CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora

Cybersecurity News Archived Jun 03, 2026 ✓ Full text saved

A newly disclosed remote denial-of-service exploit dubbed “HTTP/2 Bomb” targets the default HTTP/2 configurations of the world’s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds. The exploit was discovered by […] The post HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora By Guru Baran June 3, 2026 A newly disclosed remote denial-of-service exploit dubbed “HTTP/2 Bomb” targets the default HTTP/2 configurations of the world’s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds. The exploit was discovered by researcher Quang Luong using Codex and chaining two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold. What makes this variant novel is not the primitives themselves, but the precise way they are combined and, critically, where the amplification originates. HTTP/2 Bomb Remote DoS Exploit HPACK (RFC 7541) is HTTP/2’s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers; a sender can insert a header once and subsequently reference it with a single-byte index. The receiver must materialize a full copy of that header on every reference. According to Jun Rong and Duc Phan, the exploit seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request, costing the attacker one wire byte while forcing the server to allocate anywhere from ~70 bytes (nginx, IIS, Pingora) to ~4,000 bytes (Apache httpd, Envoy) per reference. The second component exploits HTTP/2 per-stream flow control (RFC 9113). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response. A trickle of 1-byte WINDOW_UPDATE frames continuously resets the send timeout, pinning every memory allocation in place for as long as the attacker wishes turning a transient amplification into a persistent memory hold. Attack on Multiple OS Server Amplification Demo Result Envoy 1.37.2 ~5,700:1 ~32 GB in ~10s Apache httpd 2.4.67 ~4,000:1 ~32 GB in ~18s nginx 1.29.7 ~70:1 ~32 GB in ~45s Microsoft IIS (Windows Server 2025) ~68:1 ~64 GB in ~45s A Shodan analysis identified 880,000+ public-facing websites supporting HTTP/2 and running one of these servers, though many are fronted by CDNs that reduce direct exposure, Quang Luong said. For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 explicitly permits splitting a Cookie header into one field per crumb. Neither Apache nor Envoy was counting those crumbs against field limits. Envoy appends each crumb into a buffer; a 4 KB cookie value referenced 32,768 times produces a logical ~3,600:1 ratio, with measured RSS ratios reaching ~5,700:1 on a single stream once allocator overhead accumulates. Apache httpd rebuilds the entire merged cookie string on every crumb, leaving older copies live until stream cleanup, yielding ~4,000:1 even for an empty cookie. The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers directive with a default ceiling of 1,000 headers. Prior related CVEs include CVE-2016-6581 (original HPACK Bomb, coined by Cory Benfield), CVE-2025-53020 (Apache httpd ~4,000:1 amplification, Gal Bar Nahum), CVE-2016-8740, and CVE-2016-1546. Mitigations nginx: Upgrade to 1.29.8+; if not possible, set http2 off; Apache httpd: Apply mod_http2 v2.0.41 from the standalone releases; otherwise set Protocols http/1.1 to disable HTTP/2 Microsoft IIS / Envoy / Cloudflare Pingora: No patch available at time of writing disable HTTP/2 or front with a proxy enforcing a hard per-request header count cap All servers: Cap per-worker memory via cgroups, ulimit -v, or container limits an OOM-killed worker that respawns is a far better failure mode than a machine pushed into swap The research team concludes the vulnerability class reflects a specification defect in RFC 7541. Section 7.3 frames memory risk solely as an amplification ratio and treats SETTINGS_HEADER_TABLE_SIZE as a sufficient bound. It does not account for per-entry bookkeeping overhead; the amplification in this exploit comes entirely from allocator metadata around nearly empty headers, bypassing every decoded-size limit. Five independent implementations read the same section and shipped the same bug. PoC scripts, Docker labs, and per-server writeups are available at the Codex GitHub repository. The researcher Quang Luong will present the techniques at the Real World AI Security conference at Stanford in June 2026. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry Tycoon 2FA AiTM Kit Bypasses MFA on Entra ID and Google Workspace Accounts Latest News Cyber Security News WordPress Malware Abuses Steam Community Profiles for C2 Operations Cyber Security News Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign Cyber Security Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic Cyber Security Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages Cyber Security News Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗