HTTP/2 Bomb DoS Flaw Crashes Major Web Servers via Memory Exhaustion
Researchers publicly disclosed HTTP/2 Bomb, a remote denial-of-service technique that abuses standard HTTP/2 behavior to rapidly exhaust memory on major web servers and proxies, including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. The attack combines HPACK header-compression amplification with a Slowloris-style flow-control stall, letting a low-bandwidth client trigger disproportionate server-side allocations and keep that memory pinned by advertising a zero-byte window. Reports said a single machine on a 100 Mbps connection could make vulnerable services inaccessible within seconds, with testing showing Apache httpd and Envoy consuming roughly 32 GB of RAM in about 10 to 20 seconds under default HTTP/2 configurations.
Public disclosures and proof-of-concept code indicated the amplification largely comes from per-header bookkeeping rather than oversized decoded header values, allowing common decoded-size limits to be bypassed. Apache tracked its exposure as CVE-2026-49975 and released a fix in mod_http2 2.0.41, while nginx addressed the issue in 1.29.8; advisories initially said IIS, Envoy, and Pingora lacked patches, though later disclosures showed Envoy assigned CVE-2026-47774 and published an advisory. Researchers estimated more than 880,000 internet-exposed HTTP/2 systems could be affected and recommended upgrading where fixes exist, or otherwise disabling HTTP/2, enforcing strict header-count limits, and monitoring for abnormal memory growth.
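The distinction the disclosures draw between decoded header size and per-header bookkeeping is easy to see with a small HPACK decoder. The Python below is an added example, not code from this page, from the Calif research, or from any of the servers named: it decodes the indexed and literal-without-indexing representations of RFC 7541 over a handful of static-table entries, then accounts for the resulting header list two ways, once as the 32-byte-per-field "decoded size" that SETTINGS_MAX_HEADER_LIST_SIZE style limits measure, and once as an assumed per-header allocation cost. PER_HEADER_OVERHEAD, the default thresholds in check_header_block, and the two sample blocks are constructed assumptions for illustration.

```python
"""Minimal HPACK (RFC 7541 subset) decoder with two accounting views.

Added example: shows why a limit on decoded header bytes alone does not
bound memory when every compressed field is a single indexed byte, and
why a header-count limit is the check that catches it.
"""

# Excerpt of the RFC 7541 static table: index -> (name, value).
STATIC_TABLE = {
    1: (":authority", ""),
    2: (":method", "GET"),
    3: (":method", "POST"),
    4: (":path", "/"),
    5: (":path", "/index.html"),
    6: (":scheme", "http"),
    7: (":scheme", "https"),
    8: (":status", "200"),
    58: ("user-agent", ""),
}

# Constructed assumption: bytes a server spends per decoded header on
# structs, list nodes and string copies, independent of the header's text.
PER_HEADER_OVERHEAD = 512


def _decode_int(data, pos, prefix_bits):
    """RFC 7541 section 5.1 integer decoding; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _decode_string(data, pos):
    """String literal with a 7-bit length prefix (Huffman coding not handled here)."""
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this example's scope")
    length, pos = _decode_int(data, pos, 7)
    return data[pos:pos + length].decode("ascii"), pos + length


def decode_header_block(block):
    """Decode indexed fields (1xxxxxxx) and literal-without-indexing fields (0000xxxx)."""
    headers, pos = [], 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                      # indexed header field
            index, pos = _decode_int(block, pos, 7)
            headers.append(STATIC_TABLE[index])
        elif (first & 0xF0) == 0x00:          # literal without indexing
            index, pos = _decode_int(block, pos, 4)
            if index == 0:
                name, pos = _decode_string(block, pos)
            else:
                name = STATIC_TABLE[index][0]
            value, pos = _decode_string(block, pos)
            headers.append((name, value))
        else:
            raise ValueError(f"unsupported representation 0x{first:02x} at offset {pos}")
    return headers


def decoded_size(headers):
    """Header list size as RFC 7540 section 6.5.2 counts it: name + value + 32 per field."""
    return sum(len(n) + len(v) + 32 for n, v in headers)


def check_header_block(block, max_decoded_bytes=16384, max_header_count=100):
    """Decode a block and report which of two example limits it exceeds."""
    headers = decode_header_block(block)
    report = {
        "wire_bytes": len(block),
        "header_count": len(headers),
        "decoded_bytes": decoded_size(headers),
        "estimated_bookkeeping": len(headers) * PER_HEADER_OVERHEAD,
        "violations": [],
    }
    if report["decoded_bytes"] > max_decoded_bytes:
        report["violations"].append("decoded_size")
    if report["header_count"] > max_header_count:
        report["violations"].append("header_count")
    return report


# Constructed sample: an ordinary GET with five headers (41 bytes on the wire).
NORMAL_BLOCK = (
    b"\x82\x87\x84"                                   # :method GET, :scheme https, :path /
    + b"\x01\x0fwww.example.com"                      # :authority, literal value
    + b"\x00\x0auser-agent\x08curl/8.0"               # literal name and value
)

# Constructed sample: 400 copies of the one-byte indexed field ":path /".
REPEATED_BLOCK = b"\x84" * 400

if __name__ == "__main__":
    for label, blk in (("normal", NORMAL_BLOCK), ("repeated", REPEATED_BLOCK)):
        print(label, check_header_block(blk))
```

With these example thresholds the 400-byte repeated block decodes to 15,200 accounted bytes, under a 16 KB decoded-size limit, while the assumed bookkeeping comes to about 200 KB, a 500x amplification on the wire; only the header-count limit rejects it, which is the "strict header-count limits" mitigation the disclosures recommend.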

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Further reporting highlighted HTTP/2 Bomb as a standards-level issue
Subsequent coverage emphasized that HTTP/2 Bomb stems from standard HTTP/2 and HPACK behavior rather than a single implementation flaw, and reiterated that nginx and Apache had fixes while patches for IIS, Envoy, and Pingora were still unavailable. The reporting also highlighted the role of AI-assisted analysis in combining previously known techniques.
Cloudflare disputed Pingora needed a patch; Microsoft said it was investigating
Reporting on the disclosure said Cloudflare disputed that Pingora required a patch, arguing its architecture and DDoS protections already mitigated the attack. The same report said Microsoft was investigating mitigations for IIS.
nginx was notified and fixed HTTP/2 Bomb in version 1.29.8
One source states nginx was notified in April about the HTTP/2 Bomb issue and added a fix in nginx version 1.29.8. Multiple references identify 1.29.8 as the patched version for nginx.
Public reporting detailed HTTP/2 Bomb exploit and exposure scope
News and security outlets reported technical details of HTTP/2 Bomb, including that a single client could pin roughly 32 GB of memory on Apache httpd and Envoy in about 20 seconds and that more than 880,000 internet-exposed systems might be vulnerable. These reports also noted that IIS, Envoy, and Pingora lacked patches at that time.
Envoy published advisory for related memory exhaustion flaw
Envoy published a security advisory describing an HTTP/2 downstream request processing vulnerability that can cause excessive memory consumption and OOM termination. The advisory said the attack could be further amplified by HTTP/2 flow-control stalling, linking it to the broader HTTP/2 Bomb technique.
Calif published companion GitHub repository with verified PoCs
A companion GitHub repository for the HTTP/2 Bomb research was published with self-contained proof-of-concept directories for Envoy, Apache httpd, nginx, Microsoft IIS, and Cloudflare Pingora. The repository said the exploits were verified and functional and documented amplification ratios across targets.
Calif publicly disclosed the HTTP/2 Bomb technique
Researchers publicly disclosed HTTP/2 Bomb, a denial-of-service technique that combines HPACK compression abuse with HTTP/2 flow-control stalling to exhaust memory on major web servers under default configurations. The disclosure named nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora as affected implementations.
Apache was notified and released same-day fix for CVE-2026-49975
A source says Apache was notified on May 27 and released a fix the same day for the HTTP/2 Bomb issue, tracked as CVE-2026-49975 in mod_http2 v2.0.41. Other references corroborate that Apache assigned the CVE and made the fix available.
Sources
14 references tracked.
Apache HTTP Server mod_http2 (HTTP/2 Bomb) vulnerability CVE-2026-49975 (my.f5.com, open source)
CVE-2026-49975: HTTP/2 Bomb DoS Attack (socprime.com, open source)
HTTP/2 Bomb DoS attack takes web servers down in seconds - Хакер (xakep.ru, open source)
OpenAI's Codex chains decade-old DoS techniques into HTTP/2 Bomb (theregister.com, open source)
publications/MADBugs/http2-bomb at main · califio/publications · GitHub (github.com, open source)
oss-sec: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora (seclists.org, open source)
Codex Discovered a Hidden HTTP/2 Bomb - Calif (blog.calif.io, open source)
oss-sec: Re: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora (seclists.org, open source)