Hi,

can anyone tell if Tomcat is affected by CVE-2026-49975 (HTTP/2 Bomb)?

Reading https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb and https://github.com/califio/publications/tree/main/MADBugs/http2-bomb it looks like the attack and blast radius are very implementation-specific.

If yes, the short term solution could be to disable HTTP/2.

- Stefan

