HTTP/2 Bomb DoS Flaw Hits Apache, nginx, IIS, Envoy, and Pingora
Researchers publicly disclosed HTTP/2 Bomb, a remote denial-of-service technique that affects major web servers including Apache httpd, nginx, Microsoft IIS, Envoy, and Cloudflare Pingora under default HTTP/2 configurations. The attack combines HPACK header-compression amplification with an HTTP/2 flow-control stall, letting a low-bandwidth client trigger large memory allocations on the server and keep that memory pinned long enough to degrade or deny service. The disclosure says a single client on a 100 Mbps connection can make vulnerable servers inaccessible within seconds, with Apache httpd and Envoy observed consuming roughly 32 GB of memory in about 20 seconds.
Apache assigned the issue CVE-2026-49975, and the disclosure says nginx and Apache were privately notified before publication. Reported mitigations include upgrading nginx to 1.29.8 or later, using mod_http2 v2.0.41 for Apache, or disabling HTTP/2 where patches are not available. The researchers said limiting decoded header size alone is not enough; affected servers also need hard caps on header count and protections against long-lived stalled streams that retain memory. At the time of disclosure, fixes were reported for nginx and Apache, while IIS, Envoy, and Pingora reportedly had no patch available.
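To make the researchers' point concrete (decoded-size limits alone are insufficient; header-count caps and stalled-stream reaping are also needed), here is an added Python model of per-connection server-side accounting. It is illustrative code written for this page, not the disclosure's proof of concept or any affected server's implementation, and the limit values and timeout are assumptions.

```python
from dataclasses import dataclass
# Policy values are assumptions for this model, not any server's real defaults.
MAX_DECODED_HEADER_BYTES = 16 * 1024   # decoded (post-HPACK) header bytes per request
MAX_HEADER_COUNT = 100                 # hard cap on header fields per request
STALL_TIMEOUT_S = 5.0                  # how long a zero-window stream may hold buffered data
@dataclass
class Stream:
    sid: int
    decoded_bytes: int = 0
    header_count: int = 0
    send_window: int = 65535           # HTTP/2 default initial flow-control window
    buffered: int = 0                  # response bytes held back by flow control
    stalled_since: "float | None" = None

class ConnectionGuard:
    """Per-connection accounting: size cap, count cap and stalled-stream reaping."""
    def __init__(self, now):           # now() returns a monotonic clock in seconds
        self.now, self.streams, self.resets = now, {}, []

    def _reset(self, sid, reason):
        self.streams.pop(sid, None)    # dropping the stream releases its buffers
        self.resets.append((sid, reason))

    def on_header_field(self, sid, name, value):
        """Account each decoded field; HPACK can expand a few wire bytes into many."""
        s = self.streams.setdefault(sid, Stream(sid))
        s.header_count += 1
        s.decoded_bytes += len(name) + len(value) + 32   # RFC 7541 section 4.1 entry size
        if s.decoded_bytes > MAX_DECODED_HEADER_BYTES or s.header_count > MAX_HEADER_COUNT:
            self._reset(sid, "header_limit")
            return False
        return True

    def queue_response(self, sid, nbytes):
        """Send what the peer's window allows; the rest is buffered and starts the stall clock."""
        s = self.streams[sid]
        sendable = min(nbytes, s.send_window)
        s.send_window -= sendable
        s.buffered += nbytes - sendable
        if s.buffered and s.stalled_since is None:
            s.stalled_since = self.now()
        return sendable

    def reap_stalled(self):
        """Reset streams stuck at a zero window with buffered data past the timeout."""
        reaped = [sid for sid, s in self.streams.items()
                  if s.stalled_since is not None and self.now() - s.stalled_since > STALL_TIMEOUT_S]
        for sid in reaped:
            self._reset(sid, "stalled_stream")
        return reaped
```

A request of many tiny fields stays far under the byte cap but trips the count cap, and a stream whose peer advertises a zero window is dropped once it has held buffered data past the timeout.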
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Cloudflare and Microsoft issue responses on HTTP/2 Bomb impact
Cloudflare said Pingora does not require a patch because its architecture and DDoS protections already mitigate the HTTP/2 Bomb technique. Microsoft said it was investigating mitigations for IIS, while researchers advised unpatched IIS and Pingora users to disable HTTP/2 if possible or limit HTTP headers per request.
HTTP/2 Bomb exploit PoC and impact details published
A follow-up report publicly shared exploit proof-of-concept details for HTTP/2 Bomb, describing how HPACK amplification and a zero-byte flow-control window can pin large memory allocations. The report said a single client could hold about 32 GB of memory on Apache httpd and Envoy in roughly 20 seconds and estimated more than 880,000 internet-exposed systems may be vulnerable.
Apache assigned CVE-2026-49975 and published mitigations
The oss-sec disclosure says Apache assigned CVE-2026-49975 to the issue and identified mitigations including using mod_http2 v2.0.41 for Apache. It also noted nginx users should upgrade to 1.29.8 or later, or disable HTTP/2 where patches are unavailable.
HTTP/2 Bomb vulnerability publicly disclosed on oss-sec
A public disclosure described "HTTP/2 Bomb," a remote denial-of-service technique affecting default HTTP/2 configurations in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The writeup said the attack combines HPACK amplification with HTTP/2 flow-control stalling to trigger severe memory exhaustion.
Researchers privately notified nginx and Apache of HTTP/2 Bomb
The disclosure states that nginx and Apache were privately notified about the HTTP/2 Bomb denial-of-service issue before the public release. No specific notification date is provided in the references.
Envoy and H2O publish HTTP/2 Bomb fixes and mitigations
An oss-sec follow-up reported that Envoy assigned CVE-2026-47774 to a high-severity HTTP/2 denial-of-service issue tied to cookie header accounting and HPACK amplification, and said additional patches had been released by Envoy. The same discussion said H2O released mitigations for related HTTP/2 state amplification and stalled-stream retention issues, though no CVE was cited for H2O.
Sources
CVE-2026-49975: HTTP/2 Bomb DoS Attack
socprime.com
The HTTP/2 Bomb DoS attack takes web servers down in seconds - Хакер
xakep.ru
OpenAI's Codex chains decade-old DoS techniques into HTTP/2 Bomb
theregister.com
New HTTP/2 Bomb attack can take down web servers in seconds | brief | SC Media
scworld.com
oss-sec: Re: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora
seclists.org
Apache httpd Memory Exhaustion CVE-2025-53020 | Gal Bar Nahum's Blog
galbarnahum.com
opennet.me
HPACK Bombing Apache | icing's blog
eissing.org