
New HTTP/2 Bomb DoS Attack Crashes Major Web Servers

Severity: High (Score: 69.0)

Sources: blog.calif.io, github.com, Gbhackers, Feeds.4Sysops, Cybersecuritynews

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: http, bomb, remote, exploit, nginx, apache, envoy

Summary

The HTTP/2 Bomb is a newly discovered denial-of-service (DoS) attack that targets default configurations of major web servers, including NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The attack, identified by researchers at Calif and OpenAI's Codex, exploits the HPACK header compression mechanism and uses a zero-byte flow-control window to prevent memory from being released. A single attacker can exhaust tens of gigabytes of server memory in seconds, rendering the server inaccessible. Proof-of-concept exploits have been published, and while some platforms have released patches, many remain vulnerable. The full technical details will be presented at the Real World AI Security conference later this month.

Key Points:

  • HTTP/2 Bomb can crash major web servers in under a minute.
  • The attack combines HPACK compression amplification with connection-holding techniques.
  • Patches are available for some platforms, but many servers remain vulnerable.

Detailed Analysis

**Impact**

Major web servers including nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora are affected globally. A single attacker on a 100 Mbps connection can exhaust tens of gigabytes of RAM within seconds, causing server crashes and denial of service in under a minute. This affects every sector that relies on these widely deployed servers for web infrastructure, potentially disrupting online services and operations. No data breach or data loss has been reported, but service availability is critically compromised.

**Technical Details**

The attack combines HPACK header compression amplification with Slowloris-style HTTP/2 flow-control stalling: the client sends tiny compressed headers that force the server to allocate a large amount of memory on decompression, then advertises a zero-byte flow-control window so that the server can never drain its buffers and release that memory. On default HTTP/2 configurations this leads to memory exhaustion. The Apache httpd mod_http2 issue is tracked as CVE-2026-49975; the fix ships in mod_http2 2.0.41. Proof-of-concept exploits have been published, but the sources provide no specific IOCs.

**Recommended Response**

Apply patches where available, specifically nginx 1.29.8 and Apache httpd mod_http2 2.0.41. For IIS, Envoy, and Cloudflare Pingora, disable HTTP/2 if feasible and deploy proxies or firewalls that enforce strict header-count limits. Monitor for abnormal HTTP/2 header compression patterns and stalled connections. No detection signatures or IOCs have been published yet, so focus on network behaviour and resource-usage anomalies.
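The response guidance above asks operators to watch for abnormal HPACK compression ratios and stalled connections rather than for a signature. The following is an added example, not code from the original page or from any of the affected projects, that shows one way to turn that guidance into a heuristic detector. It assumes a hypothetical telemetry feed in which the server or proxy exports, per HTTP/2 connection, the compressed header bytes received, the decoded header size, the number of open streams, the client-advertised flow-control window, how long that window has been zero with data pending, and how much memory the server is holding for the connection. All field names, threshold values and sample records are constructed for illustration and are not vendor defaults.

```python
"""Heuristic detection of HTTP/2 Bomb-style connections (added example).

Every field name, threshold and sample record here is an assumption made for
this example; adapt the telemetry extraction to the metrics your server or
proxy actually exposes.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ConnTelemetry:
    """One HTTP/2 connection sample (hypothetical telemetry schema)."""
    conn_id: str
    peer: str
    wire_header_bytes: int      # HPACK-encoded header bytes received on the wire
    decoded_header_bytes: int   # total size of header lists after HPACK decoding
    open_streams: int           # streams currently open on the connection
    recv_window: int            # flow-control window the client currently advertises
    stalled_seconds: float      # time recv_window has been 0 while data is pending
    buffered_bytes: int         # memory the server holds waiting for the window


# Illustrative thresholds (assumptions, tune to your own traffic baseline).
MAX_EXPANSION_RATIO = 20.0              # decoded/wire header bytes; normal traffic is single digits
MAX_OPEN_STREAMS = 100                  # concurrency ceiling many servers default to
MIN_STALL_SECONDS = 30.0                # a zero window held longer than this is suspicious
MAX_BUFFERED_PER_CONN = 4 * 1024 * 1024 # 4 MiB held for one client is unusual
MEMORY_BUDGET_BYTES = 64 * 1024 * 1024  # total memory tolerated across stalled connections


def hpack_expansion_ratio(rec: ConnTelemetry) -> float:
    """How much the decoded headers grew relative to the bytes received."""
    if rec.wire_header_bytes == 0:
        return 0.0
    return rec.decoded_header_bytes / rec.wire_header_bytes


def is_stalled(rec: ConnTelemetry, min_seconds: float = MIN_STALL_SECONDS) -> bool:
    """Zero-window stall: the peer refuses to drain data the server has buffered."""
    return rec.recv_window == 0 and rec.stalled_seconds >= min_seconds and rec.buffered_bytes > 0


def classify(rec: ConnTelemetry) -> List[str]:
    """Return the list of anomaly labels that apply to one connection."""
    reasons: List[str] = []
    if hpack_expansion_ratio(rec) > MAX_EXPANSION_RATIO:
        reasons.append("hpack-amplification")
    if rec.open_streams > MAX_OPEN_STREAMS:
        reasons.append("stream-flood")
    if is_stalled(rec):
        reasons.append("zero-window-stall")
    if rec.buffered_bytes > MAX_BUFFERED_PER_CONN:
        reasons.append("excess-buffered-memory")
    return reasons


def find_suspicious(records: List[ConnTelemetry]) -> Dict[str, List[str]]:
    """Map conn_id -> reasons for every connection that trips at least one rule."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            result[rec.conn_id] = reasons
    return result


def stalled_memory(records: List[ConnTelemetry]) -> int:
    """Bytes the server is holding for connections in a zero-window stall."""
    return sum(r.buffered_bytes for r in records if is_stalled(r))


def memory_budget_exceeded(records: List[ConnTelemetry], budget: int = MEMORY_BUDGET_BYTES) -> bool:
    """True when stalled connections alone exceed the memory budget (page the on-call)."""
    return stalled_memory(records) > budget


# Constructed sample records: c1 is a normal browser, c2 shows the combined
# amplification-plus-stall pattern, c3 is a legitimate short zero-window pause
# during a slow download, c4 shows amplification without a stall.
SAMPLE_RECORDS = [
    ConnTelemetry("c1", "198.51.100.10", 600, 2400, 6, 65535, 0.0, 8 * 1024),
    ConnTelemetry("c2", "203.0.113.7", 200, 16000, 128, 0, 120.0, 80 * 1024 * 1024),
    ConnTelemetry("c3", "198.51.100.22", 400, 1600, 1, 0, 5.0, 64 * 1024),
    ConnTelemetry("c4", "203.0.113.9", 100, 5000, 10, 65535, 0.0, 512 * 1024),
]

if __name__ == "__main__":
    for conn_id, reasons in find_suspicious(SAMPLE_RECORDS).items():
        print(f"{conn_id}: {', '.join(reasons)}")
    print("stalled memory (bytes):", stalled_memory(SAMPLE_RECORDS))
    print("memory budget exceeded:", memory_budget_exceeded(SAMPLE_RECORDS))
```

The two signals that matter most are the combination flagged on `c2`: a high decoded-to-wire header ratio together with a long zero-window stall while the server holds memory for the connection. Either signal alone has benign explanations (a slow client on a large download, or a heavily repetitive header set), so the per-connection labels are best used to prioritise, while the aggregate `memory_budget_exceeded` check is the one worth alerting on, since memory exhaustion is the outcome the attack is after.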

Source articles (6)

  • HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora — Cybersecuritynews · 2026-06-03
    A newly disclosed remote denial-of-service exploit dubbed “HTTP/2 Bomb” targets the default HTTP/2 configurations of the world’s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, E…
  • HTTP/2 Bomb Remote DoS Exploit Impacts nginx, Apache, IIS, Envoy, and Cloudflare Pingora — Gbhackers · 2026-06-03
    A newly disclosed “HTTP/2 Bomb” attack is raising serious concerns across the web infrastructure ecosystem, enabling remote denial-of-service (DoS) conditions against widely deployed servers including…
  • New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute — Bleepingcomputer · 2026-06-03
    A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. The technique works on default HTTP/2 configurations of major web…
  • HTTP/2 Bomb exploit chains compression and connection holds to crash web servers — Feeds.4Sysops · 2026-06-03
    A newly discovered vulnerability called HTTP/2 Bomb allows remote attackers to crash major web servers by combining header compression exploits with connection-holding techniques. The attack targets t…
  • Codex Discovered A Hidden Http2 Bomb — blog.calif.io · 2026-06-03
  • Http2 Bomb — github.com · 2026-06-03

Timeline

  • 2026-06-03 — HTTP/2 Bomb attack disclosed: The HTTP/2 Bomb attack was revealed, impacting major web servers like NGINX and Apache, allowing memory exhaustion within seconds.
  • 2026-06-03 — Proof-of-concept exploits published: Researchers released proof-of-concept exploits for the HTTP/2 Bomb attack technique, demonstrating its effectiveness.
  • 2026-06-03 — Technical details to be presented: Full technical details of the HTTP/2 Bomb attack will be disclosed at the Real World AI Security conference later this month.

CVEs

  • CVE-2026-49975

Related entities

  • DDoS (Attack Type)
  • Denial of Service (Attack Type)
  • CWE-400 - Uncontrolled Resource Consumption (CWE)
  • T1499 - Endpoint Denial of Service (MITRE ATT&CK)
  • Apache Httpd (Platform)
  • Apache HTTP Server (Platform)
  • Cloudflare Pingora (Platform)
  • Microsoft IIS (Platform)
  • Envoy (Company)
  • Nginx (Tool)
  • HTTP/2 Bomb (Vulnerability)