
New HTTP/2 Bomb Attack Exposes Critical Vulnerability in Major Web Servers

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

SAN FRANCISCO — A newly discovered denial-of-service attack dubbed the HTTP/2 Bomb can crash major web servers within seconds by exploiting a flaw in the HTTP/2 protocol's header compression mechanism. Researchers at offensive security firm Calif and OpenAI's Codex software agent identified the vulnerability, which targets widely used server software including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

The attack combines HPACK compression amplification with Slowloris-style resource retention to exhaust server memory rapidly. HPACK is the compression algorithm used by HTTP/2 to reduce the size of HTTP headers. By sending specially crafted requests, attackers can force servers to allocate excessive memory for decompressing headers while using the protocol's flow-control mechanisms to keep that memory from being freed.
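The amplification half of the mechanism comes down to a few bytes of indexed references expanding into a far larger decoded header list, which is why the quantity a server has to budget is the decoded size, not the bytes on the wire. The example below is added for this note and is not code from the article or from any of the servers it names: it implements a small subset of RFC 7541 HPACK decoding that enforces a budget on the decoded header list (the quantity RFC 9113's SETTINGS_MAX_HEADER_LIST_SIZE is expressed in, name length + value length + 32 per entry) and stops before storing more. Assumptions: only the Indexed and Literal-with-Incremental-Indexing representations are handled, Huffman-coded strings and dynamic-table size updates are rejected, only the first eight static-table entries are populated, and the two sample blocks are constructed rather than captured traffic.

```python
from collections import deque

STATIC_TABLE_LEN = 61      # RFC 7541 Appendix A lists 61 static entries
STATIC_TABLE = {           # subset only; indexes 9..61 are unpopulated in this model
    1: (b":authority", b""), 2: (b":method", b"GET"), 3: (b":method", b"POST"),
    4: (b":path", b"/"), 5: (b":path", b"/index.html"), 6: (b":scheme", b"http"),
    7: (b":scheme", b"https"), 8: (b":status", b"200"),
}
ENTRY_OVERHEAD = 32        # RFC 7541 s4.1 / RFC 9113 s6.5.2: name + value + 32


class HeaderListTooLarge(Exception):
    """Raised before the decoder stores more than the configured budget."""


def decode_int(buf, pos, prefix_bits):
    """RFC 7541 s5.1 integer decoding; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(buf, pos, budget):
    """Literal string (s5.2). The declared length is checked against the
    remaining budget before any bytes are copied."""
    huffman = buf[pos] & 0x80
    length, pos = decode_int(buf, pos, 7)
    if huffman:
        raise ValueError("Huffman-coded strings are not handled in this model")
    if length > budget:
        raise HeaderListTooLarge("literal of %d bytes exceeds remaining budget" % length)
    return bytes(buf[pos:pos + length]), pos + length


class BoundedDecoder:
    """Decodes one header block under a limit on the *uncompressed* header list."""

    def __init__(self, max_header_list_size, dynamic_table_size=4096):
        self.max_header_list_size = max_header_list_size
        self.dynamic_table_size = dynamic_table_size
        self.dynamic = deque()   # newest entry at position 0 == HPACK index 62
        self.dynamic_used = 0

    def lookup(self, index):
        if index == 0:
            raise ValueError("index 0 is invalid")
        if index <= STATIC_TABLE_LEN:
            if index not in STATIC_TABLE:
                raise ValueError("static index %d not populated in this model" % index)
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_LEN - 1
        if dyn >= len(self.dynamic):
            raise ValueError("dynamic index %d out of range" % index)
        return self.dynamic[dyn]

    def add_dynamic(self, name, value):
        size = len(name) + len(value) + ENTRY_OVERHEAD
        while self.dynamic and self.dynamic_used + size > self.dynamic_table_size:
            n, v = self.dynamic.pop()          # evict the oldest entry (s4.4)
            self.dynamic_used -= len(n) + len(v) + ENTRY_OVERHEAD
        if size <= self.dynamic_table_size:
            self.dynamic.appendleft((name, value))
            self.dynamic_used += size

    def decode(self, block):
        """Returns (headers, decoded_size) or raises HeaderListTooLarge."""
        headers, pos, decoded_size = [], 0, 0
        while pos < len(block):
            first = block[pos]
            budget = self.max_header_list_size - decoded_size
            if first & 0x80:                       # Indexed Header Field (s6.1)
                index, pos = decode_int(block, pos, 7)
                name, value = self.lookup(index)
                literal = False
            elif first & 0xC0 == 0x40:             # Literal, incremental indexing (s6.2.1)
                index, pos = decode_int(block, pos, 6)
                if index:
                    name = self.lookup(index)[0]
                else:
                    name, pos = decode_string(block, pos, budget)
                value, pos = decode_string(block, pos, budget - len(name))
                literal = True
            else:
                raise ValueError("representation not handled in this model")
            decoded_size += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded_size > self.max_header_list_size:
                raise HeaderListTooLarge("header list exceeds %d bytes" % self.max_header_list_size)
            if literal:
                self.add_dynamic(name, value)
            headers.append((name, value))
        return headers, decoded_size


# Helpers used only to build the constructed sample blocks below.
def encode_int(value, prefix_bits, flags):
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = bytearray([flags | mask])
    value -= mask
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def indexed(index):
    return encode_int(index, 7, 0x80)


def literal_with_indexing(name, value):
    return (encode_int(0, 6, 0x40) + encode_int(len(name), 7, 0) + name
            + encode_int(len(value), 7, 0) + value)


# Constructed sample blocks (not captured traffic).
ORDINARY_BLOCK = indexed(2) + indexed(4) + indexed(7)   # :method GET, :path /, :scheme https
# One 200-byte literal stored in the dynamic table, then referenced 50 times:
# 259 bytes on the wire decode to 51 entries of 237 bytes each (12087 bytes).
AMPLIFYING_BLOCK = literal_with_indexing(b"x-pad", b"a" * 200) + indexed(62) * 50


def decoded_size(block, limit=1 << 16):
    return BoundedDecoder(limit).decode(block)[1]


def exceeds_budget(block, limit):
    try:
        BoundedDecoder(limit).decode(block)
        return False
    except HeaderListTooLarge:
        return True
```

The defensive point is where the checks sit: the budget is applied to the decoded size as each entry is produced, and a literal's declared length is compared against the remaining budget before its bytes are copied, so the decoder never allocates more than the limit regardless of how small the block is on the wire. The retention half of the attack the article describes (holding streams open through flow control so the allocated memory is never released) is outside what this decoder models; that side is handled by per-connection stream and timeout limits rather than by the HPACK layer.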

The vulnerability affects HTTP/2 implementations globally, posing a significant risk to websites and online services that rely on the protocol for faster content delivery. Unlike traditional denial-of-service attacks that overwhelm servers with traffic volume, the HTTP/2 Bomb requires minimal bandwidth to cause disruption, making it particularly difficult to mitigate with standard rate-limiting defenses.

Security researchers disclosed the findings on Tuesday, June 3, 2026, after confirming the exploit's effectiveness against multiple server configurations. The attack can be executed with a single connection, allowing attackers to target specific services without triggering conventional intrusion detection systems.

Major technology companies and server vendors are now working to develop patches and mitigation strategies. The HTTP/2 protocol, introduced in 2015, has become the standard for modern web communications, with billions of websites relying on its performance improvements over the older HTTP/1.1 standard.

The HTTP/2 Bomb represents a significant evolution in denial-of-service techniques, exploiting legitimate protocol features rather than implementation bugs. This distinction makes the vulnerability particularly challenging to address, as fixing it may require changes to the protocol specification itself rather than simple software updates.

Network engineers and security professionals are advised to monitor for unusual memory consumption patterns and consider implementing additional safeguards beyond standard HTTP/2 protections. Some experts recommend temporarily disabling HTTP/2 on critical systems until comprehensive fixes are available.

The full technical details of the vulnerability remain under review by the Internet Engineering Task Force, which maintains HTTP protocol standards. Questions remain about the timeline for widespread patch deployment and whether additional variants of the attack could emerge as defenders implement countermeasures.

Security firms are urging organizations to prepare for potential disruptions, particularly during high-traffic periods when denial-of-service attacks are most likely to cause significant impact. The incident highlights the ongoing challenges of securing complex network protocols as web technologies continue to evolve.
