{"id":262915,"date":"2026-06-03T04:33:00","date_gmt":"2026-06-03T08:33:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/03\/new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare\/"},"modified":"2026-06-03T08:55:24","modified_gmt":"2026-06-03T12:55:24","slug":"new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/03\/new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare\/","title":{"rendered":"New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html\">New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html\">https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html<\/a><\/p>\n<p>Publish Date: 2026-06-03 04:33:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Jun 03, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Server Security<\/span><\/p>\n<p>Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.<\/p>\n<p>The vulnerability has been codenamed HTTP\/2 Bomb by Calif.<\/p>\n<p>&#8220;The vulnerable behavior exists in each server&#8217;s default HTTP\/2 configuration,&#8221; the company said, adding it was discovered by OpenAI Codex by chaining together two known techniques: a compression bomb and a Slowloris-style hold.<\/p>\n<p>&#8220;The bomb targets HPACK, HTTP\/2&#8217;s header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request,&#8221; Calif added. &#8220;The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.&#8221;<\/p>\n<p>HPACK is the header compression scheme dedicated to HTTP\/2: it compresses request and response metadata using Huffman encoding and yields an average reduction of 30% in header size. It&#8217;s also designed to be resilient to attacks like CRIME (short for &#8220;Compression Ratio Info-leak Made Easy&#8221;), which can leak authentication cookies from compressed headers.<\/p>\n<p>Slowloris, on the other hand, is an application-layer denial-of-service (DoS) attack in which a threat actor overwhelms a targeted server by opening and holding many simultaneous HTTP connections to it.<\/p>\n<p>HTTP\/2 Bomb is inspired by several known approaches: HPACK Bomb (aka CVE-2016-6581), first disclosed in 2016; CVE-2025-53020, a memory exhaustion vulnerability in Apache httpd&#8217;s HTTP\/2 implementation; and two DoS flaws in Apache HTTP Server triggered via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546) in an HTTP\/2 connection.<\/p>\n<p>&#8220;What&#8217;s new here is where the amplification comes from,&#8221; Calif said. 
&#8220;The classic bomb stuffs a large value into the table and references&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html&#8230;<\/p>\n","protected":false},"author":1,"featured_media":262916,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhP07q0cgsa0a9VyTU6oPpxqvoZ5Gg2spx-ClmUIzn9LjYzDfuKNxnLXNuXMexiMB8GjKewhk7CnAL5HXgpCL_wq5eaU8VK2mTxxcKJHAZ9eLBskg516sBn4SV5XHWOuZIozDzBD_0MUCAMcVpGyqOEWITNKi2mQFxFLl9gqg_3UxPlwmXCkRfm2JERftyN\/s1600\/http2.gif","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,34,27],"class_list":["post-262915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262915"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=262915"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262915\/revisions"}],"predecessor-version":[{"id":262917,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/262915\/revisions\/262917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-y
ou-need.com\/index.php\/wp-json\/wp\/v2\/media\/262916"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=262915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=262915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=262915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}