‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds
Security WeekArchived Jun 03, 2026✓ Full text saved
The default HTTP/2 configuration of major web servers is vulnerable to an attack chain combining a compression bomb and a Slowloris-style hold. The post ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn.
Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.
According to California-based cybersecurity firm Calif, the attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations.
Furthermore, the company says, an attack can be launched from a home computer on a 100 Mbps connection and can render any of these servers unavailable within seconds.
The techniques chained by the exploit are not new. In fact, three of the underlying issues were disclosed a decade ago, while another was resolved last year.
The first part of the exploit uses HPACK Bomb (tracked as CVE-2016-6581), a compression-layer attack relying on small messages that turn into gigabytes of data once they reach the destination server.
Last year, the attack was demonstrated against Apache HTTPD with a 4000x amplification rate, and was resolved in Apache HTTP Server version 2.4.64 as CVE-2025-53020.
The second part of the new exploit targets CVE-2016-8740 and CVE-2016-1546 (Slow Read), two Apache HTTPD flaws leading to DoS conditions via Continuation frames in an HTTP/2 request and via modified flow-control windows.
These HTTP/2 Slowloris-type issues are abused for memory exhaustion by advertising a zero-byte flow-control window so that the server does not send a response, and then resetting the send timeout to prevent the server from freeing memory allocations.
“What’s new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size,” Calif notes.
“Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there’s almost nothing to decode,” the company explains.
Calif also identified a bypass for servers that cap the header-field count, and released proof-of-concept (PoC) code to demonstrate the attack.
The company says NGINX resolved the bug in April, while Apache rolled out fixes in late May (and issued CVE-2026-49975). Microsoft IIS, Envoy, and Cloudflare Pingora have not been patched at the time of writing.
“The other thing worth noting is how this exploit was found. Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers,” Calif notes.
Related: Exploit Code Published for Critical Flowise RCE Vulnerability
Related: PoC Released for DirtyDecrypt Linux Kernel Vulnerability
Related: PoC Code Published for Critical NGINX Vulnerability
Related: BeyondTrust Vulnerability Targeted by Hackers Within 24 Hours of PoC Release
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches
Meta AI Hands Over High-Profile Instagram Accounts to Hackers
Supply Chain Attack Hits 32 Red Hat NPM Packages
Oracle’s First Monthly Patches Resolve 77 Vulnerabilities
WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Dutch Police Dismantle Massive 17-Million-Device Botnet
Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Latest News
IMA Diligence Services Data Breach Impacts 525,000 People
Organizations Warned of Exploited Linux Kernel Vulnerability
Microsoft Tries to Calm Legal Threat Fears After Zero-Day Disclosure Backlash
Trump Signs Executive Order That Invites Vetting of Top AI Models for National Security Risks
Two New Reports Offer Competing Explanations for Cybersecurity’s Growing Crisis
Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk
Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
Anthropic Expanding Mythos Access to 150 New Organizations
Trending
Webinar: Third-Party Risk In Practice
June 4, 2026
Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.
Register
Virtual Roundtable: CISO Forum 2026 Mid-Year Review
June 10, 2026
Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks.
Register
People on the Move
Rapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.
Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.
CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.
More People On The Move
Expert Insights
The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor)
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Caught Off Guard: Securing AI After It Hits Production
As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb)
Cyber Resilience Is The New Business Continuity Plan
The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin)
Enhancing Data Center Security Without Sacrificing Performance
For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael)
Flipboard
Reddit
Whatsapp
Email