New ‘HTTP/2 Bomb’ attack can crash major web servers from a single computer

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers using a single machine. The technique works against default HTTP/2 configurations on widely used platforms including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

The attack was discovered by OpenAI’s Codex software agent under the guidance of researchers at offensive security firm Calif. It combines two previously known HTTP/2 denial-of-service techniques: HPACK compression amplification and Slowloris-style resource retention through HTTP/2 flow-control stalling.

According to the researchers, the combination dramatically increases the impact of both methods. “A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds,” the researchers said. They reported that a single client could consume and hold 32GB of server memory in roughly 20 seconds on Apache httpd and Envoy.

The first stage of the attack abuses HPACK, the header compression mechanism used in HTTP/2. Attackers insert a header into the HPACK dynamic table and repeatedly reference it using a compact representation that can be as small as one byte.

This creates a significant amplification effect, where a tiny amount of attacker traffic forces large memory allocations on the server. Researchers measured amplification ratios of approximately 5,700:1 on Envoy and 4,000:1 on Apache httpd.

The second stage prevents that memory from being released. Attackers advertise a zero-byte flow-control window, causing requests to remain incomplete. Servers continue sending small update frames to avoid timing out the connection, while memory usage continues to grow.

Researchers said this approach bypasses many existing protections because the attack relies on internal memory allocations rather than unusually large headers.

During testing, the researchers reported the following results:

  • Envoy 1.37.2 exhausted 32GB of RAM in about 10 seconds.
  • Apache httpd 2.4.67 exhausted 32GB of RAM in about 18 seconds.
  • NGINX 1.29.7 exhausted 32GB of RAM in about 45 seconds.
  • Microsoft IIS on Windows Server 2025 exhausted 64GB of RAM in about 45 seconds.

The full technical details will be presented later this month at the Real World AI Security conference by researcher Quang Luong. However, proof-of-concept exploits have already been published.

Some vendors have already addressed the issue. NGINX fixed the problem in version 1.29.8 by introducing a new “max_headers” directive, while Apache patched the vulnerability in mod_http2 2.0.41 and assigned it CVE-2026-49975.

At the time of publication, no patches were available for IIS, Envoy, or Pingora. Researchers recommend disabling HTTP/2 where practical and placing proxies or firewalls in front of vulnerable systems to enforce strict header-count limits. Deployments already protected by CDNs, reverse proxies, web application firewalls, or custom HTTP/2 restrictions may also be less exposed to the attack.

 

Top Stories

Related Articles

June 26, 2026 Polaroid has launched a new advertising campaign criticizing data centre water consumption as concerns about the environmental more...

June 26, 2026 Opposition to large-scale data centre developments tied to the artificial intelligence boom is beginning to influence U.S. more...

June 26, 2026 Meta's chief technology officer says employee morale has fallen to one of the lowest levels in the more...

June 26, 2026 Memory chip maker Micron says it has signed 16 long-term strategic customer agreements that include price floors more...

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn