【Vulnerability Advisory】Apache mod_http2 Remote Denial of Service Vulnerability (CVE-2026-49975)
Release date: 2026-06-04

1. Vulnerability Overview

Apache HTTP Server is open-source web server software released by the Apache Software Foundation and is widely used for internet websites, enterprise portals, API services and cloud platforms. It supports HTTP/1.1, HTTP/2, TLS, reverse proxying and modular extension, offers high extensibility and cross-platform operation, and is one of the mainstream web infrastructure components worldwide.
On June 4, 2026, the mansion88 Mingsheng Security Emergency Response Center (VSRC) detected a remote denial of service vulnerability in Apache mod_http2. The vulnerability stems from a resource management flaw in the handling of the HTTP/2 HPACK header compression mechanism together with the flow-control window: an attacker can craft a large number of Indexed Header references and combine them with a zero INITIAL_WINDOW_SIZE window to block the release of responses, keeping server memory occupied. An unauthenticated remote attacker can exploit this vulnerability to trigger large-scale memory allocation at very low bandwidth cost, causing severe performance degradation, pushing the system into swap and even making the service unavailable, which in turn affects business continuity and availability.
2. Affected Scope
mod_http2 < 2.0.41
nginx < 1.29.8
Apache HTTP Server 2.4.x (affected when mod_http2 is enabled, which is the default)
Envoy <= 1.37.2
Microsoft IIS (Windows Server 2025 with HTTP/2 enabled)
Cloudflare Pingora <= 0.8.0 (version verified in public research)
3. Security Measures
3.1 Upgrade
Vendors of some affected components have already released fix patches or mitigation updates; users are advised to upgrade as soon as possible.
mod_http2 >= 2.0.41
nginx >= 1.29.8
Apache HTTP Server users are advised to watch for subsequent official 2.4.x security releases and confirm that the build they deploy includes mod_http2 v2.0.41 or a later fixed version.
<gr_insert after="18" cat="add_content" lang="python" orig="Apache HTTP Server Óû§">
The following version audit is an added example, not part of this advisory or of any vendor's tooling. It encodes the affected ranges exactly as the advisory states them above (strictly below the fixed version for mod_http2 and nginx, up to and including the last known affected version for Envoy and Pingora) and checks an inventory of version strings against them. The inventory and the host names in it are constructed for demonstration.

```python
"""Version audit for the components listed in this advisory.

Added example (not from the advisory or any vendor). The ranges below are
copied from the advisory text; the sample inventory is constructed.
"""
import re

# Affected ranges as stated in the advisory.
# "lt": affected if version <  bound (bound is the fixed version).
# "le": affected if version <= bound (bound is the last known affected version).
AFFECTED = {
    "mod_http2": ("lt", "2.0.41"),
    "nginx": ("lt", "1.29.8"),
    "envoy": ("le", "1.37.2"),
    "pingora": ("le", "0.8.0"),
}


def parse_version(text):
    """Extract the leading dotted numeric version from strings such as
    'nginx/1.29.7' or 'mod_http2/2.0.38' and return it as a tuple of ints.
    A dotted version is preferred so the '2' in 'http2' is not mistaken for one."""
    m = re.search(r"\d+(?:\.\d+)+", text) or re.search(r"\d+", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(0).split("."))


def compare(a, b):
    """Compare two version tuples; shorter tuples are zero-padded so 2.0 == 2.0.0.
    Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(component, version_text):
    """True if component/version falls inside the advisory's affected range."""
    op, bound = AFFECTED[component.lower()]
    c = compare(parse_version(version_text), parse_version(bound))
    return c < 0 if op == "lt" else c <= 0


def audit(inventory):
    """inventory: iterable of (host, component, version_string).
    Returns a list of (host, component, version_string, status) rows."""
    report = []
    for host, component, version in inventory:
        status = "AFFECTED" if is_affected(component, version) else "ok"
        report.append((host, component, version, status))
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("web-01", "mod_http2", "mod_http2/2.0.38"),
    ("web-02", "mod_http2", "2.0.41"),
    ("lb-01", "nginx", "nginx/1.29.7"),
    ("lb-02", "nginx", "nginx/1.29.8"),
    ("edge-01", "envoy", "1.37.2"),
    ("edge-02", "pingora", "0.8.1"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("%-8s %-10s %-20s %s" % row)
```

Feed it the version strings your inventory system already collects (for example the output of `httpd -M` plus the module's own version, or `nginx -v`); anything reported as AFFECTED should be scheduled for the upgrade described above or covered by the temporary measures in 3.2.
<test>
assert is_affected("mod_http2", "mod_http2/2.0.38")
assert not is_affected("mod_http2", "2.0.41")
assert is_affected("nginx", "nginx/1.29.7")
assert not is_affected("nginx", "1.29.8")
assert is_affected("envoy", "1.37.2")
assert not is_affected("envoy", "1.37.3")
assert is_affected("pingora", "0.8.0")
assert not is_affected("pingora", "0.8.1")
assert parse_version("mod_http2/2.0.38") == (2, 0, 38)
assert compare(parse_version("2.0"), parse_version("2.0.0")) == 0
assert [r[3] for r in audit(SAMPLE_INVENTORY)] == ["AFFECTED", "ok", "AFFECTED", "ok", "AFFECTED", "ok"]
</test>
</gr_insert>
<gr_replace lines="24" cat="clarify" orig="nginx ÅäÖãº">
nginx configuration:
Protocols http/1.1
nginx ÅäÖãº
http2 off
Limit the number of header fields and the number of Cookie fields per request
Lower header size limits such as LimitRequestFieldSize (applies to Apache only)
At the perimeter CDN, WAF or reverse-proxy layer, enable header-count limits, filtering of anomalous requests and connection rate control
Set a memory ceiling for worker processes (cgroups, ulimit or container limits) to prevent excessive memory usage
Monitor anomalous HTTP/2 connections, flow-control windows, worker memory usage and swap usage
For IIS, Envoy and Cloudflare Pingora users: if an official patch has not yet been released, temporarily disable HTTP/2, or enforce header-count limits, connection-timeout control and resource-usage limit policies at the upstream proxy, CDN or WAF layer.
3.3 General Recommendations
Apply system patches regularly to reduce system vulnerabilities and improve server security.
Strengthen access control for systems and networks, revise firewall policies, close unnecessary ports and services, reduce exposure of high-risk services (such as SSH and RDP) to the public internet, and reduce the attack surface.
Use enterprise-grade security products to improve the organization's network security capabilities.
Strengthen system user and privilege management, enable multi-factor authentication and the principle of least privilege, and keep user and software privileges at the minimum required.
Enforce a strong password policy with regular password changes.
3.4 References
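The configuration audit below is an added example, not part of this advisory, Apache or nginx. It checks Apache httpd and nginx configuration text for the two temporary measures above that are visible in configuration: HTTP/2 disabled (`Protocols http/1.1`, `http2 off`) and header-field limits lowered. The four configuration fragments are constructed; the "weak" ones keep HTTP/2 on and leave the limits at Apache's defaults, the "hardened" ones apply the advice. The ceilings of 100 fields and 8190 bytes are Apache's documented defaults for `LimitRequestFields` and `LimitRequestFieldSize`, used here as the threshold for "not lowered"; they are this example's assumption, not figures from the advisory.

```python
"""Audit Apache httpd and nginx configuration text for the temporary
mitigations in this advisory: HTTP/2 disabled and header-field limits lowered.

Added example, not from the advisory, Apache or nginx. All config fragments
below are constructed for demonstration.
"""
import re

# Assumed ceilings: Apache's defaults are LimitRequestFields 100 and
# LimitRequestFieldSize 8190. The advisory says to lower them, so a value at
# or above the default (or no directive at all) is reported.
MAX_FIELDS = 100
MAX_FIELD_SIZE = 8190


def _lines(text):
    """Yield non-empty, non-comment configuration lines with whitespace trimmed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_apache(text):
    """Return a list of findings for an Apache httpd config fragment."""
    findings = []
    fields = field_size = None
    h2_enabled = False  # Apache's Protocols default is http/1.1, so absent == off
    for line in _lines(text):
        m = re.match(r"Protocols\s+(.+)", line, re.I)
        if m and re.search(r"\bh2c?\b", m.group(1), re.I):
            h2_enabled = True
        m = re.match(r"LimitRequestFields\s+(\d+)", line, re.I)
        if m:
            fields = int(m.group(1))
        m = re.match(r"LimitRequestFieldSize\s+(\d+)", line, re.I)
        if m:
            field_size = int(m.group(1))
    if h2_enabled:
        findings.append("HTTP/2 still listed in Protocols; advisory suggests 'Protocols http/1.1'")
    if fields is None or fields >= MAX_FIELDS:
        findings.append("LimitRequestFields not lowered below %d" % MAX_FIELDS)
    if field_size is None or field_size >= MAX_FIELD_SIZE:
        findings.append("LimitRequestFieldSize not lowered below %d" % MAX_FIELD_SIZE)
    return findings


def audit_nginx(text):
    """Return a list of findings for an nginx config fragment.
    Both 'http2 on;' (nginx 1.25.1+) and the older 'listen ... http2;' enable HTTP/2."""
    findings = []
    for line in _lines(text):
        if re.match(r"http2\s+on\s*;", line, re.I) or re.match(r"listen\b.*\bhttp2\b", line, re.I):
            findings.append("HTTP/2 enabled by %r; advisory suggests 'http2 off'" % line)
    return findings


# Constructed fragments: weak settings beside their hardened counterparts.
WEAK_APACHE = """
Protocols h2 http/1.1
LimitRequestFields 100
"""
HARDENED_APACHE = """
# HTTP/1.1 only, per advisory section 3.2
Protocols http/1.1
LimitRequestFields 50
LimitRequestFieldSize 4096
"""
WEAK_NGINX = """
server {
    listen 443 ssl;
    http2 on;
}
"""
HARDENED_NGINX = """
server {
    listen 443 ssl;
    http2 off;
}
"""

if __name__ == "__main__":
    for name, result in [("weak apache", audit_apache(WEAK_APACHE)),
                         ("hardened apache", audit_apache(HARDENED_APACHE)),
                         ("weak nginx", audit_nginx(WEAK_NGINX)),
                         ("hardened nginx", audit_nginx(HARDENED_NGINX))]:
        print(name, "->", result or "no findings")
```

The check is deliberately line-oriented so it can be run over `httpd -t -D DUMP_CONFIG` output or a concatenation of nginx include files; it does not resolve includes or virtual-host scoping itself, so treat a clean result as a prompt to verify, not as proof.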
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb/
https://github.com/califio/publications/tree/main/MADBugs/http2-bomb