New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
Publish Date: 2026-06-03 04:33:00
Source Domain: thehackernews.com
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
The vulnerability has been codenamed HTTP/2 Bomb by Calif.
“The vulnerable behavior exists in each server’s default HTTP/2 configuration,” the company said, adding it was discovered by OpenAI Codex by chaining together two known techniques: a compression bomb and a Slowloris-style hold.
“The bomb targets HPACK, HTTP/2’s header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request,” Calif added. “The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.”
HPACK is a dedicated header compression algorithm for HTTP/2 used for compressing request and response metadata using Huffman encoding that results in an average reduction of 30% in header size. It’s also designed to be resilient to attacks like CRIME (short for “Compression Ratio Info-leak Made Easy”) that can leak authentication cookies from compressed headers.
Slowloris, on the other hand, is a type of denial-of-service (DoS) attack that allows a threat actor to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target. It is an application-layer attack.
HTTP/2 Bomb is inspired by various known approaches like HPACK Bomb (aka CVE-2016-6581), which was first disclosed in 2016, as well as CVE-2025-53020, a memory exhaustion vulnerability in Apache httpd’s HTTP/2 implementation, and two DoS flaws in Apache HTTP Server triggered via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546) in an HTTP/2 connection.
“What’s new here is where the amplification comes from,” Calif said. “The classic bomb stuffs a large value into the table and references…
