
HTTP/2 Bomb: Single-Attacker Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora

dark6 8 June 2026

A newly disclosed remote denial-of-service exploit dubbed the “HTTP/2 Bomb” is shaking the web infrastructure world. Researcher Quang Luong, using OpenAI’s Codex, discovered that a single attacker on a home internet connection can exhaust tens of gigabytes of server memory in seconds by chaining two well-known but individually under-exploited HTTP/2 weaknesses together.

The affected servers include nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora — together responsible for serving the vast majority of web traffic globally. A Shodan analysis identified over 880,000 public-facing websites directly supporting HTTP/2 and running one of these servers.

How the Attack Works

The exploit chains two techniques: an HPACK compression bomb and a Slowloris-style connection hold.

HPACK (RFC 7541) is HTTP/2’s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers. A sender can insert a header once and then reference it with a single byte. The receiver, however, must materialize a full copy of that header on every reference. The attacker seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request — costing the attacker virtually nothing while forcing the server to allocate large amounts of memory per reference.

The second component exploits HTTP/2 per-stream flow control (RFC 9113). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response. A trickle of 1-byte WINDOW_UPDATE frames continuously resets the send timeout, pinning every memory allocation in place indefinitely — turning a transient amplification into a persistent memory hold.

Amplification Ratios and Real-World Impact

The measured amplification ratios are staggering:

  • Envoy 1.37.2: ~5,700:1 amplification — ~32 GB memory exhausted in ~10 seconds
  • Apache httpd 2.4.67: ~4,000:1 amplification — ~32 GB in ~18 seconds
  • nginx 1.29.7: ~70:1 amplification — ~32 GB in ~45 seconds
  • Microsoft IIS (Windows Server 2025): ~68:1 amplification — ~64 GB in ~45 seconds

For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 explicitly permits splitting a Cookie header into one field per cookie; neither Apache nor Envoy was counting those crumbs against field limits. Envoy appends each fragment into a buffer, while Apache httpd rebuilds the entire merged cookie string on every crumb — leaving older copies live until stream cleanup.
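The two paragraphs above come down to one accounting question: does the receiver charge each header field by the bytes it materializes, or only by how many fields it has seen? The toy HPACK decoder below is an added example (not code from the article or from any of the servers it names) that decodes a header block while charging every field, including a one-byte indexed reference, its full decoded size plus the 32-byte per-entry overhead that RFC 7541 §4.1 uses for table entries, and aborts the block when either the field-count or the decoded-byte budget is exceeded. It assumes a decoder that rejects Huffman-coded strings, reproduces only a handful of static-table entries, and uses the RFC entry-size formula rather than any real server's bookkeeping; the header block it feeds itself is constructed for the test and deliberately small.

```python
"""Toy HPACK decoder that budgets decoded bytes, not just field count (added example)."""
from dataclasses import dataclass, field

STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A has 61 entries; dynamic entries start at 62
STATIC_SUBSET = {       # only the static entries the constructed samples below need
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
    7: (":scheme", "https"), 8: (":status", "200"),
}
ENTRY_OVERHEAD = 32     # RFC 7541 section 4.1 per-entry overhead (assumed per-field cost here)


class HeaderBlockTooLarge(Exception):
    """Raised as soon as a header block exceeds the field or decoded-byte budget."""


@dataclass
class BudgetedDecoder:
    max_decoded_bytes: int = 16384   # budget on materialised header bytes per block
    max_fields: int = 1000           # a count cap alone is what the article says was bypassed
    max_table_size: int = 4096       # SETTINGS_HEADER_TABLE_SIZE default
    dynamic: list = field(default_factory=list)
    table_size: int = 0

    def _read_int(self, data, pos, prefix_bits):
        """RFC 7541 section 5.1 integer: N-bit prefix, then 7-bit continuation bytes."""
        mask = (1 << prefix_bits) - 1
        value, pos = data[pos] & mask, pos + 1
        if value < mask:
            return value, pos
        shift = 0
        while True:
            if pos >= len(data):
                raise ValueError("truncated integer")
            b, pos = data[pos], pos + 1
            value += (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return value, pos

    def _read_string(self, data, pos):
        """RFC 7541 section 5.2 string literal; the Huffman (H) bit is rejected here."""
        huffman = bool(data[pos] & 0x80)
        length, pos = self._read_int(data, pos, 7)
        if huffman:
            raise ValueError("Huffman-coded strings are not supported in this toy decoder")
        if pos + length > len(data):
            raise ValueError("truncated string")
        return data[pos:pos + length].decode("latin-1"), pos + length

    def _lookup(self, index):
        if index == 0:
            raise ValueError("index 0 is not a valid header reference")
        if index <= STATIC_TABLE_SIZE:
            if index not in STATIC_SUBSET:
                raise ValueError(f"static index {index} is not reproduced in this example")
            return STATIC_SUBSET[index]
        dyn = index - STATIC_TABLE_SIZE - 1
        if dyn >= len(self.dynamic):
            raise ValueError(f"dynamic index {index} out of range")
        return self.dynamic[dyn]

    def _evict(self):
        while self.table_size > self.max_table_size and self.dynamic:
            n, v = self.dynamic.pop()
            self.table_size -= len(n) + len(v) + ENTRY_OVERHEAD

    def _add_to_table(self, name, value):
        """Insert at the front, evict from the back until the table fits (section 4.4)."""
        self.dynamic.insert(0, (name, value))
        self.table_size += len(name) + len(value) + ENTRY_OVERHEAD
        self._evict()

    def _literal(self, data, pos, name_index):
        if name_index == 0:
            name, pos = self._read_string(data, pos)
        else:
            name = self._lookup(name_index)[0]
        value, pos = self._read_string(data, pos)
        return name, value, pos

    def decode(self, data):
        """Decode one header block; raise HeaderBlockTooLarge when a budget is exceeded."""
        headers, decoded_bytes, pos = [], 0, 0
        while pos < len(data):
            b = data[pos]
            if b & 0x80:                       # 1xxxxxxx  indexed header field
                index, pos = self._read_int(data, pos, 7)
                name, value = self._lookup(index)
            elif b & 0x40:                     # 01xxxxxx  literal with incremental indexing
                index, pos = self._read_int(data, pos, 6)
                name, value, pos = self._literal(data, pos, index)
                self._add_to_table(name, value)
            elif b & 0x20:                     # 001xxxxx  dynamic table size update
                size, pos = self._read_int(data, pos, 5)
                if size > 4096:
                    raise ValueError("table size update above the advertised setting")
                self.max_table_size = size
                self._evict()
                continue
            else:                              # 0000xxxx / 0001xxxx  literal, not indexed
                index, pos = self._read_int(data, pos, 4)
                name, value, pos = self._literal(data, pos, index)
            headers.append((name, value))
            # The check that matters: a 1-byte reference is charged its full materialised size.
            decoded_bytes += len(name) + len(value) + ENTRY_OVERHEAD
            if len(headers) > self.max_fields:
                raise HeaderBlockTooLarge(f"more than {self.max_fields} fields")
            if decoded_bytes > self.max_decoded_bytes:
                raise HeaderBlockTooLarge(f"{decoded_bytes} decoded bytes after {len(headers)} fields")
        return headers


def decode_with_limits(block, max_decoded_bytes, max_fields=1000):
    return BudgetedDecoder(max_decoded_bytes=max_decoded_bytes, max_fields=max_fields).decode(block)


def constructed_sample(references=300):
    """Constructed input: one 64-byte header added to the dynamic table, then
    `references` one-byte references to it (0xBE = indexed field 62). Kept small on purpose."""
    seed = b"\x40" + b"\x05" + b"x-pad" + b"\x40" + b"a" * 64
    return seed + b"\xbe" * references
```

With a 1,000-field cap and no byte budget, the constructed block decodes to 301 fields and is accepted; with a 16 KB decoded-byte budget the same block is rejected at the 163rd field, which is the difference between the count-based limits the article says Apache and Envoy relied on and a size-based limit.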

CVEs and Patches

The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers directive with a default ceiling of 1,000 headers. At time of writing, no patches are available for Microsoft IIS, Envoy, or Cloudflare Pingora.

Prior related CVEs include CVE-2016-6581 (original HPACK Bomb by Cory Benfield), CVE-2025-53020 (Apache ~4,000:1 amplification), and CVE-2016-8740.

Mitigations

Security teams should act immediately based on their server stack:

  • nginx: Upgrade to 1.29.8+; if not possible, set http2 off; in configuration
  • Apache httpd: Apply mod_http2 v2.0.41; alternatively set Protocols http/1.1 to disable HTTP/2
  • Microsoft IIS / Envoy / Cloudflare Pingora: No patch available — disable HTTP/2 or front with a proxy that enforces a hard per-request header count cap
  • All servers: Cap per-worker memory via cgroups, ulimit -v, or container limits — an OOM-killed worker that respawns is far better than a machine pushed into swap
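The list above as configuration, added here as an example rather than taken from the article or any vendor documentation. The nginx `http2 off;` and Apache `Protocols http/1.1` settings are the ones the article names; the `max_headers` directive is used as the article describes it (shipped in 1.29.8, default 1,000), and its placement in the http context, the value 100, the drop-in path and the `MemoryMax` figure are assumptions to check against your own version's documentation and capacity.

```conf
# --- nginx 1.29.8+ (assumption: max_headers accepted in the http context) ---
http {
    max_headers 100;                 # tighter than the 1,000 default the article reports
    server {
        listen 443 ssl;
        http2 on;
    }
}

# --- nginx before 1.29.8: no header ceiling available, so turn HTTP/2 off ---
http {
    server {
        listen 443 ssl;
        http2 off;
    }
}

# --- Apache httpd, until mod_http2 v2.0.41 is applied: drop h2 from the protocol list ---
Protocols http/1.1

# --- any server: cgroup memory cap on the service (assumed drop-in path:
# /etc/systemd/system/nginx.service.d/memory.conf); an OOM-killed worker
# restarts, a host pushed into swap does not recover on its own ---
[Service]
MemoryMax=2G
```

The cgroup cap is per service unit, so it bounds the whole worker pool rather than one worker; size it so that a single exhausted worker is killed well before the host starts swapping.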

Broader Implications

The research team concludes this vulnerability class reflects a specification defect in RFC 7541. Section 7.3 frames memory risk solely as an amplification ratio and treats SETTINGS_HEADER_TABLE_SIZE as a sufficient bound — but it does not account for per-entry bookkeeping overhead. Five independent implementations read the same section and shipped the same bug.

PoC scripts, Docker labs, and per-server writeups are available at the Codex GitHub repository. Researcher Quang Luong is scheduled to present the techniques at the Real World AI Security conference at Stanford in June 2026. Organizations should treat this as a high-priority patching item given the ease of exploitation and the potential for complete service disruption from a single attacker with minimal resources.
