http2 off

Limit the number of header fields and Cookie fields per request

Lower the header size limits such as LimitRequestFieldSize (Apache only)

Enable header count limits, anomalous request filtering and connection cleanup at the front-end CDN, WAF or reverse proxy layer

Cap worker process memory (cgroups, ulimit or container limits) so that a single attacked worker cannot exhaust host memory

Monitor for anomalous HTTP/2 connections, stalled flow-control windows, worker memory usage and swap usage

For IIS, Envoy and Cloudflare Pingora users: if an official patch is not yet available, temporarily disable HTTP/2, or enforce header count limits, connection timeout controls and resource usage limits at the front proxy, CDN or WAF layer.
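The following script is an added example, not part of this advisory or of any vendor tooling. It covers two checks from sections 2 and 3.2 above: comparing an inventory of component versions against the affected ranges listed in this advisory, and scanning httpd or nginx configuration text for lines that still enable HTTP/2 after the "serve HTTP/1.1 only" mitigation was supposed to be applied. The sample configuration snippets are constructed for the example and the function names are my own.

```python
"""Check component versions and web server configs against the advisory.

Added example, not vendor code. Affected ranges are taken verbatim from the
advisory; the configuration samples below are constructed test inputs.
"""
import re

# Affected version ranges exactly as listed in the advisory.
# Apache HTTP Server 2.4.x itself is affected only when mod_http2 is
# enabled, so it is covered by the mod_http2 entry plus the config audit.
AFFECTED_RANGES = {
    "mod_http2": ("<", "2.0.41"),
    "nginx": ("<", "1.29.8"),
    "envoy": ("<=", "1.37.2"),
    "pingora": ("<=", "0.8.0"),
}


def parse_version(text):
    """Turn '1.29.8' or 'nginx/1.29.8' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError("no version number in %r" % text)
    return tuple(int(n) for n in nums)


def is_affected(component, version):
    """True if the given component version falls inside the advisory's range.

    Distribution builds that backport the fix under an older version number
    (e.g. '2.0.40-3') are NOT recognised here; check the vendor changelog.
    """
    op, boundary = AFFECTED_RANGES[component.lower()]
    have, fixed = parse_version(version), parse_version(boundary)
    return have < fixed if op == "<" else have <= fixed


# Directives that turn HTTP/2 on.
# Apache: 'Protocols h2 h2c http/1.1' (h2 = TLS, h2c = cleartext).
# nginx:  'http2 on;' (1.25.1+) or the older 'listen 443 ssl http2;' flag.
_APACHE_H2 = re.compile(r"^\s*Protocols\s+.*\bh2c?\b", re.I)
_NGINX_H2 = re.compile(r"^\s*(http2\s+on|listen\s+.*\bhttp2\b)", re.I)


def http2_enabled_lines(conf, server):
    """Return (line_no, text) for every uncommented line that enables HTTP/2.

    server is 'apache' or 'nginx'. An empty list means the mitigation
    'Protocols http/1.1' / 'http2 off' is in force for every vhost scanned.
    """
    pattern = _APACHE_H2 if server == "apache" else _NGINX_H2
    hits = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if pattern.search(line):
            hits.append((no, line.strip()))
    return hits


# Constructed sample inputs, not taken from any real host.
SAMPLE_APACHE = """\
Protocols h2 http/1.1          # vhost A: HTTP/2 still on
<VirtualHost *:8443>
    Protocols http/1.1         # vhost B: mitigated
</VirtualHost>
# Protocols h2c http/1.1       # commented out, must not match
"""

SAMPLE_NGINX = """\
server {
    listen 443 ssl http2;      # legacy listen flag enables HTTP/2
}
server {
    http2 on;                  # 1.25.1+ directive form
}
server {
    listen 443 ssl;
    http2 off;                 # mitigated
}
"""

if __name__ == "__main__":
    inventory = {"mod_http2": "2.0.40", "nginx": "nginx/1.29.8", "envoy": "1.37.2"}
    for comp, ver in inventory.items():
        print("%-10s %-14s %s" % (comp, ver, "AFFECTED" if is_affected(comp, ver) else "ok"))
    for name, conf, kind in (("httpd", SAMPLE_APACHE, "apache"), ("nginx", SAMPLE_NGINX, "nginx")):
        for no, text in http2_enabled_lines(conf, kind):
            print("%s: line %d still enables HTTP/2: %s" % (name, no, text))
```

Run it against the output of `nginx -v` and the httpd configuration files actually included by the running server (the scanner only sees the text you hand it, so follow `Include` and `include` directives yourself). A version that is not flagged is not proof of safety on distributions that backport fixes without bumping the version string; for those, confirm the fix from the package changelog.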


3.3 General Recommendations


Apply system patches regularly to reduce exposure to known vulnerabilities and improve server security.

Strengthen access control for systems and networks, review firewall policies, close unnecessary ports and services, avoid exposing risky services (such as SSH and RDP) to the public Internet, and reduce the attack surface.

Use enterprise-grade security products to improve the organization's network security capabilities.

Strengthen user and privilege management, enable multi-factor authentication, and apply the principle of least privilege so that user and software privileges stay at the minimum required.

Enforce a strong password policy with periodic password changes.


3.4 References


https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb/

https://github.com/califio/publications/tree/main/MADBugs/http2-bomb