‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds
The 'HTTP/2 Bomb' exploit is a denial-of-service (DoS) attack chain aimed at the default HTTP/2 configurations of major web servers. It combines a compression-bomb attack on HTTP/2's HPACK header compression with a Slowloris-style hold that keeps connections and streams open, so the server cannot free the memory the bomb made it allocate. According to the report, over 880,000 websites run default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy or Cloudflare Pingora that are exposed. The underlying vulnerabilities have been known for years; the novel combination is what makes the attack effective, letting an attacker with modest bandwidth take servers offline within seconds. Patches have been released for NGINX and Apache HTTPD; Microsoft IIS, Envoy and Cloudflare Pingora were unpatched at the time of reporting.
AI Analysis
Technical Summary
The HTTP/2 Bomb chains known vulnerabilities: CVE-2016-6581, the HPACK Bomb, in which a header block of cheap references to dynamic-table entries decodes to far more data than was sent on the wire, and two memory-exhaustion flaws in Apache httpd's mod_http2, CVE-2016-1546 (Slow Read: the client withholds HTTP/2 flow-control window updates so streams and their buffers are held open) and CVE-2016-8740 (mod_http2 not applying the LimitRequestFields cap, so a client could inject an unbounded number of request header fields). The variant reported here sends header blocks made of nearly empty header fields: each field costs the server a per-entry allocation and bookkeeping, while the decoded size that the usual header-size limits count stays small, so those limits never trip. Combined with the slow-read hold, which stops the bloated streams from being cleaned up, server memory is exhausted within seconds. The report says the chain was found by combining these public vulnerabilities with AI-assisted code analysis. NGINX shipped a fix in April 2026 and Apache HTTPD in late May 2026 (tracked as CVE-2026-49975); other major HTTP/2 servers remain vulnerable. The attack works from a 100 Mbps connection against default server configurations.
Potential Impact
The chain exhausts server memory and related resources fast enough to take affected servers offline within seconds, and it does so against default HTTP/2 configurations, so the exposed population is large. Bandwidth requirements are low: the report puts a working attack within reach of a 100 Mbps home connection. No exploitation in the wild had been reported at the time of disclosure.
Mitigation Recommendations
Fixes are available for NGINX (April 2026) and Apache HTTPD (May 2026, CVE-2026-49975); administrators of those servers should apply them promptly. Microsoft IIS, Envoy and Cloudflare Pingora were unpatched at the time of reporting, so operators of those servers should watch vendor advisories. Until a fix ships, consider disabling HTTP/2 where clients can fall back to HTTP/1.1, or tightening configuration so that the number of header fields per request is capped (a count, not only a byte size, since the attack stays under byte-size limits) and idle or stalled streams are timed out rather than held open by client-controlled flow-control windows. The report does not say whether any particular setting fully defeats the chain, so treat configuration changes as risk reduction rather than a substitute for the patch. No vendor has indicated that the issue is mitigated by default or that no action is needed.
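The accounting gap behind the near-empty-header stage, and the count-based limit the mitigation section suggests, as an added example that is not code from the report, the researchers, or any of the servers named: a minimal HPACK (RFC 7541) decoder that handles indexed fields and non-Huffman literals and applies two limits while decoding. `max_list_size` counts decoded bytes the way RFC 7540 section 6.5.2 does (name length + value length + 32 per field); `max_fields` simply counts fields. The 16 KiB size cap, the 100-field cap and `BOOKKEEPING_BYTES` (an illustrative per-field allocation cost) are assumptions of this example, not figures from the page. A block of 400 one-byte references to a near-empty dynamic-table entry is 403 bytes on the wire and 13,200 bytes by list-size accounting, so a size-only limit passes it, while the count limit rejects it at the 101st field; the same limiter rejects the 2016-style large-entry HPACK bomb by size.

```python
# Added example, not the report's or any server's code: a minimal HPACK (RFC 7541) decoder
# for indexed fields and non-Huffman literals that enforces a byte-based header list size
# and a field count while decoding. The two limits and BOOKKEEPING_BYTES are assumed values.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_OVERHEAD = 32        # RFC 7541 4.1 / RFC 7540 6.5.2: per-field overhead added to name+value
FIRST_DYNAMIC_INDEX = 62   # the static table has 61 entries, so dynamic entries start at 62
BOOKKEEPING_BYTES = 96     # ASSUMED per-field allocation cost inside a server, illustration only

def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` carry the representation bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_str(s: bytes) -> bytes:
    return encode_int(len(s), 7) + s              # H bit clear: raw octets, no Huffman coding

def decode_str(buf: bytes, pos: int) -> Tuple[bytes, int]:
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this example")
    n, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + n]), pos + n

def literal_no_index(name: bytes, value: bytes) -> bytes:
    return b"\x00" + encode_str(name) + encode_str(value)    # RFC 7541 6.2.2, new name

def literal_incremental(name: bytes, value: bytes) -> bytes:
    return b"\x40" + encode_str(name) + encode_str(value)    # RFC 7541 6.2.1, enters the dynamic table

def indexed(index: int) -> bytes:
    return encode_int(index, 7, 0x80)                         # RFC 7541 6.1, one byte for index < 127

def near_empty_header_block(n_fields: int) -> bytes:
    """One entry with a one-byte name and empty value, then n-1 one-byte references to it."""
    return literal_incremental(b"x", b"") + indexed(FIRST_DYNAMIC_INDEX) * (n_fields - 1)

@dataclass
class Limits:
    max_list_size: int = 16384         # assumed decoded-size cap in RFC 7540 6.5.2 units
    max_fields: Optional[int] = 100    # count-based cap; None disables it

@dataclass
class DecodeResult:
    fields: List[Tuple[bytes, bytes]]
    wire_bytes: int
    list_size: int
    rejected_by: Optional[str] = None

def decode_block(buf: bytes, limits: Optional[Limits] = None) -> DecodeResult:
    dyn: List[Tuple[bytes, bytes]] = []          # dynamic table, newest first; eviction omitted
    fields: List[Tuple[bytes, bytes]] = []
    list_size, pos = 0, 0
    while pos < len(buf):
        b = buf[pos]
        if b & 0x80:                                          # indexed header field
            idx, pos = decode_int(buf, pos, 7)
            if idx < FIRST_DYNAMIC_INDEX:
                raise ValueError("static table entries are not modelled in this example")
            name, value = dyn[idx - FIRST_DYNAMIC_INDEX]
        elif b & 0x20 and not b & 0x40:                       # dynamic table size update
            raise ValueError("table size updates are not modelled in this example")
        else:                                                 # literal; 6-bit prefix if it indexes
            idx, pos = decode_int(buf, pos, 6 if b & 0x40 else 4)
            if idx:
                raise ValueError("indexed names are not modelled in this example")
            name, pos = decode_str(buf, pos)
            value, pos = decode_str(buf, pos)
            if b & 0x40:
                dyn.insert(0, (name, value))
        fields.append((name, value))
        list_size += len(name) + len(value) + ENTRY_OVERHEAD
        if limits is not None and list_size > limits.max_list_size:
            return DecodeResult(fields, len(buf), list_size, "max_list_size")
        if limits is not None and limits.max_fields is not None and len(fields) > limits.max_fields:
            return DecodeResult(fields, len(buf), list_size, "max_fields")
    return DecodeResult(fields, len(buf), list_size)

def estimated_server_bytes(result: DecodeResult) -> int:
    """List-size bytes plus the assumed per-field bookkeeping: a rough amplification figure."""
    return result.list_size + len(result.fields) * BOOKKEEPING_BYTES
```

Calling `decode_block(near_empty_header_block(400))` with no limits returns 400 fields from 403 wire bytes; `Limits(max_fields=None)` lets the same block through because its list size stays under the byte cap, and the default `Limits()` rejects it with `rejected_by == "max_fields"`. The point to take away is that a size-based limit bounds bytes, not entries, so per-entry costs need their own cap; a real server would also evict from the dynamic table and honour table size updates, which this example deliberately leaves out.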
Technical Details
- Article Source: https://www.securityweek.com/http-2-bomb-exploit-knocks-web-servers-offline-in-seconds/ (fetched 2026-06-03)
Added to database: 6/3/2026, 11:03:34 AM