New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Overview

Security researchers have identified a newly disclosed Denial-of-Service (DoS) attack technique, dubbed HTTP/2 Bomb, which targets systems using the HTTP/2 protocol and can rapidly exhaust server memory, leading to service disruption and application outages. The vulnerability affects the default HTTP/2 configurations of several widely deployed web servers and reverse proxies, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

The attack can be launched from a single machine with relatively low bandwidth requirements. By exploiting weaknesses in HTTP/2 header compression (HPACK) and flow-control mechanisms, attackers can force vulnerable servers to allocate excessive amounts of memory while preventing those resources from being released. As a result, a single attacker with modest resources can consume tens of gigabytes of server memory within seconds, potentially rendering web applications and services unavailable to legitimate users. This low-cost, high-impact attack poses a significant risk to organizations operating internet-facing HTTP/2-enabled services and web infrastructure.

Threat Details :

 Vulnerability Name: HTTP/2 Bomb

CVE ID: CVE-2026-49975

Severity: High

Vulnerability Type: Denial of Service (DoS)

Affected Component: HTTP/2 Protocol Implementations

Attack Vector: Network (Unauthenticated)

Public PoC Availability: Security research details publicly available

Exploitation Status: Publicly disclosed; exploitation feasible with low attacker resources

 The HTTP/2 Bomb attack combines two known HTTP/2 attack techniques:

 1. HPACK Compression Amplification

• HTTP/2 uses a compression mechanism called HPACK to reduce header size.
• Attackers can abuse this feature by sending very small requests that trigger disproportionately large memory allocations on the server.
• In some cases, a single byte sent by an attacker can result in thousands of bytes of memory being allocated by the server.

2. HTTP/2 Flow-Control Stalling 

• After forcing memory allocation, attackers prevent the server from completing the connection and releasing the allocated resources.
• This is achieved by manipulating HTTP/2 flow-control mechanisms, causing memory consumption to continue growing over time.
• Periodic 1-byte WINDOW_UPDATE frames keep the connection alive and prevent timeout expiration.
   

The combination allows memory consumption to accumulate indefinitely until resource exhaustion occurs.

Researchers demonstrated that a single system connected through a 100 Mbps internet connection could consume up to 32 GB of server memory in less than 20 seconds on some platforms.

A Proof-of-Concept (PoC) exploit for the attack has already been published, increasing the likelihood of exploitation attempts.

 How it Affects:

An attacker can send specially crafted HTTP/2 requests to a vulnerable server and trigger excessive memory allocation.

As memory consumption increases:

• Server resources become exhausted.
• Applications may become slow or unresponsive.
• Legitimate users may be unable to access websites or services.
• Servers may crash or require manual intervention to recover.
• Business-critical web applications may experience downtime.

Unlike traditional volumetric DDoS attacks, HTTP/2 Bomb does not require large amounts of network traffic, making it difficult to detect based solely on bandwidth usage.

Who It Affects

This vulnerability affects organizations that:

• Expose HTTP/2-enabled web services to untrusted clients.
• Use vulnerable default configurations.
• Operate affected web servers directly on the Internet.
• Do not enforce strict header count limitations.

Organizations hosting public-facing web applications, APIs, reverse proxies, load balancers, and edge services are particularly exposed.

Its Impact :

Successful exploitation can:

• Cause complete service outages.
• Exhaust server memory within seconds.
• Prevent legitimate users from accessing applications.
• Trigger server instability or crashes.
• Increase operational and recovery costs.
• Impact customer experience and business operations.

Targeted Products:

Indicators of compromise: 

There are currently no publicly available Indicators of Compromise (IOCs) specifically associated with HTTP/2 Bomb exploitation.

However, Security teams should monitor for:

Network Indicators

• Large numbers of HTTP/2 connections from a single source.
• Unusually long-lived HTTP/2 sessions.
• Repeated HTTP/2 requests with abnormal header patterns.

Server Indicators

• Rapid memory consumption without corresponding traffic increases.
• Unexpected spikes in RAM utilization.
• HTTP/2 worker process exhaustion.
• Application slowdowns or crashes.
• Increased numbers of stalled or incomplete HTTP/2 requests.

Log Indicators

• Excessive HTTP/2 stream creation.
• Persistent HTTP/2 connections that remain open for extended periods.
• Resource exhaustion warnings in web server logs.

Recommendations

 Organizations should take the following actions immediately:

 1. Apply Vendor Updates

• Upgrade NGINX to version 1.29.8 or later.
• Upgrade Apache mod_http2 to version 2.0.41 or later.
• Upgrade Envoy to the latest patched release.

2. Disable HTTP/2 Where Possible

For systems without available fixes, consider disabling HTTP/2 until vendor guidance becomes available.

3. Implement Reverse Proxy or WAF Protection

Deploy security controls that:

• Enforce strict header count limits.
• Inspect and filter malformed HTTP/2 traffic.
• Restrict abnormal connection behavior.

4.Implement Rate Limiting

• Restrict excessive HTTP/2 connections and streams per client.
• Apply connection throttling at load balancers and WAFs.

References:

• New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
• Codex Discovered a Hidden HTTP/2 Bomb
• New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare