Vani (Employee)

Check Point WAF Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb)

Executive Summary

A recently disclosed denial-of-service vulnerability, CVE-2026-49975 (HTTP/2 Bomb), targets HTTP/2 request processing by exploiting the resource overhead associated with requests containing excessive numbers of HTTP headers. This attack can cause disproportionate CPU and memory consumption and potentially lead to service degradation or denial-of-service conditions in affected environments.

Check Point Engineering has assessed the vulnerability across all Check Point WAF deployment models and validated that existing architectural controls provide effective protection.

Technical Overview

The attack abuses HTTP/2 request processing by sending requests with unusually large numbers of headers, forcing excessive resource allocation on the receiving system.

Environments are most susceptible when:

  • HTTP/2 traffic reaches applications directly
  • Header count limitations are not enforced
  • Resource consumption scales with header volume

No Impact on Check Point WAF Deployments

  1. Check Point WAF SaaS

Check Point WAF SaaS deployments are protected.

Customers leveraging integrated CDN capabilities benefit from an additional mitigation layer, as HTTP/2 connections are terminated before traffic reaches the protected application environment.

  2. Check Point WAF Gateway, Unified Container, and Agent Deployments

For managed Check Point WAF deployments, HTTP/2 traffic is terminated at the WAF layer and is not forwarded directly to protected applications.

As a result, backend applications are not exposed to the vulnerable attack surface described in CVE-2026-49975.

Existing Protection Mechanisms

Check Point WAF already incorporates multiple controls that reduce exposure to HTTP/2 resource exhaustion attacks, including:

  • Request size limitations
  • Header size enforcement
  • Layer 7 DDoS protections
  • Resource consumption safeguards

Additional Hardening: Header Count Limiting

As an additional defense-in-depth measure, Check Point is introducing a configurable Header Count Limiting control. This capability allows administrators to define the maximum number of HTTP headers permitted in a single request, helping to:

  • Prevent excessive header proliferation
  • Limit resource consumption per request
  • Reduce exposure to HTTP/2 Bomb-style attacks
  • Improve resilience against malformed requests

Example Configuration

[Image: Example.png]

Processing Flow

[Image: Process flow.png]


Requests exceeding configured thresholds are rejected before reaching the protected application.
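To make the processing flow concrete, here is an added example (not Check Point code and not the WAF's actual implementation) of a header-count limiter applied to a decoded HTTP/2 header list. The thresholds, the 431 response status and the sample header lists are assumptions; the one edge case it handles is that HTTP/2 clients may legitimately split a single Cookie header into many "cookie" fields (RFC 9113), which a naive count would reject.

```python
# Added example: header-count and header-size limiting on a decoded HTTP/2 header list.
# Not Check Point's implementation; thresholds below are assumed, the post states no defaults.
from dataclasses import dataclass

MAX_HEADER_COUNT = 100        # assumed per-request header limit
MAX_HEADER_BYTES = 16 * 1024  # assumed cap on total header size (name + value + 32 per field)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    status: int          # 0 when allowed, otherwise the HTTP status used to reject (431 assumed)
    reason: str
    header_count: int
    header_bytes: int


def check_header_limits(headers, max_count=MAX_HEADER_COUNT, max_bytes=MAX_HEADER_BYTES):
    """Decide whether a decoded header list may be forwarded to the application.

    headers: list of (name, value) pairs after HPACK decoding, lowercase names as in HTTP/2.
    Pseudo-headers (":method", ":path", ...) are structural and are not counted.
    Multiple "cookie" fields are one logical Cookie header in HTTP/2 (RFC 9113), so they
    count once; size uses the SETTINGS_MAX_HEADER_LIST_SIZE rule of name + value + 32.
    """
    count = total = 0
    saw_cookie = False
    for name, value in headers:
        total += len(name) + len(value) + 32
        if name.startswith(":"):
            continue
        if name == "cookie":
            if saw_cookie:
                continue
            saw_cookie = True
        count += 1
    if count > max_count:
        return Verdict(False, 431, f"header count {count} exceeds limit {max_count}", count, total)
    if total > max_bytes:
        return Verdict(False, 431, f"header bytes {total} exceed limit {max_bytes}", count, total)
    return Verdict(True, 0, "ok", count, total)


# Constructed sample header lists (not captured traffic).
PSEUDO = [(":method", "GET"), (":path", "/"), (":scheme", "https"), (":authority", "app.example")]
NORMAL_REQUEST = PSEUDO + [("user-agent", "curl/8.0"), ("accept", "*/*"), ("cookie", "s=1")]
COOKIE_SPLIT_REQUEST = PSEUDO + [("cookie", f"c{i}=v") for i in range(150)]   # legitimate split
EXCESSIVE_REQUEST = PSEUDO + [(f"x-h{i}", "a") for i in range(5000)]          # over the count limit

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("cookie-split", COOKIE_SPLIT_REQUEST), ("excessive", EXCESSIVE_REQUEST)):
        v = check_header_limits(req)
        print(f"{label:12} allowed={v.allowed} status={v.status} count={v.header_count} bytes={v.header_bytes} {v.reason}")
```

Run as-is to see the three verdicts; the excessive request is rejected on the count check before any byte accounting matters, while the cookie-split request passes despite carrying 150 fields.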

 

Customer Guidance

No immediate customer action is required for Check Point-managed WAF deployments.

Customers should maintain current releases and apply newly released header-count protection controls when they become available.

Conclusion

Check Point WAF SaaS deployments are protected against CVE-2026-49975 through a combination of architectural design, HTTP/2 termination, request validation, and resource protection controls.

To further strengthen resilience, Check Point is introducing configurable header count limiting, providing an additional safeguard against HTTP/2 resource exhaustion attacks and similar attack techniques.
