HTTP/2 Bomb CVEs: Impact on Kong Gateway Open Source

[dndx]

Dear Kong Community,

Kong is aware of the recently disclosed HTTP/2 CVEs that affect multiple implementations of HTTP/2, including the issue publicly referred to as the HTTP/2 Bomb. Here is our initial assessment of these CVEs and their impact on the Kong Gateway Open Source project.

Note: if you have an enterprise contract with Kong, please contact your support team to discuss the impact on Kong's enterprise offerings. This advisory applies to the Open Source Kong releases only.

Kong is actively working on a 3.9.3 security release for the Open Source project and will publish it as soon as practicable. The release will be announced in this discussion thread once it becomes available.

This page will be kept up to date as new information and findings regarding these CVEs emerge.

CVE Number	Description	Kong Open Source Impacted	Explanation
CVE-2026-49975	NGINX HTTP/2 HPACK Denial of Service	Yes	Kong Open Source higher than 2.0.0 enables HTTP/2 by default on the proxy_listen config. Kong plans to adopt the NGINX max_headers patch to give users the option to mitigate this DoS vector. As a temporary mitigation, Kong users can consider disabling HTTP/2 protocol support using the proxy_listen config if HTTP/2 is not necessary.