HTTP/2 Bomb Attacks Put Telcos, Healthcare Orgs at Risk
Dark Reading
The denial-of-service (DoS) exploit takes advantage of two features in HTTP/2 that were designed to save Internet bandwidth, not power massive amplification attacks.
Nate Nelson, Contributing Writer
June 15, 2026
A vulnerability at the very heart of how the modern Internet operates is disproportionately affecting organizations that have large, distributed footprints on the Web. Patches are available, but some idiosyncrasies in vendor rollouts have caused some confusion.
Earlier this spring, Calif security researcher Quang Luong used OpenAI's Codex to discover an exploit now referred to as the "HTTP/2 Bomb." As seems to be customary for severe, AI-discovered vulnerabilities, HTTP/2 Bomb (or, more formally, CVE-2026-49975) creatively chains together two old, nondescript features of a core Web technology to help attackers amplify junk traffic by orders of magnitude. Because it enables denial-of-service (DoS) attacks without any need for authentication, the issue received a high-severity 7.5 CVSS score.
What stands out most of all about HTTP/2 Bomb is the sheer scale of vulnerable online infrastructure. Calif's initial Shodan scan indicated that more than 880,000 websites support HTTP/2 and run one of the vulnerable types of servers: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. Those server providers have been releasing fixes, and organizations are advised to patch immediately where possible.
What's New with HTTP/2 Bomb
Shortly after the CVE-2026-49975 disclosure, Imperva reported that attackers in the wild were "running specialized tools designed to map out" vulnerable servers.
In the two weeks since, Pascal Geenens, director of threat intelligence for Radware, reports that there haven't been any major, observable HTTP/2 Bomb attacks to date, perhaps because threat actors already have so many other ways to perform DoS attacks. Still, he notes that a working proof-of-concept (PoC) is publicly available, "And it's easy to run. On the attacker side, you don't need a lot of resources to pull it off."
On the defender side, most servers now have dedicated patches available. Still, the rollout has been uneven. Nginx and Apache fixed the issue before public disclosure, and Envoy released its fix the day after publication. Microsoft took an extra week, releasing its mitigation on Patch Tuesday last week. Cloudflare has yet to patch the flaw.
Industries Most Affected by HTTP/2 Bomb
HTTP/2 Bomb is non-discriminating. "Sometimes you see vulnerable technologies that are more in use in the banking sector, for example; this is not that," says Igal Zeifman, CyCognito's vice president of marketing. He estimates that somewhere between 80% and 90% of his firm's customers are affected. "This is an everyman's vulnerability," he says.
That said, CyCognito's data suggests that certain industries are more impacted than others, simply because they run more Internet-connected servers than average. In its scanning, the firm found that about a quarter of vulnerable servers belong to organizations in communications industries — telecoms, media, and content businesses that manage traffic at scale, and where implementing the faster HTTP/2 is imperative. Following communications services are the IT (18%) and healthcare (17%) industries.
"The pattern points to a single underlying driver: the affected component is general-purpose web infrastructure," the researchers wrote. "Apache httpd and nginx sit in front of applications in every industry, often provisioned years ago and rarely revisited once stable."
How HTTP/2 Amplification Works
Amplification attacks are some of the oldest, simplest ways to cause disruptions on the Internet.
In the glory days of DDoS, amplification was how teen hackers took down corporate servers despite the limitations of their parents' dial-up connections. For instance, servers running the 1999 first-person shooter (FPS) video game Quake III Arena would respond to small "getinfo" or "getstatus" requests with a variety of information about players, configurations, etc. Hackers learned that if they sent lots of getstatus requests to a Quake III Arena server, and instructed it to send its responses to a victim's IP address, they could get a whole lot of bang for their buck, inputting a small volume of requests to generate a large volume of junk traffic against their target.
Josiah White, a teenager who learned DDoS by recreating this technique, went on to create history's most significant botnet, Mirai.
HTTP/2 Bomb operates off the same principle, but instead of taking advantage of a quirk in a particular kind of server, it exploits HTTP/2 itself. Ironically, it exploits two features that were expressly designed to save Internet bandwidth. The first, "HPACK," unburdens clients and servers from having to trade the same header metadata back and forth by saving the data in shorthand, using an index. The second, "flow control," prevents a client from being overloaded by a server's responses.
In oversimplified terms, an attacker can send a continuous stream of tiny requests that force the server to create bigger header structures (akin to the Quake III Arena technique), then block the server's ability to send responses back and, in turn, to free up the memory it needs to accommodate the endless stream of requests. The result: Even a laptop on home Wi-Fi can take out an nginx server in 45 seconds, or Envoy in 10.
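The HPACK half of that description can be shown from the receiving side. The following is an added example, not code from the article, the researchers or any affected server: it models generic HPACK indexing per RFC 7541 (not the specifics of CVE-2026-49975 or the flow-control half), and counts decoded header bytes against a budget the way a receiver can enforce a maximum header list size. The function names, the 16384-byte budget and the sample bytes are constructed for illustration.

```python
# Added illustration: HPACK subset (RFC 7541); no Huffman, static table or eviction.
STATIC_ENTRIES = 61   # indices 1..61 are static; dynamic entries start at 62
ENTRY_OVERHEAD = 32   # per-field accounting overhead (RFC 7541 s4.1, RFC 7540 s6.5.2)
class HeaderListTooLarge(Exception): pass

def decode_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix integer (RFC 7541 s5.1); return (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def decode_block(buf, table, max_header_list_size):
    """Return (wire_bytes, decoded_bytes); raise once decoded size passes the budget."""
    decoded, pos = 0, 0
    while pos < len(buf):
        if buf[pos] & 0x80:                   # indexed field: a reference, no payload
            idx, pos = decode_int(buf, pos, 7)
            if not STATIC_ENTRIES < idx <= STATIC_ENTRIES + len(table):
                raise ValueError("index outside the dynamic table")
            name, value = table[idx - STATIC_ENTRIES - 1]
        elif buf[pos] == 0x40:                # literal with new name, added to the table
            n, pos = decode_int(buf, pos + 1, 7)
            name, pos = buf[pos:pos + n], pos + n
            n, pos = decode_int(buf, pos, 7)
            value, pos = buf[pos:pos + n], pos + n
            table.insert(0, (name, value))    # newest entry becomes index 62
        else:
            raise ValueError("representation not covered by this sketch")
        decoded += len(name) + len(value) + ENTRY_OVERHEAD
        if decoded > max_header_list_size:    # refuse before buffering any more
            raise HeaderListTooLarge(f"{decoded} > {max_header_list_size}")
    return len(buf), decoded

def constructed_sample():
    """Constructed input: index one 3000-byte value, then reference it 100 times."""
    table = []
    decode_block(b"\x40\x01x\x7f\xb9\x16" + b"A" * 3000, table, 16384)
    return table, bytes([0x80 | 62]) * 100

if __name__ == "__main__":
    table, refs = constructed_sample()
    print(decode_block(refs, table, 10**9))   # budget effectively disabled
```

With the budget effectively disabled, 100 bytes on the wire account for 303,300 decoded bytes; with the 16384-byte budget the same block is rejected at the sixth reference.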
"[For] a DDoS geek like me," says Zeifman, "the implementation itself is very interesting, because HTTP/2 Bomb is not new. The idea of sending a small request in and then having it expand into your memory, and then they tie it in with a Slowloris type of attack — that keeps the connection open so you can send those small requests in — and suddenly you're out of memory. It's two very simple concepts. Why hasn't anybody thought about that before?"
"Do whatever you can to patch as quickly as possible," he warns organizations, "because if you're running anything on the Internet, there is a very high chance that this is in scope for you."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.