CVE-2026-54428 Overview
CVE-2026-54428 is a denial-of-service vulnerability in the HTTP/2 HPACK decoder within Apache HttpComponents Core. Affected releases include version 5.4.2 and earlier, plus 5.5-beta1 and earlier. The flaw stems from allocation of resources without limits or throttling [CWE-400]. A remote unauthenticated attacker can exhaust server memory by sending oversized compressed HPACK header blocks before the HTTP/2 SETTINGS acknowledgement enforces the configured header list size limit. Successful exploitation renders services unreachable and can destabilize dependent components.
Critical Impact
Unauthenticated remote attackers can trigger memory exhaustion against any service using vulnerable Apache HttpComponents Core HTTP/2 endpoints, producing service outages without valid credentials or user interaction.
Affected Products
- Apache HttpComponents Core 5.4.2 and earlier
- Apache HttpComponents Core 5.5-beta1 and earlier
- Downstream Java applications and servers embedding vulnerable httpcore5-h2 releases
Discovery Timeline
- 2026-07-01 - CVE-2026-54428 published to the National Vulnerability Database
- 2026-07-01 - Vulnerability disclosed via the Apache mailing list and OpenWall OSS-Security
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-54428
Vulnerability Analysis
The vulnerability lives in the HTTP/2 HPACK header decompression path of Apache HttpComponents Core. HPACK (HTTP/2 Header Compression) uses a dynamic table and Huffman-encoded literals to compress headers. The decoder allocates memory to reconstruct decompressed headers as bytes arrive on a connection. Apache HttpComponents Core exposes a configurable header list size limit that caps decompressed header sizes to prevent runaway allocations. The limit is negotiated through the HTTP/2 SETTINGS frame exchange between peers.
The root problem is a timing window: the configured header list size limit only takes effect after the peer acknowledges the local SETTINGS frame. Header blocks received before that acknowledgement bypass the limit and are decoded with unbounded memory allocation. An attacker can open an HTTP/2 connection and immediately send very large compressed header blocks in the pre-SETTINGS-ACK window. Each connection can force allocation of large decompressed structures, and concurrent connections multiply the impact until the JVM heap is exhausted.
Root Cause
The decoder's quota enforcement is not synchronized with the HTTP/2 handshake: the header list size ceiling becomes active only after the SETTINGS acknowledgement, so HPACK data received during the earliest phase of a connection is decoded without a size cap [CWE-400].
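To make the timing window concrete, the following added example models the decoder state described in the analysis and root cause above. It is constructed for this page and is not Apache HttpComponents Core code: it implements a minimal HPACK subset (RFC 7541 literal header fields without indexing, new non-Huffman name and value) and accounts decoded size the way SETTINGS_MAX_HEADER_LIST_SIZE defines it (name length + value length + 32 octets per field). The `enforce_before_ack` flag is an assumption used to contrast the vulnerable window (limit applied only once SETTINGS is acknowledged) with a hardened decoder that applies the local limit from the first byte and checks each declared string length before copying it.

```python
"""Model of HPACK header-list-size enforcement around the SETTINGS handshake.
Constructed example, not httpcore5-h2 code. Only literal-without-indexing
fields with raw (non-Huffman) strings are handled; that is enough to show
where the size cap must be applied."""
from dataclasses import dataclass

HEADER_OVERHEAD = 32  # RFC 7541 section 4.1: an entry costs name + value + 32 octets


class HeaderListTooLarge(Exception):
    """Raised as soon as the running decoded size would exceed the cap."""


def _read_int(buf: bytes, pos: int, prefix_bits: int):
    """HPACK integer decoding (RFC 7541 section 5.1). Returns (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _read_string(buf: bytes, pos: int, budget):
    """HPACK string literal (RFC 7541 section 5.2); the declared length is
    checked against the remaining budget before any bytes are copied."""
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this model")
    length, pos = _read_int(buf, pos, 7)
    if budget is not None and length > budget:
        raise HeaderListTooLarge(f"declared length {length} exceeds budget {budget}")
    return bytes(buf[pos:pos + length]), pos + length


@dataclass
class H2Connection:
    local_max_header_list_size: int
    settings_acked: bool = False
    # True: apply the local limit from the first byte (hardened, assumed fix).
    # False: apply it only after the peer acks SETTINGS (the CVE window).
    enforce_before_ack: bool = True

    def active_limit(self):
        if self.settings_acked or self.enforce_before_ack:
            return self.local_max_header_list_size
        return None  # unbounded allocation

    def decode_block(self, block: bytes):
        """Decode one header block, accounting size per SETTINGS_MAX_HEADER_LIST_SIZE."""
        limit = self.active_limit()
        pos, total, headers = 0, 0, []
        while pos < len(block):
            if block[pos] != 0x00:
                raise ValueError("model only handles literal-without-indexing, new name")
            pos += 1
            budget = None if limit is None else limit - total - HEADER_OVERHEAD
            if budget is not None and budget < 0:
                raise HeaderListTooLarge("header list limit exhausted")
            name, pos = _read_string(block, pos, budget)
            value, pos = _read_string(block, pos, None if budget is None else budget - len(name))
            total += len(name) + len(value) + HEADER_OVERHEAD
            headers.append((name, value))
        return headers, total


def _encode_int(value: int, prefix_bits: int) -> bytes:
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([value])
    out = bytearray([mask])
    value -= mask
    while value >= 128:
        out.append(value % 128 + 128)
        value //= 128
    out.append(value)
    return bytes(out)


def encode_literal(name: bytes, value: bytes) -> bytes:
    """Encoder for the same HPACK subset, used only to build sample blocks."""
    return b"\x00" + _encode_int(len(name), 7) + name + _encode_int(len(value), 7) + value


def try_decode(block: bytes, *, enforce_before_ack: bool, settings_acked: bool = False, limit: int = 8192):
    """Return ('decoded', size) or ('rejected', None) for the given connection state."""
    conn = H2Connection(limit, settings_acked=settings_acked, enforce_before_ack=enforce_before_ack)
    try:
        _, total = conn.decode_block(block)
        return "decoded", total
    except HeaderListTooLarge:
        return "rejected", None


if __name__ == "__main__":
    big = encode_literal(b"x-pad", b"a" * 65536)        # constructed oversized header
    print(try_decode(big, enforce_before_ack=False))    # vulnerable window: fully decoded
    print(try_decode(big, enforce_before_ack=True))     # hardened: rejected before copying
```

The point of the model is the `active_limit` call: with `enforce_before_ack=False` a block arriving before the acknowledgement is decoded with `limit=None`, so a 64 KiB literal is allocated in full, while the hardened path rejects the same block from the declared length alone. Once `settings_acked` is true both variants reject it, which is why the defect is a window rather than a permanently missing check.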
Attack Vector
Exploitation requires only network reachability to a listening HTTP/2 endpoint that uses Apache HttpComponents Core. The attacker establishes a TLS or cleartext HTTP/2 connection, sends the connection preface, and then transmits HEADERS and CONTINUATION frames containing oversized compressed header blocks before completing the SETTINGS acknowledgement. The decoder allocates memory proportional to the encoded content, and repeated or parallel connections drive the process to OutOfMemoryError.
No verified public exploit code was available at the time of publication. Technical detail is documented in the Apache Mailing List Thread and the OpenWall OSS-Security Discussion.
Detection Methods for CVE-2026-54428
Indicators of Compromise
- Sudden spikes in JVM heap usage or java.lang.OutOfMemoryError entries in application logs from processes hosting httpcore5-h2
- HTTP/2 connections that transmit unusually large HEADERS or CONTINUATION frames prior to completing SETTINGS acknowledgement
- Repeated short-lived HTTP/2 connections from a small set of source addresses immediately preceding service degradation
Detection Strategies
- Inspect HTTP/2 traffic for HEADERS frames whose compressed payload size exceeds the negotiated or expected header list size
- Correlate application OutOfMemoryError events with concurrent inbound HTTP/2 connection counts and source IP distribution
- Baseline normal HPACK header sizes for your workload and alert on statistical outliers
Monitoring Recommendations
- Enable JVM heap and garbage collection telemetry with alert thresholds tied to sustained high heap pressure
- Forward web server and reverse proxy access logs, including HTTP/2 frame metadata where available, to a centralized analytics platform
- Track connection-level metrics such as concurrent HTTP/2 streams per source and per-connection bytes received before first request completion
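The indicators, detection strategies and connection-level metrics above can be checked offline against frame metadata. The following added example, constructed for this page rather than taken from any product, parses an invented key=value log format (one line per HTTP/2 event with `ts`, `src`, `conn`, `event`, `bytes` and `settings_acked` fields) and flags two patterns: connections whose HEADERS/CONTINUATION payload bytes before SETTINGS acknowledgement exceed the expected header list size, and sources that open several short-lived connections in a small window. The thresholds are assumptions to be tuned against your own baseline.

```python
"""Detection over HTTP/2 connection metadata for the pre-SETTINGS-ACK window.
Constructed example; the log format is invented for illustration."""
import re
from collections import defaultdict

# Constructed sample: one source opens three short connections that each send
# large header payloads before acking SETTINGS; another source behaves normally.
SAMPLE_LOG = """\
ts=1000 src=10.0.0.5 conn=1 event=PREFACE
ts=1000 src=10.0.0.5 conn=1 event=HEADERS bytes=65000 settings_acked=false
ts=1000 src=10.0.0.5 conn=1 event=CONTINUATION bytes=65000 settings_acked=false
ts=1001 src=10.0.0.5 conn=1 event=CLOSE
ts=1001 src=10.0.0.5 conn=2 event=PREFACE
ts=1001 src=10.0.0.5 conn=2 event=HEADERS bytes=65000 settings_acked=false
ts=1002 src=10.0.0.5 conn=2 event=CLOSE
ts=1002 src=10.0.0.5 conn=3 event=PREFACE
ts=1002 src=10.0.0.5 conn=3 event=HEADERS bytes=65000 settings_acked=false
ts=1003 src=10.0.0.5 conn=3 event=CLOSE
ts=1000 src=192.0.2.10 conn=4 event=PREFACE
ts=1000 src=192.0.2.10 conn=4 event=SETTINGS_ACK
ts=1001 src=192.0.2.10 conn=4 event=HEADERS bytes=900 settings_acked=true
ts=1060 src=192.0.2.10 conn=4 event=CLOSE
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with numeric fields converted."""
    rec = dict(_KV.findall(line))
    for k in ("ts", "conn", "bytes"):
        if k in rec:
            rec[k] = int(rec[k])
    rec["settings_acked"] = rec.get("settings_acked") == "true"
    return rec


def analyze(log_text: str, max_header_list_size: int = 16384,
            burst_threshold: int = 3, burst_window: int = 10, short_lived: int = 2) -> dict:
    """Return oversized pre-ACK header senders and sources showing connection bursts."""
    pre_ack_bytes = defaultdict(int)   # (src, conn) -> header-frame bytes seen before ACK
    opened, closed = {}, {}            # (src, conn) -> timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["src"], rec["conn"])
        ev = rec["event"]
        if ev == "PREFACE":
            opened[key] = rec["ts"]
        elif ev == "CLOSE":
            closed[key] = rec["ts"]
        elif ev in ("HEADERS", "CONTINUATION") and not rec["settings_acked"]:
            pre_ack_bytes[key] += rec["bytes"]

    # Indicator 1: compressed header bytes before ACK already above the decompressed cap.
    oversized = [
        {"src": src, "conn": conn, "bytes": n}
        for (src, conn), n in sorted(pre_ack_bytes.items())
        if n > max_header_list_size
    ]

    # Indicator 2: a source opening >= burst_threshold short-lived connections
    # within burst_window seconds (sliding window over open timestamps).
    per_src = defaultdict(list)
    for key, t_open in opened.items():
        if key in closed and closed[key] - t_open <= short_lived:
            per_src[key[0]].append(t_open)
    bursts = []
    for src, times in sorted(per_src.items()):
        times.sort()
        for i, t in enumerate(times):
            if sum(1 for u in times[i:] if u - t <= burst_window) >= burst_threshold:
                bursts.append(src)
                break
    return {"oversized_pre_ack": oversized, "connection_bursts": bursts}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["oversized_pre_ack"]:
        print("oversized pre-ACK header block:", finding)
    print("connection bursts from:", analyze(SAMPLE_LOG)["connection_bursts"])
```

One caveat on the first indicator: a compressed payload larger than the decompressed cap is certainly over the limit, but the converse does not hold, since HPACK can expand a small compressed block into a much larger header list. Treat the byte check as a high-confidence signal and pair it with the heap and connection-count correlation described above rather than relying on it alone.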
How to Mitigate CVE-2026-54428
Immediate Actions Required
- Inventory all Java applications and servers that bundle Apache HttpComponents Core, focusing on httpcore5-h2 releases at or below 5.4.2 and 5.5-beta1
- Upgrade to a fixed Apache HttpComponents Core release once published by the Apache HttpComponents project
- Restrict exposure of HTTP/2 endpoints to trusted networks where operationally feasible until patching completes
Patch Information
Apache HttpComponents Core versions 5.4.2 and earlier, and 5.5-beta1 and earlier, are affected. Refer to the Apache Mailing List Thread for the fixed version announcement and remediation guidance from the Apache HttpComponents project.
Workarounds
- Terminate HTTP/2 at an upstream proxy or load balancer that enforces strict header size limits before traffic reaches vulnerable Java services
- Rate-limit new HTTP/2 connections per source IP to reduce the amplification available to attackers
- Disable HTTP/2 and fall back to HTTP/1.1 on affected endpoints if performance requirements permit
# Example: enforce header limits at an NGINX HTTP/2 front-end
# Configuration example (certificate paths are placeholders)
http {
    # Cap a single HPACK-compressed header field and the whole decompressed header
    # list; on nginx 1.19.7 and later both directives are obsolete and
    # large_client_header_buffers applies instead
    http2_max_field_size 4k;
    http2_max_header_size 16k;
    http2_max_concurrent_streams 64;
    # Shared-memory zone keyed by client address for per-source connection limits
    limit_conn_zone $binary_remote_addr zone=h2conn:10m;
    server {
        listen 443 ssl http2;
        ssl_certificate     /path/to/placeholder-fullchain.pem;
        ssl_certificate_key /path/to/placeholder-privkey.pem;
        # At most 20 concurrent connections per client address
        limit_conn h2conn 20;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

