PROBABLYPWNED
Vulnerabilities | June 4, 2026 | 4 min read

HTTP/2 Bomb Exploit Crashes Servers in Seconds — 880K Sites Vulnerable

CVE-2026-49975 combines HPACK compression abuse with Slowloris-style holds to exhaust 32GB of server memory in 10 seconds. nginx and Apache patched; IIS, Envoy remain exposed.

Marcus Chen

Security researchers publicly disclosed a denial-of-service technique on June 3 that can crash major web servers within seconds using nothing more than a home internet connection. The attack, dubbed "HTTP/2 Bomb," chains two known techniques in a novel way that bypasses existing protections.

Tracked as CVE-2026-49975, the vulnerability affects nginx, Apache HTTPD, Microsoft IIS, Envoy proxy, and Cloudflare Pingora. A Shodan scan confirmed over 880,000 public-facing servers are exposed with default HTTP/2 configurations.

The Attack Mechanism

The HTTP/2 Bomb combines two long-standing infrastructure manipulation techniques that individually have mitigations, but together bypass those controls.

Stage 1: HPACK Compression Abuse

HTTP/2 uses HPACK compression to reduce header overhead. The attack exploits how servers maintain the HPACK dynamic table: the attacker first seeds the server's table with a single large header entry (HPACK only adds entries through a literal header field with incremental indexing, so that first request carries the full value exactly once). Subsequent requests then send thousands of indexed references back to that entry; a reference to the newest dynamic-table entry is a single byte on the wire.

As Calif's technical disclosure explains, "one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request." The amplification comes from per-entry bookkeeping rather than from large decoded values, which is why the size-based limits on decoded headers that servers already enforce do not stop it.
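What the server-side decoder does with that traffic, as an added example written for this article rather than code from the researchers' disclosure or any vendor: a minimal Python model of the RFC 7541 representations involved (integer coding, the one-byte indexed representation, literal with incremental indexing, non-Huffman strings, no table-size eviction), a naive decoder that materialises one header per indexed reference, and the same decoder with the per-request field-count cap that mitigation 2 below describes. The 4 KB entry, 4,000 references and cap of 100 are illustrative assumptions, not figures from the disclosure.

```python
"""Added example (not the researchers' or any vendor's code): a minimal model
of the HPACK stage of the attack. Implements RFC 7541 integer coding, the
indexed representation (1xxxxxxx) and literal-with-incremental-indexing
(01xxxxxx) with non-Huffman strings; no table-size eviction. The decoder
materialises one header per indexed reference, the way a naive server would;
with max_header_count set it enforces a per-request field-count cap.
The 4 KB value, 4,000 references and cap of 100 are illustrative assumptions."""

FIRST_DYNAMIC_INDEX = 62  # RFC 7541 Appendix A: 61 static entries, dynamic starts at 62


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix; flags fill the top bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    """Inverse of encode_int; returns (value, next_pos)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    return encode_int(len(s), 7) + s  # H bit 0: raw octets, no Huffman


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not modelled")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def literal_with_indexing(name, value):
    """01 000000 = literal with incremental indexing, new name follows."""
    return encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)


def indexed(index):
    """1xxxxxxx = indexed header field; index 62 fits in a single byte."""
    return encode_int(index, 7, 0x80)


class Decoder:
    def __init__(self, max_header_count=None):
        self.dynamic = []  # newest entry first, i.e. index 62
        self.max_header_count = max_header_count

    def decode(self, block):
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:  # indexed reference
                index, pos = decode_int(block, pos, 7)
                if index < FIRST_DYNAMIC_INDEX:
                    raise ValueError("static table is not modelled")
                name, value = self.dynamic[index - FIRST_DYNAMIC_INDEX]
                headers.append((name, value))  # one header-list entry per reference
            elif first & 0x40:  # literal, added to the dynamic table
                index, pos = decode_int(block, pos, 6)
                if index != 0:
                    raise ValueError("indexed names are not modelled")
                name, pos = decode_string(block, pos)
                value, pos = decode_string(block, pos)
                self.dynamic.insert(0, (name, value))
                headers.append((name, value))
            else:
                raise ValueError("representation not modelled")
            if self.max_header_count is not None and len(headers) > self.max_header_count:
                raise ValueError("too many header fields in one request")
        return headers


def amplification(value_size=4096, references=4000, max_header_count=None):
    """Request 1 seeds one large entry; request 2 is `references` one-byte refs.
    Returns wire bytes, bytes materialised and their ratio for request 2."""
    dec = Decoder(max_header_count)
    dec.decode(literal_with_indexing(b"x-pad", b"A" * value_size))
    bomb = indexed(FIRST_DYNAMIC_INDEX) * references
    try:
        headers = dec.decode(bomb)
    except ValueError as exc:
        return {"wire_bytes": len(bomb), "allocated_bytes": 0, "ratio": 0.0, "rejected": str(exc)}
    alloc = sum(len(n) + len(v) for n, v in headers)
    return {"wire_bytes": len(bomb), "allocated_bytes": alloc, "ratio": alloc / len(bomb), "rejected": None}


if __name__ == "__main__":
    print(amplification())                      # naive decoder: ~4,100x in this model
    print(amplification(max_header_count=100))  # capped decoder rejects the block
```

With the assumed sizes the second request is 4,000 bytes on the wire and the naive decoder materialises about 16 MB of header data per request; the capped decoder rejects the block at the 101st field regardless of how small each reference is, which is the property a byte-size limit alone does not give you.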

Stage 2: Slowloris-Style Hold

The attacker then advertises a zero-byte flow-control window (for instance by setting SETTINGS_INITIAL_WINDOW_SIZE to 0), so the server cannot send its responses and cannot release the memory allocated for them. By keeping each connection just active enough to reset the server's send timeouts, the attacker holds the connections open long enough to exhaust available RAM.

The combination is devastating. According to SecurityWeek's testing, a single attacker on a 100 Mbps residential connection can consume 32GB of memory on a vulnerable Envoy deployment in approximately 10 seconds. Apache HTTPD showed similar results within 20 seconds.

Patch Status Varies by Vendor

Server               Status     Fix
nginx                Patched    Upgrade to v1.29.8+ (includes the max_headers directive)
Apache HTTPD         Patched    Update mod_http2 to v2.0.41
Microsoft IIS        Unpatched  No fix available
Envoy                Unpatched  No fix available
Cloudflare Pingora   Unpatched  No fix available

nginx addressed this in April 2026; Apache followed in late May. But Microsoft IIS, Envoy, and Cloudflare Pingora remain vulnerable with no patches announced at publication time.

This creates an uncomfortable situation for organizations running unpatched servers—they're exposed with no timeline for a fix. It echoes the Citrix NetScaler situation we covered recently, where organizations waited weeks for patches while exploitation ramped up.

Immediate Mitigations

For servers without available patches, security teams should consider:

  1. Disable HTTP/2 - Fall back to HTTP/1.1 if the performance tradeoff is acceptable
  2. Enforce hard limits on header counts - Cap the number of header fields per request, not just their total size
  3. Apply memory limits to worker processes - Keep a single attack from exhausting the whole host rather than one worker
  4. Monitor connection patterns - Alert on clients holding many connections open with zero flow-control windows

The researchers note that simply rate-limiting connections isn't sufficient because the attack requires relatively few connections to be effective.
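A detector for the pattern in mitigation 4, as an added example rather than code from the page or any vendor. It reads a constructed key=value dump of per-connection state (client address, advertised send window, response bytes the server has queued, seconds the connection has sat at zero window) and flags clients whose held zero-window connections are either numerous or pin a lot of queued data. Because the attack needs few connections, the detector keys on held zero-window connections and queued bytes rather than on raw connection counts. The field names, sample lines and thresholds are all assumptions; the parser is the part to replace with your server's own stats or admin interface.

```python
"""Added detection example for mitigation 4 (not code from the page or any
vendor). Parses a constructed key=value dump of HTTP/2 connection state and
flags clients holding zero-window connections open while responses are
queued. Field names, sample data and thresholds are assumptions."""

from collections import defaultdict

# Constructed sample, not real telemetry: 203.0.113.7 holds four zero-window
# connections with responses queued; the other two clients are benign.
SAMPLE_DUMP = """\
ts=1780560001 client=203.0.113.7 conn=a1 window=0 queued=1048576 held=12
ts=1780560001 client=203.0.113.7 conn=a2 window=0 queued=1048576 held=11
ts=1780560001 client=203.0.113.7 conn=a3 window=0 queued=2097152 held=14
ts=1780560001 client=203.0.113.7 conn=a4 window=0 queued=1048576 held=9
ts=1780560001 client=198.51.100.9 conn=b1 window=65535 queued=0 held=0
ts=1780560001 client=198.51.100.9 conn=b2 window=0 queued=4096 held=1
ts=1780560001 client=192.0.2.20 conn=c1 window=0 queued=512 held=30
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, converting the numeric fields."""
    rec = dict(field.split("=", 1) for field in line.split())
    for key in ("ts", "window", "queued", "held"):
        rec[key] = int(rec[key])
    return rec


def parse_dump(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_holders(records, min_conns=3, min_held=5, max_queued=64 * 1024 * 1024):
    """Return {client: summary} for clients whose zero-window connections have
    been held at least `min_held` seconds and either number at least
    `min_conns` or pin at least `max_queued` bytes of queued responses."""
    per_client = defaultdict(lambda: {"held_zero_window": 0, "queued_bytes": 0, "conns": []})
    for rec in records:
        if rec["window"] == 0 and rec["held"] >= min_held:
            summary = per_client[rec["client"]]
            summary["held_zero_window"] += 1
            summary["queued_bytes"] += rec["queued"]
            summary["conns"].append(rec["conn"])
    return {
        client: summary
        for client, summary in per_client.items()
        if summary["held_zero_window"] >= min_conns or summary["queued_bytes"] >= max_queued
    }


def alerts(text, **thresholds):
    """Compact view: {client: (held zero-window connections, queued bytes)}."""
    holders = find_holders(parse_dump(text), **thresholds)
    return {c: (s["held_zero_window"], s["queued_bytes"]) for c, s in holders.items()}


if __name__ == "__main__":
    for client, (count, queued) in alerts(SAMPLE_DUMP).items():
        print(f"ALERT client={client} zero_window_conns={count} queued_bytes={queued}")
```

On the sample, only 203.0.113.7 is flagged: 198.51.100.9 has one zero-window connection that has not been held long enough to count, and 192.0.2.20 is a single slow reader pinning 512 bytes, which is ordinary client behaviour. Tune min_conns and max_queued to your server's per-connection buffering; a lower byte threshold catches the attack with fewer connections, at the cost of more noise from genuinely slow clients.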

Why This Discovery Matters

The HTTP/2 Bomb demonstrates how protocol-level vulnerabilities can lurk in widely deployed infrastructure for years. HTTP/2's HPACK compression has been studied extensively, and Slowloris attacks have been known since 2009. But the combination of these techniques in this specific way wasn't caught until now.

With 4000x amplification rates demonstrated against Apache HTTPD, the attack economics strongly favor attackers. A single residential connection can take down servers that cost thousands to operate.

For organizations running internet-facing web infrastructure, this is a reminder to audit your HTTP/2 configurations. The performance benefits of HTTP/2 don't matter much if your server can be knocked offline by a teenager with a Python script and a basic internet connection.

Related Advisories

The disclosure references several related CVEs that document the individual components:

  • CVE-2016-6581 (HPACK Bomb, a compression-layer attack on the Python hpack library)
  • CVE-2016-8740 (Apache HTTPD mod_http2 memory exhaustion via CONTINUATION frames)
  • CVE-2016-1546 (Apache HTTPD mod_http2 slow-read denial of service)
  • CVE-2025-53020 (Apache HTTPD compression bomb, resolved in v2.4.64)

Security teams tracking web server vulnerabilities should monitor for vendor advisories on the unpatched platforms.
