
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.
The technique works against the default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
Discovered by OpenAI's Codex coding agent under the guidance of researchers at offensive security company Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS techniques: HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.
When combined, a single client on a 100 Mbps connection can exhaust tens of gigabytes of RAM within seconds, forcing the server to allocate the memory and then preventing its release.
"A home laptop on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds," the researchers say.
The HTTP/2 Bomb DoS attack abuses the HPACK mechanism that the HTTP/2 protocol uses for header compression: a header is inserted into the HPACK dynamic table and then referenced repeatedly through a compact indexed representation that can be as small as one byte.
As a result, one byte sent by the attacker can produce thousands of bytes of server-side memory allocation, with Envoy and Apache httpd showing the worst ratios at 5,700:1 and 4,000:1, respectively.
The second part of the attack consists of preventing the memory from being freed once the request completes. This is achieved by advertising a zero-byte flow-control window. Instead of sending a response, the server periodically sends tiny WINDOW_UPDATE frames to avoid timeouts.
In this scenario, the requests are never fully completed, and the allocated memory keeps growing without being freed.
Calif researchers explain that this approach bypasses existing defenses such as limits on the total decoded header size, because the header values used in the attack are tiny; the amplification comes from internal per-header bookkeeping and memory allocations.
When testing the new DoS technique against four major web servers, the researchers obtained the following results:
- Envoy 1.37.2 exhausted 32 GB RAM in about 10 seconds
- Apache httpd 2.4.67 exhausted 32 GB RAM in ~18 seconds
- nginx 1.29.7 exhausted 32 GB RAM in ~45 seconds
- IIS (Windows Server 2025) exhausted 64 GB RAM in ~45 seconds
The full technical details of the HTTP/2 Bomb DoS attack will be disclosed at the Real World AI Security conference later this month in a presentation by researcher Quang Luong.
However, proof-of-concept (PoC) exploits have already been published for the new attack method.
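To show why a decoded-size limit alone does not catch this, here is a constructed mini HPACK decoder (an added example, not Calif's code or any server's implementation) that resolves one-byte indexed fields through the dynamic table and enforces a per-block header-count limit in addition to the decoded-byte limit. The static-table subset, the sample block and the limit values are constructed for illustration.

```python
# Constructed mini HPACK (RFC 7541) decoder: indexed and literal-with-indexing fields only.
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET")}  # small subset
STATIC_SIZE = 61  # dynamic-table entries start at index 62

class HeaderBlockRejected(Exception):
    pass

def _read_int(buf, pos, prefix_bits):
    """Single-byte case of RFC 7541 section 5.1 integer decoding."""
    value = buf[pos] & ((1 << prefix_bits) - 1)
    if value == (1 << prefix_bits) - 1:
        raise ValueError("multi-byte integers not handled in this example")
    return value, pos + 1

def _read_string(buf, pos):  # raw (non-Huffman) string: 7-bit length, then octets
    length, pos = _read_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def decode_block(buf, max_header_count, max_decoded_bytes):
    dynamic, headers, decoded_bytes, pos = [], [], 0, 0
    while pos < len(buf):
        first = buf[pos]
        if first & 0x80:                      # 1xxxxxxx: indexed field, one byte on the wire
            idx, pos = _read_int(buf, pos, 7)
            name, value = STATIC_TABLE[idx] if idx <= STATIC_SIZE else dynamic[idx - STATIC_SIZE - 1]
        elif first & 0x40:                    # 01xxxxxx: literal added to the dynamic table
            idx, pos = _read_int(buf, pos, 6)
            if idx:
                raise ValueError("indexed names not handled in this example")
            name, pos = _read_string(buf, pos)
            value, pos = _read_string(buf, pos)
            dynamic.insert(0, (name, value))  # index 62 now refers to this entry
        else:
            raise ValueError("representation not handled in this example")
        headers.append((name, value))
        decoded_bytes += len(name) + len(value)
        if decoded_bytes > max_decoded_bytes:
            raise HeaderBlockRejected("decoded header size limit exceeded")
        if len(headers) > max_header_count:   # the check a size-only limit lacks
            raise HeaderBlockRejected("header count limit exceeded")
    return headers

def block_accepted(buf, max_header_count, max_decoded_bytes):
    try:
        decode_block(buf, max_header_count, max_decoded_bytes)
    except HeaderBlockRejected:
        return False
    return True

# Constructed block: insert "x: y" once, then reference it 5000 times at one byte each.
REPEATED_INDEX_BLOCK = b"\x40\x01x\x01y" + b"\xbe" * 5000
```

The 5005-byte sample block decodes to 5001 tiny headers, which stays far under a 16 KB decoded-size limit but is stopped by a header-count limit of 100; the per-header bookkeeping the article describes is what a count limit bounds.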

Source: Calif
Impact and fixes
Calif researchers emphasize that, while neither part of their attack was particularly novel, combining the two techniques has a significant impact.
They note that although the specifications for the HPACK algorithm focus on memory amplification risks, they do not address what happens when an attacker holds allocated memory indefinitely via HTTP/2 flow control.
However, not all web servers are vulnerable to "HTTP/2 Bomb," as patches have already been released for some platforms. In addition, certain custom server configurations may provide indirect protection against the attack.
For example, systems running behind CDNs or reverse proxies do not expose the vulnerable HTTP/2 endpoint and are harder to target. Also, some deployments may already have custom header-count limits, WAFs, reverse proxies, or HTTP/2 disabled.
The issue was fixed in nginx version 1.29.8, which added a 'max_headers' directive, and in Apache httpd mod_http2 2.0.41, where the issue was assigned the identifier CVE-2026-49975.
At the time of writing, no patch is available for IIS, Envoy, or Pingora. On these web servers, it is recommended to disable HTTP/2 where feasible and to place a proxy or firewall in front that enforces hard header-count limits.



