HTTP/2 Bomb Exploit Targets Major Web Servers with Novel DoS Attack
A new 'HTTP/2 Bomb' exploit leverages HPACK compression and connection hold techniques to cause denial-of-service on nginx, Apache httpd, IIS, Envoy, and Cloudflare Pingora.

A sophisticated remote denial-of-service (DoS) exploit, dubbed "HTTP/2 Bomb," has been disclosed, targeting the default HTTP/2 configurations of widely used web servers including nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. This novel attack, discovered by researcher Quang Luong, combines two previously known techniques—an HPACK compression bomb and Slowloris-style connection holds—in a precise manner that allows a single attacker with a basic internet connection to exhaust tens of gigabytes of server memory within seconds.
The core of the exploit lies in the manipulation of HTTP/2's HPACK header compression scheme. HPACK allows clients to reference previously sent headers using short indices, significantly reducing bandwidth. The "HTTP/2 Bomb" exploits this by sending a single header and then following it with thousands of 1-byte indexed references within a single request. This forces the server to reconstruct a full copy of the header for each reference, leading to a substantial memory amplification. While the attacker sends minimal data, the server must allocate significant memory, with amplification ratios ranging from approximately 70:1 for nginx and IIS to as high as 4,000:1 for Apache httpd and Envoy.
Compounding the memory exhaustion, the exploit leverages HTTP/2's per-stream flow control. By advertising a zero-byte flow-control window, the attacker prevents the server from completing its response, and a continuous trickle of WINDOW_UPDATE frames carrying 1-byte increments resets the server's send timeout. This turns a transient memory amplification into a persistent hold on the allocated memory for the lifetime of the connection, so a single stream can pin vast amounts of server RAM and potentially cause a complete denial of service.
Initial analysis indicates that over 880,000 public-facing websites serve HTTP/2 from one of the affected servers, though many sit behind Content Delivery Networks (CDNs). Memory consumption varies by server: Envoy and Apache httpd show particularly high amplification ratios because of how they handle header fields and stream data. Where a server caps the number of header fields rather than the decoded size, the exploit bypasses the cap by splitting a Cookie header into multiple fields, which increases memory allocation further.
Apache httpd has been assigned CVE-2026-49975 for its specific vulnerability, with a fix released on May 27, 2026. Nginx has addressed the issue in version 1.29.8 by introducing a max_headers directive. While fixes are available for Apache and nginx, Microsoft IIS, Envoy, and Cloudflare Pingora reportedly had no patches available at the time of disclosure. Previous related vulnerabilities, such as CVE-2016-6581 (the original HPACK Bomb), highlight the long-standing nature of some underlying primitives.
Recommended mitigations include disabling HTTP/2 entirely, upgrading to patched versions of the affected software, or enforcing strict per-request header caps. For servers without a patch, disabling HTTP/2 or fronting them with a proxy that enforces header limits are viable workarounds. Administrators are also advised to cap per-worker memory through mechanisms such as cgroups or ulimit, so that the failure mode is an Out-Of-Memory (OOM) kill of a single worker process rather than system-wide instability.
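The amplification described above and the header-cap mitigation come together in how a decoder accounts for decoded size. As an added example (not code from the article or from any of the servers it names), here is a minimal Python model of that accounting: it decodes a subset of RFC 7541 (indexed fields and literals with incremental indexing; no Huffman coding or static table) and charges every emitted field, 1-byte indexed references included, against a decoded-size budget, so the block is rejected before the full copies are materialised. The sample header block, the budget values and the 32-byte per-field overhead (taken from RFC 7541 §4.1) are constructed or assumed here.

```python
ENTRY_OVERHEAD = 32     # RFC 7541 §4.1: a field costs len(name) + len(value) + 32
STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A; dynamic-table indices start at 62

class HeaderBlockTooLarge(Exception):
    """Raised the moment the decoded header list exceeds its byte budget."""

def _read_int(data, pos, prefix_bits):
    """HPACK integer (RFC 7541 §5.1): N-bit prefix plus 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = data[pos] & mask, pos + 1, 0
    while value >= mask and (shift == 0 or data[pos - 1] & 0x80):
        value, pos, shift = value + ((data[pos] & 0x7F) << shift), pos + 1, shift + 7
    return value, pos

def _read_string(data, pos):
    """Raw string literal (RFC 7541 §5.2); Huffman coding is out of scope here."""
    if data[pos] & 0x80: raise ValueError("Huffman strings not handled by this model")
    length, pos = _read_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def decode_header_block(data, max_list_bytes):
    """Decode the block, charging every emitted field (indexed ones too) to the budget."""
    dynamic, headers, total, pos = [], [], 0, 0
    while pos < len(data):
        if data[pos] & 0x80:                      # indexed field (§6.1): 1 wire byte
            idx, pos = _read_int(data, pos, 7)
            if idx <= STATIC_TABLE_SIZE: raise ValueError("static table omitted here")
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif (data[pos] & 0xC0) == 0x40:          # literal, incremental indexing (§6.2.1)
            idx, pos = _read_int(data, pos, 6)
            if idx: raise ValueError("indexed names omitted here")
            name, pos = _read_string(data, pos)
            value, pos = _read_string(data, pos)
            dynamic.insert(0, (name, value))      # newest entry takes index 62
        else: raise ValueError("representation not handled by this model")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > max_list_bytes:                # reject before building the next copy
            raise HeaderBlockTooLarge(f"{total} decoded bytes from {pos} wire bytes")
        headers.append((name, value))
    return headers, total

def fits_budget(data, max_list_bytes):
    """The check a server should make before materialising the header list."""
    try:
        return bool(decode_header_block(data, max_list_bytes))
    except HeaderBlockTooLarge:
        return False

# Constructed sample: a 4 KiB cookie literal, then 200 one-byte references (0xBE = index 62).
SAMPLE = b"\x40\x06cookie" + bytes([0x7F, 0x81, 0x1F]) + b"a" * 4096 + b"\xbe" * 200
```

With an unbounded budget the 4,307 wire bytes decode to 830,934 bytes across 201 fields; with a 16 KiB budget the same block is rejected on its fourth field.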
The researchers point to a potential specification defect in RFC 7541, which defines HPACK. They argue that the RFC's focus on decoded size amplification and the SETTINGS_HEADER_TABLE_SIZE parameter does not adequately account for the memory overhead associated with allocator metadata, particularly around nearly empty headers. This oversight, they suggest, led to multiple independent implementations exhibiting the same vulnerability.
Proof-of-concept scripts and detailed write-ups are available in the Codex GitHub repository. The researcher, Quang Luong, is scheduled to present these findings at the Real World AI Security conference in June 2026, further shedding light on the implications of this potent DoS attack vector.