
HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy,

David Kimber
June 3, 2026

A newly disclosed remote denial-of-service exploit, dubbed “HTTP/2 Bomb,” targets the default HTTP/2 configurations of the world’s most widely deployed web servers. This vulnerability impacts nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single attacker, even with a standard home internet connection, can rapidly exhaust tens of gigabytes of

The exploit was discovered by researcher Quang Luong, who used Codex to chain two techniques that have each been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold.

What makes this variant novel is not the primitives themselves, but the precise way they are combined and, critically, where the amplification originates.

HTTP/2 Bomb Remote DoS Exploit

HPACK (RFC 7541) is HTTP/2’s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers; a sender can insert a header once and subsequently reference it with a single-byte index.

The receiver must materialize a full copy of that header on every reference. According to Jun Rong and Duc Phan, the exploit seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request, costing the attacker one wire byte while forcing the server to allocate anywhere from ~70 bytes (nginx, IIS, Pingora) to ~4,000 bytes (Apache httpd, Envoy) per reference.

The second component exploits HTTP/2 per-stream flow control (RFC 9113). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response.

A trickle of 1-byte WINDOW_UPDATE frames continuously resets the send timeout, pinning every memory allocation in place for as long as the attacker wishes, turning a transient amplification into a persistent memory hold.
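As an added illustration of what the hold looks like on the wire (this is example code, not the researcher's PoC and not any server's code), the helpers below build the zero-window SETTINGS frame and the 1-byte WINDOW_UPDATE frames from RFC 9113, parse them back, and run a small server-side monitor that flags a stream whose peer advertised a starved window and then keeps granting only tiny increments. The thresholds (increments of at most 8 bytes, 16 consecutive such updates) and the assumption that the server always has response bytes pending are choices made for this example.

```python
import struct

# RFC 9113 frame types and the settings identifier the hold relies on
FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
FRAME_HEADER_LEN = 9
DEFAULT_WINDOW = 65535


def frame(ftype, flags, stream_id, payload):
    """9-octet frame header: 24-bit length, 8-bit type, 8-bit flags,
    reserved bit plus 31-bit stream identifier, followed by the payload."""
    return (struct.pack(">I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def zero_window_settings():
    """SETTINGS on stream 0 announcing an initial per-stream window of 0 bytes,
    so the server may not send a single DATA byte until the client allows it."""
    return frame(FRAME_SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))


def window_update(stream_id, increment=1):
    """WINDOW_UPDATE carrying a 31-bit increment; 1 is the smallest legal value."""
    if not 1 <= increment <= 0x7FFFFFFF:
        raise ValueError("window increment must be 1..2^31-1")
    return frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment))


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(data):
        if pos + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        pos += FRAME_HEADER_LEN + length
    return frames


class StreamHoldMonitor:
    """Server-side heuristic for the trickle: a stream whose send window is
    already starved and whose peer keeps granting only tiny increments.
    Example assumption: the server always has response bytes pending, so each
    granted increment is consumed immediately and the window returns to 0."""

    def __init__(self, tiny=8, max_tiny_updates=16):
        self.tiny = tiny                      # increments at or below this count as a trickle
        self.max_tiny_updates = max_tiny_updates
        self.initial_window = DEFAULT_WINDOW  # overwritten by the peer's SETTINGS
        self.window = {}                      # stream_id -> send window before the update
        self.tiny_updates = {}                # stream_id -> consecutive tiny updates seen

    def feed(self, data):
        """Consume raw frames from the peer; return the stream ids judged held."""
        flagged = set()
        for ftype, _flags, sid, payload in parse_frames(data):
            if ftype == FRAME_SETTINGS and sid == 0:
                for off in range(0, len(payload), 6):
                    ident, value = struct.unpack(">HI", payload[off:off + 6])
                    if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                        self.initial_window = value
            elif ftype == FRAME_WINDOW_UPDATE and sid != 0:
                increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
                before = self.window.get(sid, self.initial_window)
                if before <= self.tiny and increment <= self.tiny:
                    self.tiny_updates[sid] = self.tiny_updates.get(sid, 0) + 1
                    if self.tiny_updates[sid] >= self.max_tiny_updates:
                        flagged.add(sid)
                else:
                    self.tiny_updates[sid] = 0
                self.window[sid] = 0          # pending response drains whatever was granted
        return flagged
```

A client that sends `zero_window_settings()` followed by a stream of `window_update(1, 1)` frames is flagged after 16 of them; a client granting 32 KB per update on a default window never is. In a real server the same signal is usually visible as a stream with data queued, a send window of zero, and a WINDOW_UPDATE arrival rate that tracks the idle timeout.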

Attack on Multiple OS

Server                                  Amplification   Demo Result
Envoy 1.37.2                            ~5,700:1        ~32 GB in ~10 s
Apache httpd 2.4.67                     ~4,000:1        ~32 GB in ~18 s
nginx 1.29.7                            ~70:1           ~32 GB in ~45 s
Microsoft IIS (Windows Server 2025)     ~68:1           ~64 GB in ~45 s

A Shodan analysis identified 880,000+ public-facing websites supporting HTTP/2 and running one of these servers, though many are fronted by CDNs that reduce direct exposure, Quang Luong said.

For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 explicitly permits splitting a Cookie header into one field per crumb. Neither Apache nor Envoy was counting those crumbs against field limits.

Envoy appends each crumb into a buffer; a 4 KB cookie value referenced 32,768 times produces a logical ~3,600:1 ratio, with measured RSS ratios reaching ~5,700:1 on a single stream once allocator overhead accumulates. Apache httpd rebuilds the entire merged cookie string on every crumb, leaving older copies live until stream cleanup, yielding ~4,000:1 even for an empty cookie.
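To make the HPACK amplification and the Cookie-crumb bypass concrete, here is an added example (not the researcher's PoC and not code from any of the affected servers): a minimal HPACK decoder that models the dynamic table, builds the one-literal-plus-N-references block described above using an empty Cookie crumb, and enforces the two checks a server needs, a per-request field count that includes every Cookie crumb and a decoded-size ceiling. The 32-byte per-entry figure is RFC 7541's own accounting; the ~70 to ~4,000 bytes per reference measured on the affected servers is allocator overhead that this accounting never sees, which is why a decoded-size limit alone does not stop the attack. The limits, the 5,000-reference count and the header names are illustrative; static-table lookups and Huffman-coded strings are deliberately out of scope.

```python
# Minimal HPACK (RFC 7541) subset: integer/string primitives, dynamic table,
# and a decoder that enforces a field-count cap and a decoded-size cap.
STATIC_TABLE_ENTRIES = 61   # RFC 7541 Appendix A; dynamic indices start at 62
ENTRY_OVERHEAD = 32         # RFC 7541 section 4.1 per-entry accounting overhead


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix; flags fill the top bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_str(raw):
    return encode_int(len(raw), 7) + raw          # H bit clear: raw octets


def literal_incremental(name, value):
    """Literal header field with incremental indexing, new name (0x40 prefix)."""
    return bytes([0x40]) + encode_str(name) + encode_str(value)


def indexed(index):
    """Indexed header field (0x80 prefix): a single byte for any index below 127."""
    return encode_int(index, 7, 0x80)


class HeaderBlockDecoder:
    """Decodes one header block, counting every emitted field (Cookie crumbs
    included) and every decoded byte, and refusing to continue past the caps."""

    def __init__(self, max_fields=1000, max_header_list_size=16384, table_size=4096):
        self.max_fields = max_fields
        self.max_header_list_size = max_header_list_size
        self.table_size = table_size
        self.table = []            # index 62 is self.table[0]
        self.table_bytes = 0

    def _insert(self, name, value):
        self.table.insert(0, (name, value))
        self.table_bytes += len(name) + len(value) + ENTRY_OVERHEAD
        while self.table_bytes > self.table_size:   # evict oldest entries
            n, v = self.table.pop()
            self.table_bytes -= len(n) + len(v) + ENTRY_OVERHEAD

    @staticmethod
    def _read_str(block, pos):
        if block[pos] & 0x80:
            raise NotImplementedError("Huffman-coded strings not modelled here")
        length, pos = decode_int(block, pos, 7)
        return bytes(block[pos:pos + length]), pos + length

    def decode(self, block):
        fields, decoded, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                                   # indexed header field
                idx, pos = decode_int(block, pos, 7)
                if idx <= STATIC_TABLE_ENTRIES:
                    raise NotImplementedError("static table not modelled here")
                if idx - STATIC_TABLE_ENTRIES > len(self.table):
                    raise ValueError("dynamic table index out of range")
                name, value = self.table[idx - STATIC_TABLE_ENTRIES - 1]
            elif b & 0x40:                                 # literal, incremental indexing
                idx, pos = decode_int(block, pos, 6)
                if idx != 0:
                    raise NotImplementedError("indexed names not modelled here")
                name, pos = self._read_str(block, pos)
                value, pos = self._read_str(block, pos)
                self._insert(name, value)
            else:
                raise ValueError("unsupported representation 0x%02x" % b)
            # Every emitted field counts, whether it cost 1 wire byte or 400.
            fields.append((name, value))
            decoded += len(name) + len(value) + ENTRY_OVERHEAD
            if len(fields) > self.max_fields:
                raise ValueError("header field count exceeds %d" % self.max_fields)
            if decoded > self.max_header_list_size:
                raise ValueError("decoded header list exceeds %d bytes" % self.max_header_list_size)
        return fields


def cookie_bomb(references=5000):
    """Seed the table with an empty Cookie crumb, then reference it N times.
    RFC 9113 section 8.2.3 lets each crumb travel as its own header field."""
    return literal_incremental(b"cookie", b"") + indexed(STATIC_TABLE_ENTRIES + 1) * references


def amplification(block, decoder):
    """Return (wire bytes, RFC-accounted decoded bytes, field count) for a block."""
    fields = decoder.decode(block)
    return len(block), sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in fields), len(fields)
```

With the bomb, 5,009 wire bytes decode to 5,001 fields and roughly 190 KB by the specification's own accounting, about 38:1; the servers in the table above paid far more per reference because their real per-field structures are larger than 32 bytes. A decoder with the nginx-style 1,000-field cap rejects the block after the 1,001st field, while a decoder that only checks decoded size against a generous ceiling lets it through.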

The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers directive with a default ceiling of 1,000 headers.

Prior related CVEs include CVE-2016-6581 (original HPACK Bomb, coined by Cory Benfield), CVE-2025-53020 (Apache httpd ~4,000:1 amplification, Gal Bar Nahum), CVE-2016-8740, and CVE-2016-1546.

Mitigations

  • nginx: Upgrade to 1.29.8+; if not possible, set http2 off;
  • Apache httpd: Apply mod_http2 v2.0.41 from the standalone releases; otherwise set Protocols http/1.1 to disable HTTP/2
  • Microsoft IIS / Envoy / Cloudflare Pingora: No patch available at time of writing; disable HTTP/2 or front with a proxy enforcing a hard per-request header count cap
  • All servers: Cap per-worker memory via cgroups, ulimit -v, or container limits; an OOM-killed worker that respawns is a far better failure mode than a machine pushed into swap

The research team concludes the vulnerability class reflects a specification defect in RFC 7541. Section 7.3 frames memory risk solely as an amplification ratio and treats SETTINGS_HEADER_TABLE_SIZE as a sufficient bound.

It does not account for per-entry bookkeeping overhead; the amplification in this exploit comes entirely from allocator metadata around nearly empty headers, bypassing every decoded-size limit. Five independent implementations read the same section and shipped the same bug.

PoC scripts, Docker labs, and per-server writeups are available at the Codex GitHub repository. The researcher Quang Luong will present the techniques at the Real World AI Security conference at Stanford in June 2026.

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026