Introduction to HTTP/2 Bomb Exploit
California-based cybersecurity firm Calif has discovered a new exploit that can knock major web servers offline in seconds. Dubbed HTTP/2 Bomb, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.
According to Calif, the attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations. An attack can be launched from a home computer on a 100 Mbps connection and can render any of these servers unavailable within seconds.
Technical Details of the Exploit
The techniques chained by the exploit are not new. In fact, three of the underlying issues were disclosed a decade ago, while another was resolved last year. The first part of the exploit uses HPACK Bomb (tracked as CVE-2016-6581), a compression-layer attack relying on small messages that turn into gigabytes of data once they reach the destination server.
Last year, the attack was demonstrated against Apache HTTPD with a 4000x amplification rate, and was resolved in Apache HTTP Server version 2.4.64 as CVE-2025-53020. The second part of the new exploit targets CVE-2016-8740 and CVE-2016-1546 (Slow Read), two Apache HTTPD flaws leading to DoS conditions via Continuation frames in an HTTP/2 request and via modified flow-control windows.
Abuse of HTTP/2 Slowloris-type Issues
These HTTP/2 Slowloris-type issues are abused for memory exhaustion by advertising a zero-byte flow-control window so that the server does not send a response, and then resetting the send timeout to prevent the server from freeing the memory it has allocated. Calif notes that what is new here is where the amplification comes from: the classic bomb stuffs a large value into the dynamic table and references it repeatedly, so servers learned to cap the total decoded header size.
Calif’s variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there’s almost nothing to decode. Calif also identified a bypass for servers that cap the header-field count and released proof-of-concept (PoC) code to demonstrate the attack.
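To make the accounting difference described above concrete, here is an added illustrative model written for this article; it is not Calif's PoC and not the code of any named server. The cap values, the per-entry overhead and the allocation budget are assumed placeholders, and the budget check is an illustration of the accounting gap, not a description of any vendor's actual fix.

```python
# Illustrative accounting model (constructed for this article; not Calif's PoC
# and not any named server's code). All limits below are assumed placeholders.
from dataclasses import dataclass

DECODED_HEADER_CAP = 8192      # assumed cap on decoded header bytes (the classic defence)
PER_ENTRY_OVERHEAD = 128       # assumed bookkeeping bytes allocated per header entry
ALLOC_BUDGET = 256 * 1024      # assumed per-connection allocation budget
MAX_TIMEOUT_RESETS = 3         # assumed tolerance before a zero-window hold is flagged


@dataclass
class Conn:
    decoded_bytes: int = 0     # what a decoded-size cap measures
    entries: int = 0           # what the per-entry bookkeeping grows with
    window: int = 65535        # peer-advertised flow-control window
    timeout_resets: int = 0    # how often the peer pushed the send timeout back

    def allocated(self) -> int:
        """Approximate memory actually held: decoded text plus per-entry overhead."""
        return self.decoded_bytes + self.entries * PER_ENTRY_OVERHEAD


def add_headers(conn: Conn, fields) -> bool:
    """Admit header fields one at a time; stop at the first that breaks a limit.

    Checking only DECODED_HEADER_CAP is the classic defence and never fires on
    near-empty fields; the allocation budget is the assumed extra accounting.
    """
    for name, value in fields:
        nbytes = conn.decoded_bytes + len(name) + len(value)
        nentries = conn.entries + 1
        if nbytes > DECODED_HEADER_CAP:
            return False                      # classic decoded-size cap fires
        if nbytes + nentries * PER_ENTRY_OVERHEAD > ALLOC_BUDGET:
            return False                      # per-entry growth fires instead
        conn.decoded_bytes, conn.entries = nbytes, nentries
    return True


def hold_suspected(conn: Conn) -> bool:
    """Flag a connection keeping a zero window while repeatedly resetting the timeout."""
    return conn.window == 0 and conn.timeout_resets >= MAX_TIMEOUT_RESETS


def demo():
    """Compare the classic large-value bomb with the near-empty-entry variant."""
    classic, tiny = Conn(), Conn()
    add_headers(classic, [("h", "v" * 1000)] * 10)   # few big values: decoded cap fires
    add_headers(tiny, [("x", "")] * 3000)            # many near-empty fields: it never does
    tiny.window, tiny.timeout_resets = 0, 5           # then the Slowloris-style hold
    return classic, tiny
```

Running `demo()` shows the near-empty connection staying far below the decoded-size cap while its allocated bytes approach the budget, which is the gap the article describes.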
Patch Status and Recommendations
NGINX resolved the bug in April, while Apache rolled out fixes in late May (and issued CVE-2026-49975). Microsoft IIS, Envoy, and Cloudflare Pingora had not been patched at the time of writing. Calif also notes how the exploit was found: both halves have been public for a decade, and what Codex did was read the codebases, recognize that the two compose, and build the combined attack.
Organizations are advised to patch their systems as soon as possible and to monitor their web servers for any signs of the exploit. The discovery of the HTTP/2 Bomb exploit highlights the importance of keeping software up to date and the need for continuous monitoring and vulnerability assessment.
- NGINX: resolved the bug in April
- Apache: rolled out fixes in late May (CVE-2026-49975)
- Microsoft IIS: not patched at the time of writing
- Envoy: not patched at the time of writing
- Cloudflare Pingora: not patched at the time of writing
Source: SecurityWeek