Perceptive Security
SOC/SIEM Consultancy

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Published:
3 June 2026 at 08:33:35
Alert date:
3 June 2026 at 10:00:31
Source:
thehackernews.com
Web Technologies, Network Infrastructure, Zero-Day Vulnerabilities
Cybersecurity researchers have disclosed a remote denial-of-service exploit called HTTP/2 Bomb that affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability lies in each server's default HTTP/2 configuration and was found by OpenAI Codex through vulnerability chaining techniques. It represents a significant threat to web infrastructure because it lets a remote, unauthenticated attacker exhaust memory on commonly used web servers.
Technical details
The HTTP/2 Bomb vulnerability targets HPACK (HTTP/2's header compression scheme) by combining a compression bomb technique with a Slowloris-style hold. The amplification comes from the per-entry bookkeeping a server allocates for every decoded header field, even a nearly empty one: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. A zero-byte flow-control window then keeps the stream open, so the server cannot free any of the memory it has allocated. Unlike classic HPACK bombs that stuff large values into the tables, this variant creates amplification through nearly empty headers, which slip past decoded-size limits because there is almost nothing to decode; the bookkeeping overhead per field, not the decoded bytes, is what consumes memory.
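To make the difference between a decoded-size cap and a header-count cap concrete, the following is an added example, not code from the article or from any of the servers it names: a minimal HPACK (RFC 7541) header-block decoder that enforces both limits field by field, run on two constructed inputs. It supports only non-Huffman strings and a subset of the static table; the limit values, the `DecodeResult` and `classify` names, and the sample blocks are this example's own choices, and the default header count of 1000 mirrors the NGINX `max_headers` default named in the mitigation steps.

```python
"""Added example: minimal HPACK decoder with a decoded-size cap and a
header-count cap, to show which one bounds per-field bookkeeping."""
from dataclasses import dataclass, field

# Subset of the RFC 7541 Appendix A static table (index -> (name, value)).
STATIC_TABLE = {
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
    7: (":scheme", "https"), 8: (":status", "200"), 38: ("host", ""),
    58: ("user-agent", ""),
}
STATIC_TABLE_SIZE = 61  # indices above this refer to the dynamic table


class HeaderBlockRejected(Exception):
    """Raised when a limit is exceeded; .reason is 'size' or 'count'."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


@dataclass
class DecodeResult:
    headers: list = field(default_factory=list)
    wire_bytes: int = 0      # encoded size of the whole block
    decoded_bytes: int = 0   # sum of decoded name and value lengths only


def _decode_int(block, pos, prefix_bits):
    """HPACK integer (RFC 7541 section 5.1) with an N-bit prefix."""
    mask = (1 << prefix_bits) - 1
    value = block[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        byte = block[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _decode_string(block, pos):
    """HPACK string literal (section 5.2); Huffman coding is out of scope."""
    if block[pos] & 0x80:
        raise ValueError("Huffman-coded string not supported in this example")
    length, pos = _decode_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length


def decode_header_block(block, max_decoded_bytes=64 * 1024, max_headers=1000):
    """Decode one header block, checking both limits after every field.

    The size cap counts only decoded name and value bytes, so a field that is
    one byte on the wire and nearly empty once decoded barely moves it. The
    count cap charges every field the same, which is what actually bounds the
    per-entry bookkeeping a server keeps for each decoded header.
    """
    result = DecodeResult(wire_bytes=len(block))
    dynamic_table = []  # newest entry first (RFC 7541 section 2.3.2)
    pos = 0

    def lookup(index):
        if index == 0:
            raise ValueError("index 0 is not allowed")
        if index <= STATIC_TABLE_SIZE:
            return STATIC_TABLE[index]  # KeyError for indices outside the subset
        return dynamic_table[index - STATIC_TABLE_SIZE - 1]

    while pos < len(block):
        first = block[pos]
        if first & 0x80:                    # 1xxxxxxx: indexed header field
            index, pos = _decode_int(block, pos, 7)
            name, value = lookup(index)
        elif first & 0xE0 == 0x20:          # 001xxxxx: dynamic table size update
            _, pos = _decode_int(block, pos, 5)
            continue
        else:                               # literal header field representations
            incremental = first & 0xC0 == 0x40
            index, pos = _decode_int(block, pos, 6 if incremental else 4)
            if index:
                name = lookup(index)[0]
            else:
                name, pos = _decode_string(block, pos)
            value, pos = _decode_string(block, pos)
            if incremental:
                dynamic_table.insert(0, (name, value))

        result.decoded_bytes += len(name) + len(value)
        if result.decoded_bytes > max_decoded_bytes:
            raise HeaderBlockRejected("size")
        result.headers.append((name, value))
        if len(result.headers) > max_headers:
            raise HeaderBlockRejected("count")
    return result


def classify(block, **limits):
    """Return 'ok', or the reason ('size' or 'count') the block was rejected."""
    try:
        decode_header_block(block, **limits)
        return "ok"
    except HeaderBlockRejected as exc:
        return exc.reason


# Constructed inputs for the demonstration.
NORMAL_REQUEST = b"\x82\x87\x84" + b"\x01\x0bexample.com"  # GET https://example.com/
# 5000 one-byte indexed references to static entry 1 (":authority", ""):
# 5000 bytes on the wire, 5000 header fields, only 50000 decoded bytes.
REPEATED_EMPTY = b"\x81" * 5000

if __name__ == "__main__":
    ok = decode_header_block(NORMAL_REQUEST)
    print("normal request:", ok.headers, "-", ok.wire_bytes, "wire bytes")
    print("repeated empty fields, size cap only:", classify(REPEATED_EMPTY, max_headers=10**9))
    print("repeated empty fields, size and count caps:", classify(REPEATED_EMPTY))
```

With only the size cap in place the 5000-field block is accepted, because 50000 decoded bytes sits comfortably under a 64 KiB budget; the count cap rejects it at the 1001st field. That is the shape of the fix the vendors shipped: bound the number of header fields, not just their decoded size.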
Mitigation steps:
NGINX: Upgrade to version 1.29.8 or later, which adds the max_headers directive with a default of 1000; if upgrading is not possible, disable HTTP/2 with 'http2 off;'
Apache HTTPD: Upgrade to mod_http2 v2.0.41; if upgrading is not possible, disable HTTP/2 by setting 'Protocols http/1.1'
Microsoft IIS, Envoy, and Cloudflare Pingora: No patches are currently available; monitor vendor advisories
Affected products:
NGINX (fixed in 1.29.8+)
Apache HTTPD (fixed in mod_http2 v2.0.41)
Microsoft IIS (no patch available)
Envoy (no patch available)
Cloudflare Pingora (no patch available)
Related links:
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
https://thehackernews.com/2023/11/alert-oracleiv-ddos-botnet-targets.html
https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2/
https://en.wikipedia.org/wiki/CRIME
https://nvd.nist.gov/vuln/detail/CVE-2016-6581
https://galbarnahum.com/posts/apache-httpd-cve-2025-53020
https://www.cve.org/CVERecord?id=CVE-2016-8740
https://www.cve.org/CVERecord?id=CVE-2016-1546
https://github.com/icing/mod_h2/releases
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
