HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly disclosed remote denial-of-service exploit dubbed “HTTP/2 Bomb” targets the default HTTP/2 configurations of the world’s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds.

The exploit was discovered by researcher Quang Luong, who used Codex to chain two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold.

What makes this variant novel is not the primitives themselves, but the precise way they are combined and, critically, where the amplification originates.

HTTP/2 Bomb Remote DoS Exploit

HPACK (RFC 7541) is HTTP/2’s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers; a sender can insert a header once and subsequently reference it with a single-byte index.

The receiver must materialize a full copy of that header on every reference. According to Jun Rong and Duc Phan, the exploit seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request, costing the attacker one wire byte while forcing the server to allocate anywhere from ~70 bytes (nginx, IIS, Pingora) to ~4,000 bytes (Apache httpd, Envoy) per reference.

The second component exploits HTTP/2 per-stream flow control (RFC 9113). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response.

A trickle of 1-byte WINDOW_UPDATE frames continuously resets the send timeout, pinning every memory allocation in place for as long as the attacker wishes, turning a transient amplification into a persistent memory hold.

Attack on Multiple OS

Server                               Amplification   Demo Result
Envoy 1.37.2                         ~5,700:1        ~32 GB in ~10s
Apache httpd 2.4.67                  ~4,000:1        ~32 GB in ~18s
nginx 1.29.7                         ~70:1           ~32 GB in ~45s
Microsoft IIS (Windows Server 2025)  ~68:1           ~64 GB in ~45s

A Shodan analysis identified 880,000+ public-facing websites supporting HTTP/2 and running one of these servers, though many are fronted by CDNs that reduce direct exposure, Quang Luong said.

For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 explicitly permits splitting a Cookie header into one field per crumb. Neither Apache nor Envoy was counting those crumbs against field limits.

Envoy appends each crumb into a buffer; a 4 KB cookie value referenced 32,768 times produces a logical ~3,600:1 ratio, with measured RSS ratios reaching ~5,700:1 on a single stream once allocator overhead accumulates. Apache httpd rebuilds the entire merged cookie string on every crumb, leaving older copies live until stream cleanup, yielding ~4,000:1 even for an empty cookie.

The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers directive with a default ceiling of 1,000 headers.

Prior related CVEs include CVE-2016-6581 (original HPACK Bomb, coined by Cory Benfield), CVE-2025-53020 (Apache httpd ~4,000:1 amplification, Gal Bar Nahum), CVE-2016-8740, and CVE-2016-1546.

Mitigations

  • nginx: Upgrade to 1.29.8+; if not possible, set http2 off;
  • Apache httpd: Apply mod_http2 v2.0.41 from the standalone releases; otherwise set Protocols http/1.1 to disable HTTP/2
  • Microsoft IIS / Envoy / Cloudflare Pingora: No patch available at time of writing; disable HTTP/2 or front with a proxy enforcing a hard per-request header count cap
  • All servers: Cap per-worker memory via cgroups, ulimit -v, or container limits; an OOM-killed worker that respawns is a far better failure mode than a machine pushed into swap

The research team concludes the vulnerability class reflects a specification defect in RFC 7541. Section 7.3 frames memory risk solely as an amplification ratio and treats SETTINGS_HEADER_TABLE_SIZE as a sufficient bound.

It does not account for per-entry bookkeeping overhead; the amplification in this exploit comes entirely from allocator metadata around nearly empty headers, bypassing every decoded-size limit. Five independent implementations read the same section and shipped the same bug.
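The accounting gap described above, as an added illustration that is not code from the research or from any of the affected servers: a toy model of RFC 7541 dynamic-table accounting (32 bytes + name + value per entry) beside a per-request field count. The instruction format (`insert` / `ref` tuples) is a constructed abstraction, not HPACK wire bytes; it shows that the dynamic table stays within SETTINGS_HEADER_TABLE_SIZE while the materialized field list grows without bound, and that a field cap which also counts Cookie crumbs (RFC 9113 §8.2.3) is what actually stops the request.

```python
"""Toy model of HPACK dynamic-table accounting vs. a per-request field cap.
Constructed example; not the exploit, not any server's decoder."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ENTRY_OVERHEAD = 32  # RFC 7541 §4.1: entry size = 32 + len(name) + len(value)


@dataclass
class Decoder:
    max_table_size: int = 4096          # SETTINGS_HEADER_TABLE_SIZE default
    max_fields: Optional[int] = None    # per-request cap; None = no cap
    table: List[Tuple[str, str]] = field(default_factory=list)  # newest first
    table_bytes: int = 0

    def _insert(self, name: str, value: str) -> None:
        self.table.insert(0, (name, value))
        self.table_bytes += ENTRY_OVERHEAD + len(name) + len(value)
        while self.table_bytes > self.max_table_size:   # evict oldest (§4.3)
            n, v = self.table.pop()
            self.table_bytes -= ENTRY_OVERHEAD + len(n) + len(v)

    def decode(self, instructions):
        """('insert', name, value): literal with incremental indexing, emits the
        field and adds it to the table. ('ref', i): indexed reference to dynamic
        entry i, which the receiver must materialize as a full field.
        Returns (fields, table_bytes); raises ValueError when the cap is hit."""
        fields = []
        for ins in instructions:
            if ins[0] == 'insert':
                _, name, value = ins
                self._insert(name, value)
            else:
                name, value = self.table[ins[1]]
            # Cookie crumbs are separate fields (RFC 9113 §8.2.3): count each one.
            crumbs = value.split('; ') if name == 'cookie' and value else [value]
            for crumb in crumbs:
                fields.append((name, crumb))
                if self.max_fields is not None and len(fields) > self.max_fields:
                    raise ValueError(f"header field count exceeds {self.max_fields}")
        return fields, self.table_bytes


def compare(references: int = 32_768, cap: int = 1_000):
    """One request: a single near-empty cookie entry, then many 1-index references.
    Returns ((field_count, table_bytes) without a cap, error text with a cap)."""
    req = [('insert', 'cookie', '')] + [('ref', 0)] * references
    fields, table_bytes = Decoder().decode(req)       # table bound alone: passes
    try:
        Decoder(max_fields=cap).decode(req)
        rejected = None
    except ValueError as e:                           # field cap: rejects
        rejected = str(e)
    return (len(fields), table_bytes), rejected
```

Run `compare()` to see the table hold at 38 bytes while 32,769 fields are materialized, which is exactly the per-entry bookkeeping that a table-size bound never sees.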

PoC scripts, Docker labs, and per-server writeups are available at the Codex GitHub repository. The researcher Quang Luong will present the techniques at the Real World AI Security conference at Stanford in June 2026.
