Security researchers at offensive security firm Calif, working with OpenAI’s Codex software agent, have disclosed a new denial-of-service attack technique dubbed the HTTP/2 Bomb — a memory-exhaustion attack that can crash major web servers in under a minute using nothing more than a home internet connection. Disclosed on 2–3 June 2026 and assigned CVE-2026-49975, the attack exploits the default HTTP/2 configurations of NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora — a list that encompasses a significant proportion of all production web infrastructure on the internet. The attack’s most alarming characteristic is its efficiency: a single machine on a 100 Mbps connection can exhaust tens of gigabytes of server RAM in under a minute, rendering the target inaccessible without requiring a large botnet or significant bandwidth resources.
What Makes HTTP/2 Bomb Different?
The HTTP/2 Bomb is not a single new vulnerability — it is a chain of two well-known, decade-old HTTP/2 weaknesses that had never been combined into a single exploit before. Both component techniques have been public knowledge since approximately 2016. What Codex did — and what makes this disclosure significant — is recognize that the two techniques compose into an attack far more effective than either alone, and then build the combined exploit against five major server platforms. As the Calif researchers noted: “Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers.”
The disclosure is also notable for a second reason: it is one of the first high-impact security vulnerabilities to be discovered by an AI system rather than a human researcher — a milestone that carries significant implications for the future of both offensive security research and defensive tooling.
The Technical Mechanism: How the Attack Works
Understanding the HTTP/2 Bomb requires knowing the two HTTP/2 protocol components it abuses:
Component 1: HPACK Compression Amplification
HPACK is the header compression mechanism used by HTTP/2. It works by maintaining a dynamic table of previously seen header values. When a header that is already in the table needs to be sent again, it can be referenced by a compact index rather than transmitted in full. A reference can be as small as one byte, but when the server processes it, it expands the reference back to the full header value — potentially kilobytes or more of data.
The classic HPACK bomb (CVE-2016-6581) exploited this by stuffing a large value into the table and then referencing it repeatedly. Servers learned to defend against this by capping the total decoded header size — so a simple reference bomb no longer works. The HTTP/2 Bomb uses a more sophisticated approach: instead of one large value referenced many times, it uses many distinct small entries that each reference differently encoded fragments, bypassing the per-header-size cap while still producing massive server-side memory allocation. The amplification ratios demonstrated in testing are extraordinary: Envoy at 5,700:1 and Apache httpd at 4,000:1 — meaning one byte of attacker traffic results in 4,000 to 5,700 bytes of server-side memory allocation.
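As an added illustration of how a decoder can bound this amplification (this is example code written for this article, not Calif's code or any server's implementation), the Python below decodes a small HPACK-subset header block and enforces the two caps the text refers to: the total decoded size that defeated the 2016 reference bomb, and a header-count limit of the kind the NGINX fix introduces. It assumes a simplified HPACK with no static table, no Huffman coding and only two field representations, and the sample block is constructed rather than captured traffic.

```python
def decode_int(buf, pos, prefix_bits):
    """RFC 7541 s5.1 integer: N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    if value < mask:
        return value, pos
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_string(buf, pos):
    """Raw (non-Huffman) string literal: 7-bit length prefix, then the octets."""
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def decode_block(block, max_decoded_bytes=8192, max_headers=100):
    """Decode one header block while enforcing a total-decoded-size cap (the
    defence against the 2016 reference bomb) and a header-count cap (the kind
    of limit the NGINX fix adds). Returns a report dict instead of the headers."""
    table, headers, decoded, pos = [], 0, 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                        # indexed field: 1-2 wire bytes ...
            idx, pos = decode_int(block, pos, 7)
            name, value = table[idx - 1]        # ... expands to the whole stored entry
        elif first & 0xC0 == 0x40:              # literal with incremental indexing
            name_idx, pos = decode_int(block, pos, 6)
            if name_idx:                        # toy limitation: new-name literals only
                raise ValueError("indexed names not supported in this toy decoder")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            table.insert(0, (name, value))      # newest dynamic entry is index 1
        else:
            raise ValueError("representation not supported in this toy decoder")
        decoded += len(name) + len(value) + 32  # RFC 7541 s4.1 entry size
        headers += 1
        if decoded > max_decoded_bytes or headers > max_headers:
            return {"accepted": False, "headers": headers, "decoded": decoded}
    # Amplification ratio: bytes the server had to materialise per wire byte.
    return {"accepted": True, "headers": headers, "decoded": decoded,
            "ratio": decoded / max(len(block), 1)}

# Constructed test vector (not captured traffic): one 100-byte value stored once,
# then referenced 20 times by a one-byte index -> 128 wire bytes, 2877 decoded.
SAMPLE = b"\x40\x05x-big\x64" + b"A" * 100 + b"\x81" * 20
```

Running `decode_block(SAMPLE)` accepts the block at a ratio of about 22:1, while `decode_block(SAMPLE, max_headers=10)` or a tighter `max_decoded_bytes` rejects it part-way through, before the remaining references are materialised.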
Component 2: Slowloris-Style Flow-Control Hold
The HPACK amplification alone would be dangerous — but allocated memory eventually gets freed when requests complete and connections close. The second component of the HTTP/2 Bomb prevents the memory from being released. HTTP/2 uses flow-control windows to regulate how much data can be in flight between client and server. An attacker can advertise a zero-byte flow-control window — telling the server “I am not ready to receive data yet.” The server, rather than responding and releasing the connection, enters a waiting state where it periodically sends tiny WINDOW_UPDATE frames to avoid triggering timeout mechanisms.
In this state, the request is never completed, the connection is never closed, and the memory allocated during HPACK decompression is never freed. Each new request from the attacker allocates more memory. Memory accumulates indefinitely until the server runs out of RAM and becomes unavailable. This is a Slowloris-type attack pattern applied to HTTP/2 flow control — hence the researchers’ description of the technique as “HPACK amplification + HTTP/2 Slowloris.”
Combined Effect: The Numbers
When both components are combined, the effect is dramatic. From Calif’s published research:
- A home computer on a 100 Mbps connection can render a vulnerable server inaccessible within seconds to under a minute
- Against Apache httpd and Envoy, a single client can consume and hold 32 GB of server memory in approximately 20 seconds
- The attack affects the default HTTP/2 configuration of all five tested platforms — no misconfiguration or unusual setup required
- An estimated 880,000+ publicly accessible websites support HTTP/2 and run default configurations of the affected servers
Affected Platforms and CVE Assignment
| Server / Platform | Status | Fix Details |
|---|---|---|
| NGINX | Patched | Fixed in version 1.29.8 — new max_headers directive introduced |
| Apache HTTP Server | Patched | Fixed in mod_http2 v2.0.41 — CVE-2026-49975 assigned; cookie fragments now count toward request field limits |
| Microsoft IIS | Unpatched at disclosure | Maintainer notified; no patch available at time of disclosure |
| Envoy | Unpatched at disclosure | Maintainer notified; worst amplification ratio (5,700:1) |
| Cloudflare Pingora | Unpatched at disclosure | Maintainer notified; no patch available at time of disclosure |
The CVE identifier CVE-2026-49975 was assigned by Apache and carries a CVSS 3.1 base score of 7.5 (High), reflecting the unauthenticated, network-exploitable denial-of-service impact with no user interaction required.
The AI Discovery Angle: What It Means
The method of discovery is as significant as the vulnerability itself. OpenAI’s Codex software agent, directed by Calif researchers, identified the attack by reading the HTTP/2 server codebases and recognizing that two known-but-separately-considered vulnerability classes composed into a single effective exploit. This is exactly the kind of cross-codebase, combinatorial reasoning that is computationally tractable for a sufficiently capable AI system but has historically been difficult for human researchers working under time and cognitive constraints.
The security community has long anticipated that AI-assisted vulnerability research would become a significant force — both for defenders identifying and patching vulnerabilities faster, and for attackers discovering new ones. The HTTP/2 Bomb represents a concrete, documented example of an AI system making a meaningful security discovery that human researchers had not made despite the component techniques being public knowledge for ten years. It will not be the last.
Mitigation and Protection
Organizations running any of the five affected platforms should take the following steps based on their current patch status:
For NGINX and Apache Users (Patches Available)
- Upgrade NGINX to version 1.29.8 or later immediately
- Upgrade Apache’s mod_http2 to version 2.0.41 or later
- Verify the max_headers directive is configured in NGINX after upgrade
For IIS, Envoy, and Pingora Users (No Patch Yet)
- Disable HTTP/2 where feasible. Serving HTTP/1.1 only removes the attack surface entirely, at the cost of performance. For internal services or low-traffic endpoints, this may be the best immediate option.
- Place a patched reverse proxy in front. If you have an unpatched backend server, fronting it with a patched NGINX instance that enforces hard header-count limits provides meaningful protection.
- Apply WAF rules targeting HPACK header flooding. Some WAF configurations can detect and rate-limit the anomalous HPACK patterns that characterize this attack.
- Enforce memory limits on worker processes. Configuring worker process memory limits means a single attack connection cannot exhaust all server RAM — it can kill a worker, but the server itself recovers rather than becoming completely unavailable.
For All Organizations
Systems running behind CDNs or properly configured reverse proxies may be indirectly protected — the HTTP/2 connection terminates at the CDN/proxy edge, which may not pass through the malicious HPACK patterns to the backend. However, this depends entirely on the specific CDN and proxy configuration. Do not assume CDN protection without verifying. This type of infrastructure-level attack is also a strong argument for having proper load balancing architecture with multiple server instances, so a DoS against one instance does not take down an entire service — and for ensuring your web server management practices include active monitoring of memory consumption at the worker process level.
Conclusion
The HTTP/2 Bomb is a technically elegant attack — combining two decade-old, individually well-understood techniques into a new composite exploit that affects a significant portion of the internet’s web server infrastructure. Its discovery by an AI system rather than a human researcher is a landmark moment that the security industry should take seriously as an indicator of the capabilities that AI-assisted vulnerability research will bring to both attackers and defenders going forward.
Organizations running NGINX or Apache should patch immediately. Organizations running IIS, Envoy, or Pingora should implement the available mitigations — disabling HTTP/2, enforcing memory limits, and placing patched proxies in front of vulnerable backends — while waiting for patches from their respective maintainers. The combination of wide impact, ease of exploitation from minimal resources, and the AI-discovery angle makes CVE-2026-49975 one of the more significant infrastructure vulnerabilities disclosed in 2026.