Skip to main content
CybersecurityVulnerability Management

HTTP/2 Bomb Vulnerability Targets Major Web Servers with Remote DoS Exploit

Server room with equipment and cables, highlighting a generic server rack in the foreground.

"The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said.

How HTTP/2 Bomb weaponizes HPACK and flow-control

Researchers at Calif have named the flaw HTTP/2 Bomb. According to Calif, the exploit chains two familiar techniques — a compression bomb and a Slowloris-style hold — and was discovered by OpenAI Codex. The bomb targets HPACK, HTTP/2's header-compression scheme, where "one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request," Calif said.

HPACK uses Huffman encoding and yields an average reduction of about 30% in header size; it was designed to be resilient to attacks such as CRIME. What Calif describes as novel is the source of amplification: instead of stuffing a large decoded header value into the compression table (the classic "HPACK Bomb"), the new variant sends headers that are nearly empty while forcing servers to allocate per-entry bookkeeping for each header. Because the decoded-size limit never fires in that scenario, the usual server protections do not trigger.

That allocation is then pinned by a zero-byte flow-control window — a Slowloris-style hold — which "keeps the server from ever freeing any of it," Calif reported. The result is a remote denial-of-service that multiplies extremely small network activity into very large server memory consumption.

Servers affected: NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora

Calif says the vulnerable behavior exists in each server's default HTTP/2 configuration and explicitly names NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora as affected. The company gives a stark account of impact: a home computer on a 100 Mbps connection "has the potential to render a vulnerable server inaccessible within seconds," and "a single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds."

Those figures highlight the combination of modest attacker bandwidth and the disproportionate resource cost on the target when HTTP/2's compression bookkeeping is abused and the connection is held open.

Known precedents and related CVEs

Calif frames HTTP/2 Bomb as inspired by several prior techniques and disclosed flaws, including HPACK Bomb (aka CVE-2016-6581) and CVE-2025-53020, described in the source as a memory exhaustion vulnerability in Apache httpd's HTTP/2 implementation. Calif also references two older Apache HTTP Server DoS flaws involving crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation in an HTTP/2 connection (CVE-2016-1546). These precedents show a continuing pattern in which header handling and HTTP/2 framing have been avenues for amplification and resource exhaustion.

Mitigations issued today — specific vendor guidance

  • NGINX — Upgrade to 1.29.8 or later; that release "adds the max_headers directive with a default of 1000." If an upgrade is not possible, Calif recommends disabling HTTP/2 with the directive http2 off;.
  • Apache HTTPD — Fixed in mod_http2 v2.0.41. If an upgrade is not possible, the recommended temporary mitigation is to set Protocols http/1.1 to disable HTTP/2.
  • Microsoft IIS, Envoy, and Cloudflare Pingora — Calif reports that no patch is available for these products "as of writing."

Calif also emphasized a specification-level blind spot: "The deeper miss is that the spec frames memory risk purely as an amplification ratio, and ratio is only half the equation," the company said. "A 70:1 amplifier is harmless if the memory is freed when the request completes. It becomes an attack because HTTP/2 lets the client hold the connection open almost for free, pinning every allocated byte for as long as they like."

What this means for technologists, enterprises, and adversaries

  • Technologists and security teams — Patch and verify: apply NGINX 1.29.8+ or mod_http2 v2.0.41 where available, or temporarily disable HTTP/2 as instructed. Monitor connection counts and unusual per-connection memory usage, and prioritize services that use Apache HTTPD and Envoy where single-client memory consumption was demonstrably large.
  • Affected enterprises and procurement leaders — Identify whether external-facing and edge services use Microsoft IIS, Envoy, or Cloudflare Pingora; Calif reports no patches for those products at the time of disclosure, so risk will differ by vendor and by whether HTTP/2 can be disabled without breaking service agreements or user expectations.
  • Adversaries and threat actors — The exploit model in Calif's account rewards low-bandwidth attackers: a modest upstream link can, according to the company, rapidly pin gigabytes of server memory and render services inaccessible if servers remain in default HTTP/2 configurations.

Calif's disclosure places a narrow but urgent choice before operators: apply vendor fixes where they exist, or accept the friction of disabling HTTP/2 temporarily. The unanswered operational question left by the factual record is concrete: when will vendors without patches publish fixes and what interim controls will they recommend for high-traffic deployments?

Original report: https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html