On 04/06/2026 21:46, Christopher Schultz wrote:

<snip/>

Just remember: every request to a web server is basically an attack. The only thing that makes something "bad" is if it's worse than normal users hammering away on your server with legitimate traffic.

Big +1 to this.

As an aside, we are seeing an increasing number of (largely AI generated) reports that seem to miss that point.

Reading https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb and https://github.com/califio/publications/tree/main/MADBugs/http2-bomb it looks like the attack and blast radius are very implementation specific.

If yes, the short term solution could be to disable HTTP/2.

Feel free to disable http/2, but my analysis is that Tomcat is as protected as it can be at this point. I don't believe Tomcat is affected by CVE-2026-49975.

Agreed. Various Tomcat limits should protect against this attack but the key one looks to be maximum header size which is set at 8KiB.

Using the terminology of the report, Tomcat has fairly low "per-entry book-keeping" but Tomcat also explicitly takes account of that overhead when calculating usage against the limit.

To be sure, I took the PoC that was provided for httpd and ran it against a default Tomcat build of 12.0.x HEAD. The connections were closed down pretty much instantly for excessive headers.

Mark
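The point made above about charging the per-entry overhead against the limit, as an added illustration that is not Tomcat's code and not from the linked report: a small Python model of a header-size limit, once counting only header bytes and once also charging a fixed cost per entry. The 8192-byte limit is Tomcat's default maximum header size; the 32-octet per-entry figure is borrowed from what HPACK charges for a dynamic table entry (RFC 7541, section 4.1) and is only a stand-in here, since the thread does not state Tomcat's own bookkeeping cost. The header lists are constructed for the example.

```python
# Added example (not Tomcat's code): header-size accounting with and without
# a per-entry overhead charge, showing why a byte-only limit can be slipped
# past by a stream of many tiny headers while an overhead-aware limit cuts
# the same stream off early.

# Tomcat's default maximum header size is 8 KiB.  The 32-octet per-entry
# overhead is the figure HPACK uses for its dynamic table (RFC 7541, s4.1),
# used here as an assumed stand-in for the receiver's bookkeeping cost.
MAX_HEADER_SIZE = 8192
HPACK_ENTRY_OVERHEAD = 32


def check_headers(headers, limit=MAX_HEADER_SIZE, per_entry_overhead=0):
    """Walk a header list, charging each entry against the limit.

    Returns (accepted, consumed, total): whether the whole list fit under
    the limit, how many entries were consumed before stopping, and the
    bytes charged so far.  Checking after every entry, rather than once at
    the end, means a bomb is rejected as soon as it crosses the limit
    instead of being buffered in full first.
    """
    total = 0
    consumed = 0
    for name, value in headers:
        consumed += 1
        total += len(name.encode()) + len(value.encode()) + per_entry_overhead
        if total > limit:
            return False, consumed, total
    return True, consumed, total


def normal_request():
    """A realistic HTTP/2 request header list (constructed sample)."""
    return [
        (":method", "GET"),
        (":path", "/index.html"),
        (":scheme", "https"),
        (":authority", "example.com"),
        ("user-agent", "curl/8.5.0"),
        ("accept", "*/*"),
    ]


def header_bomb(count):
    """Constructed bomb: many distinct, near-empty headers.  The raw bytes
    are small, but each entry costs the receiver bookkeeping regardless of
    its size."""
    return [(f"x{i}", "") for i in range(count)]


if __name__ == "__main__":
    bomb = header_bomb(1000)
    print("normal, bytes only:   ", check_headers(normal_request()))
    print("normal, with overhead:", check_headers(
        normal_request(), per_entry_overhead=HPACK_ENTRY_OVERHEAD))
    # 1000 headers carry only about 3.8 KiB of name/value bytes, so a
    # byte-only limit lets the whole list through.
    print("bomb, bytes only:     ", check_headers(bomb))
    # Charging 32 octets per entry trips the same 8 KiB limit at entry 231.
    print("bomb, with overhead:  ", check_headers(
        bomb, per_entry_overhead=HPACK_ENTRY_OVERHEAD))
```

Run it as a script to see the four results side by side. The normal request costs well under the limit either way; the bomb passes the byte-only check with room to spare and is cut off less than a quarter of the way in once per-entry cost is charged. The thread also mentions other Tomcat limits; a ceiling on the number of headers would stop this particular list even earlier, but the size accounting is what makes the limit hold regardless of how the attacker shapes the entries.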

