
HTTP/2 Bomb Attacks Put Telcos, Healthcare Orgs at Risk

Dark Reading, archived Jun 16, 2026

The denial-of-service (DoS) exploit takes advantage of two features in HTTP/2 that were designed to save Internet bandwidth, not power massive amplification attacks.


By Nate Nelson, Contributing Writer
June 15, 2026

A vulnerability at the very heart of how the modern Internet operates is disproportionately affecting organizations that have large, distributed footprints on the Web. Patches are available, but some idiosyncrasies in vendor rollouts have caused some confusion.

Earlier this spring, Calif security researcher Quang Luong used OpenAI's Codex to discover an exploit now referred to as the "HTTP/2 Bomb." As seems to be customary of severe, AI-discovered vulnerabilities, HTTP/2 Bomb — or, more formally, CVE-2026-49975 — creatively chains together two old, nondescript features of a core Web technology to help attackers amplify junk traffic by orders of magnitude. Because it can cause denial-of-service (DoS) attacks without any need for authentication, the issue received a high-severity 7.5 CVSS score.

What stands out most of all about HTTP/2 Bomb is the sheer scale of vulnerable online infrastructure. Calif's initial Shodan scan indicated that more than 880,000 websites support HTTP/2 and run one of the vulnerable types of servers: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. Those server providers have been releasing fixes, and organizations are advised to patch immediately where possible.

What's New with HTTP/2 Bomb

Shortly after the CVE-2026-49975 disclosure, Imperva reported that attackers in the wild were "running specialized tools designed to map out" vulnerable servers.

In the two weeks since, Pascal Geenens, director of threat intelligence for Radware, reports that there haven't been any major, observable HTTP/2 Bomb attacks to date, perhaps because threat actors already have so many other ways to perform DoS attacks. Still, he notes that a working proof-of-concept (PoC) is publicly available, "And it's easy to run. On the attacker side, you don't need a lot of resources to pull it off."

On the defender side, most servers now have dedicated patches available. Still, the rollout has been uneven. Nginx and Apache fixed the issue before public disclosure, and Envoy released its fix the day after publication. Microsoft took an extra week, releasing its mitigation on Patch Tuesday last week. Cloudflare has yet to patch the flaw.

Industries Most Affected by HTTP/2 Bomb

HTTP/2 Bomb is non-discriminating. "Sometimes you see vulnerable technologies that are more in use in the banking sector, for example; this is not that," says Igal Zeifman, CyCognito's vice president of marketing. He estimates that somewhere between 80% and 90% of his firm's customers are affected. "This is an everyman's vulnerability," he says.

That said, CyCognito's data suggests that certain industries are more impacted than others, simply because they run more Internet-connected servers than average. In its scanning, the firm found that about a quarter of vulnerable servers belong to organizations in communications industries — telecoms, media, and content businesses that manage traffic at scale, and where implementing the faster HTTP/2 is imperative. Following communications services are the IT (18%) and healthcare (17%) industries.

"The pattern points to a single underlying driver: the affected component is general-purpose web infrastructure," the researchers wrote. "Apache httpd and nginx sit in front of applications in every industry, often provisioned years ago and rarely revisited once stable."

How HTTP/2 Amplification Works

Amplification attacks are some of the oldest, simplest ways to cause disruptions on the Internet. In the glory days of DDoS, amplification was how teen hackers took down corporate servers despite the limitations of their parents' dial-up connections.

For instance, servers running the 1999 first-person shooter (FPS) video game Quake III Arena would respond to small "getinfo" or "getstatus" requests with a variety of information about players, configurations, etc. Hackers learned that if they sent lots of getstatus requests to a Quake III Arena server, and instructed it to send its responses to a victim's IP address, they could get a whole lot of bang for their buck, inputting a small volume of requests to generate a large volume of junk traffic against their target.

Josiah White, a teenager who learned DDoS by recreating this technique, went on to create history's most significant botnet, Mirai.

HTTP/2 Bomb operates off the same principle, but instead of taking advantage of a quirk in a particular kind of server, it exploits HTTP/2 itself. Ironically, it exploits two features that were expressly designed to save Internet bandwidth. The first, "HPACK," unburdens clients and servers from having to trade the same header metadata back and forth by saving the data in shorthand, using an index. The second, "flow control," prevents a client from being overloaded by a server's responses.

In oversimplified terms, an attacker can send a continuous stream of tiny requests that force the server to create bigger header structures — akin to the Quake III Arena technique — then block the server's ability to send responses back and, in turn, to relieve its memory stores to accommodate the endless stream of requests. The result: Even a laptop on home Wi-Fi can take out an nginx server in 45 seconds, or Envoy in 10.

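The interaction described above can be made concrete with a toy per-connection ledger that compares bytes received with decoded header bytes a server still holds for streams stalled by flow control. This is an added illustration, not code from the article, from Calif's research, or from any vendor patch; the `ConnectionAccount` class, the 64 KiB cap, the one-byte cost per index reference and the sample header are assumptions, and only the 32-octet entry overhead comes from RFC 7541.

```python
from dataclasses import dataclass, field

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: octets added to every table entry's size


@dataclass
class ConnectionAccount:
    """Toy per-connection ledger: bytes received vs. decoded header bytes still held."""
    max_retained: int = 64 * 1024                  # assumed cap, not a vendor default
    table: list = field(default_factory=list)      # stand-in for the HPACK dynamic table
    wire_bytes: int = 0                            # what the client actually sent
    retained: dict = field(default_factory=dict)   # stream id -> decoded bytes held

    def add_literal(self, name: str, value: str) -> int:
        """A header sent in full once and indexed; later requests only refer to it."""
        self.table.append((name, value))
        self.wire_bytes += len(name) + len(value) + 3  # simplified literal encoding
        return len(self.table) - 1

    def on_request(self, stream_id: int, refs: list, send_window: int) -> bool:
        """Account for one request; return False when the connection should be reset."""
        self.wire_bytes += len(refs)               # each index reference modeled as 1 byte
        decoded = sum(len(n) + len(v) + ENTRY_OVERHEAD
                      for n, v in (self.table[i] for i in refs))
        if send_window > 0:
            return True                            # response drains, memory is released
        self.retained[stream_id] = decoded         # stalled stream: headers stay in memory
        return self.held() <= self.max_retained

    def held(self) -> int:
        return sum(self.retained.values())


def simulate(send_window: int, limit: int = 1000):
    """Constructed traffic: one 1000-byte header indexed once, then one reference per request.
    Returns (request number that tripped the cap or None, wire bytes, bytes held)."""
    conn = ConnectionAccount()
    idx = conn.add_literal("x-constructed-header", "v" * 1000)
    for n, stream_id in enumerate(range(1, 2 * limit, 2), start=1):
        if not conn.on_request(stream_id, [idx], send_window):
            return n, conn.wire_bytes, conn.held()
    return None, conn.wire_bytes, conn.held()


if __name__ == "__main__":
    print("stalled client :", simulate(send_window=0))
    print("draining client:", simulate(send_window=65535))
```

With this constructed input, the stalled client pins 66,276 decoded bytes after sending 1,086, and the ledger flags it at request 63; the client whose responses drain never reaches the cap.
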
"[For] a DDoS geek like me," says Zeifman, "the implementation itself is very interesting, because HTTP/2 Bomb is not new. The idea of sending a small request in and then having it expand into your memory, and then they tie it in with a Slowloris type of attack — that keeps the connection open so you can send those small requests in — and suddenly you're out of memory. It's two very simple concepts. Why hasn't anybody thought about that before?" "Do whatever you can to patch as quickly as possible," he warns organizations, "because if you're running anything on the Internet, there is a very high chance that this is in scope for you. About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? 