CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Jun 04, 2026

HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora - CyberSecurityNews

CyberSecurityNews Archived Jun 04, 2026 ✓ Full text saved

HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora CyberSecurityNews

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora By Guru Baran June 3, 2026 A newly disclosed remote denial-of-service exploit dubbed “HTTP/2 Bomb” targets the default HTTP/2 configurations of the world’s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds. The exploit was discovered by researcher Quang Luong using Codex and chaining two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold. What makes this variant novel is not the primitives themselves, but the precise way they are combined and, critically, where the amplification originates. HTTP/2 Bomb Remote DoS Exploit HPACK (RFC 7541) is HTTP/2’s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers; a sender can insert a header once and subsequently reference it with a single-byte index. The receiver must materialize a full copy of that header on every reference. According to Jun Rong and Duc Phan, the exploit seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request, costing the attacker one wire byte while forcing the server to allocate anywhere from ~70 bytes (nginx, IIS, Pingora) to ~4,000 bytes (Apache httpd, Envoy) per reference. The second component exploits HTTP/2 per-stream flow control (RFC 9113). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response. A trickle of 1-byte WINDOW_UPDATE frames continuously resets the send timeout, pinning every memory allocation in place for as long as the attacker wishes turning a transient amplification into a persistent memory hold. Attack on Multiple OS Server Amplification Demo Result Envoy 1.37.2 ~5,700:1 ~32 GB in ~10s Apache httpd 2.4.67 ~4,000:1 ~32 GB in ~18s nginx 1.29.7 ~70:1 ~32 GB in ~45s Microsoft IIS (Windows Server 2025) ~68:1 ~64 GB in ~45s A Shodan analysis identified 880,000+ public-facing websites supporting HTTP/2 and running one of these servers, though many are fronted by CDNs that reduce direct exposure, Quang Luong said. For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 explicitly permits splitting a Cookie header into one field per crumb. Neither Apache nor Envoy was counting those crumbs against field limits. Envoy appends each crumb into a buffer; a 4 KB cookie value referenced 32,768 times produces a logical ~3,600:1 ratio, with measured RSS ratios reaching ~5,700:1 on a single stream once allocator overhead accumulates. Apache httpd rebuilds the entire merged cookie string on every crumb, leaving older copies live until stream cleanup, yielding ~4,000:1 even for an empty cookie. The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers directive with a default ceiling of 1,000 headers. Prior related CVEs include CVE-2016-6581 (original HPACK Bomb, coined by Cory Benfield), CVE-2025-53020 (Apache httpd ~4,000:1 amplification, Gal Bar Nahum), CVE-2016-8740, and CVE-2016-1546. Mitigations nginx: Upgrade to 1.29.8+; if not possible, set http2 off; Apache httpd: Apply mod_http2 v2.0.41 from the standalone releases; otherwise set Protocols http/1.1 to disable HTTP/2 Microsoft IIS / Envoy / Cloudflare Pingora: No patch available at time of writing disable HTTP/2 or front with a proxy enforcing a hard per-request header count cap All servers: Cap per-worker memory via cgroups, ulimit -v, or container limits an OOM-killed worker that respawns is a far better failure mode than a machine pushed into swap The research team concludes the vulnerability class reflects a specification defect in RFC 7541. Section 7.3 frames memory risk solely as an amplification ratio and treats SETTINGS_HEADER_TABLE_SIZE as a sufficient bound. It does not account for per-entry bookkeeping overhead; the amplification in this exploit comes entirely from allocator metadata around nearly empty headers, bypassing every decoded-size limit. Five independent implementations read the same section and shipped the same bug. PoC scripts, Docker labs, and per-server writeups are available at the Codex GitHub repository. The researcher Quang Luong will present the techniques at the Real World AI Security conference at Stanford in June 2026. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots Carnival Cruise Data Breach Exposes Millions of Customers’ Personal Information Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations Latest News Cyber Security News Microsoft Unveils Always-On AI Agent Scout to Integrate With Teams, Outlook, and More Cyber Security New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS Uncategorized HazyBeacon Camapign Weaponizes Amazon Web Services for Stealthy Communications Cyber Security News The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks ANY.RUN Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises
    💬 Team Notes
    Article Info
    Source
    CyberSecurityNews
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗