CVE-2026-49975 is a publicly disclosed denial-of-service vulnerability affecting web servers that run default HTTP/2 configurations, including the nginx-based proxy used in Cequence Defender. A remote attacker can send specially crafted HTTP/2 requests that exhaust server memory, potentially making a Defender node temporarily unresponsive. No authentication is required to attempt the attack, and proof-of-concept code is publicly available. The vulnerability does not enable data access, credential theft, or any form of system compromise. Availability is the only affected surface.
| Identifier | Impact | Severity | Fix |
|---|---|---|---|
| CVE-2026-49975 | Remote denial-of-service (HTTP/2) | CVSS 7.5 (High) | Defender 6.3 (in progress) |
How the attack works
The exploit chains two HTTP/2 protocol behaviors.
- Repeated references to a compressed header entry cause the server to accumulate memory with each reference, far exceeding what the data size would suggest.
- A manipulated flow-control window prevents the server from releasing that memory, pinning allocations for the duration of the connection.
Under sustained attack, this can exhaust available memory and cause service disruption. Normal traffic is not affected when the attack is not in progress.
Affected versions
| Version | Status | Notes |
|---|---|---|
| Defender 6.2 and earlier | Affected | HTTP/2 enabled by default on listener ports. |
| Defender 6.3 | Fix in progress | Patch under development. Customers will be notified when available. |
| Deployments with HTTP/2 disabled | Not affected | HTTP/1.1-only configurations are not exploitable through this vector. |
Remediation and interim mitigations
The recommended action is to upgrade to Defender 6.3 when released. Until the patch is available, the following mitigations reduce exposure.
- Disable HTTP/2 on Defender listener ports when HTTP/2 is not required by protected applications.
- Place an upstream edge control (WAF or load balancer) in front of Defender that enforces HTTP/2 header limits.
- Restrict internet-facing Defender listeners to trusted upstream IP addresses where possible.
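To verify the first mitigation has actually taken effect, the following added Python script (not Cequence's tooling) audits an nginx configuration and lists every server block that still enables HTTP/2, through either the legacy `listen ... http2` parameter or the `http2 on;` directive. The sample configuration and hostnames are constructed; the path to Defender's real nginx configuration is not assumed.

```python
"""Audit an nginx config for server blocks that negotiate HTTP/2 (constructed
example, not Cequence's tooling; handles ``listen ... http2`` and ``http2 on``)."""
import re

# Constructed sample: only the first and third servers enable HTTP/2.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl http2;      # legacy listen-parameter form
        server_name api.example.test;
    }
    server {
        listen 8443 ssl;
        http2 off;
        server_name admin.example.test;
    }
    server {
        listen 9443 ssl;
        http2 on;                  # directive form (nginx >= 1.25.1)
        server_name legacy.example.test;
    }
}
"""
_LISTEN = re.compile(r"^\s*listen\s+([^;]+);")
_HTTP2 = re.compile(r"^\s*http2\s+(on|off)\s*;")
_NAME = re.compile(r"^\s*server_name\s+([^;]+);")

def find_http2_servers(conf: str) -> list[dict]:
    """Return {name, listen} for each server block with HTTP/2 enabled."""
    found, block, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        if block is None:
            if re.match(r"^\s*server\s*{", line):
                block, depth = {"name": "", "listen": [], "http2": False}, 1
            continue
        depth += line.count("{") - line.count("}")   # track nested blocks
        if m := _LISTEN.match(line):
            params = m.group(1).split()
            block["listen"].append(params[0])
            block["http2"] |= "http2" in params[1:]
        elif m := _HTTP2.match(line):
            block["http2"] |= m.group(1) == "on"  # "off" does not clear a listen flag
        elif m := _NAME.match(line):
            block["name"] = m.group(1).strip()
        if depth == 0:                       # server block closed
            if block["http2"]:
                found.append({"name": block["name"], "listen": block["listen"]})
            block = None
    return found
```

Run it over the concatenated configuration (including files pulled in by `include`) and treat every reported server block on an internet-facing port as still exposed.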
Cequence Security — Customer Advisory | Questions: contact your CSM or security@cequence.ai | Reference: CVE-2026-49975