New HTTP/2 Vulnerability Enables Global Denial-of-Service Attacks
AI-generated from multiple sources. Verify before acting on this reporting.
SAN FRANCISCO (AP) — A critical vulnerability in the HTTP/2 protocol has been discovered that allows attackers to execute remote denial-of-service attacks against major web servers worldwide. The flaw, dubbed the "HTTP/2 Bomb," exploits the HPACK header compression scheme and connection handling mechanisms, potentially causing memory exhaustion on affected systems.
The vulnerability impacts a wide range of infrastructure, including NGINX, Apache, IIS, Envoy, and Cloudflare. Researchers identified the issue on June 3, 2026, noting that the attack vector requires minimal resources to trigger significant disruption. By sending specially crafted requests, malicious actors can force servers to allocate excessive memory, leading to service outages.
The HTTP/2 protocol, designed to improve web performance through header compression, contains a mechanism where compressed headers are expanded on the server side. The newly discovered flaw allows attackers to send small, compressed payloads that expand into massive amounts of data upon decompression. This process consumes server memory rapidly, overwhelming the system and rendering it unable to handle legitimate traffic.
Security experts warn that the vulnerability is particularly dangerous because it can be exploited remotely without authentication. Unlike previous HTTP/2 issues that required specific configurations or user interaction, this flaw affects the core protocol implementation used by most modern web servers. The widespread adoption of HTTP/2 across the internet means the potential impact is global.
Major technology companies and server administrators are urged to apply patches immediately. Vendors have released updates to address the vulnerability, though the timeline for full deployment across the internet remains uncertain. Some organizations may face challenges in updating legacy systems or those with complex configurations.
The discovery highlights ongoing challenges in securing internet infrastructure. As web technologies evolve, new attack vectors emerge that exploit fundamental design choices. The HTTP/2 Bomb underscores the need for continuous monitoring and rapid response to emerging threats.
Researchers are still investigating the full scope of the vulnerability and whether additional variants exist. Questions remain about the potential for automated exploitation tools and the likelihood of widespread attacks in the coming days. Security teams are advised to monitor their systems closely and implement additional protections until all servers are updated.
The incident serves as a reminder of the fragility of digital infrastructure and the constant arms race between attackers and defenders. As organizations work to mitigate the threat, the focus remains on minimizing disruption and preventing further exploitation of the flaw.