Full Report
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability has been codenamed HTTP/2 Bomb by Calif. "The vulnerable behavior exists in each server's default HTTP/2 configuration," the company said, adding it was discovered by OpenAI Codex by chaining
Analysis Summary
# Vulnerability: HTTP/2 Bomb (HPACK Bookkeeping Exhaustion)
## CVE Details
- **CVE ID:** Not explicitly assigned in the article (the article references related flaws: CVE-2016-6581, CVE-2025-53020, CVE-2016-8740, CVE-2016-1546)
- **CVSS Score:** Not Provided (Estimated Critical/High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption) / CWE-770 (Allocation of Resources Without Limits or Throttling)
## Affected Systems
- **Products:** NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
- **Versions:**
  - **NGINX:** Versions prior to 1.29.8.
  - **Apache HTTPD:** Versions prior to mod_http2 v2.0.41.
  - **IIS/Envoy/Pingora:** All versions currently supporting HTTP/2 (as of June 2026).
- **Configurations:** Default HTTP/2 configurations are vulnerable.
## Vulnerability Description
The "HTTP/2 Bomb" is a remote Denial-of-Service (DoS) vulnerability that abuses the HPACK header-compression scheme. Unlike traditional compression bombs, which fill the header table with large values, this variant sends nearly empty headers.
The attack targets the "per-entry bookkeeping" memory that servers allocate for every header they receive. By sending thousands of tiny headers per request, the attacker stays under the "decoded-size" limits, which count only the content of the headers and not the per-entry metadata overhead. The attacker then uses a Slowloris-style technique, advertising a zero-byte flow-control window so that the server cannot send its response; this pins the allocated memory until server resources are exhausted.
## Exploitation
- **Status:** PoC described; identified via OpenAI Codex research.
- **Complexity:** Low
- **Attack Vector:** Network
- **Performance:** A single home computer on a 100 Mbps connection can consume 32GB of server memory in approximately 20 seconds.
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Complete server unresponsiveness/crash due to memory exhaustion)
## Remediation
### Patches
- **NGINX:** Upgrade to **1.29.8+**. This version introduces the `max_headers` directive (default 1000), which caps the number of header entries per request and thus bounds the bookkeeping memory.
- **Apache HTTPD:** Upgrade to **mod_http2 v2.0.41**.
- **Microsoft IIS, Envoy, Cloudflare Pingora:** No patches available at the time of the report.
### Workarounds
- **Disable HTTP/2:**
  - **NGINX:** Set `http2 off;` in the configuration.
  - **Apache:** Set `Protocols http/1.1` so that the h2 protocol is no longer offered.
- **General:** Disable HTTP/2 support on load balancers or edge gateways if the backend cannot be patched.
## Detection
- **Indicators of Compromise:** High memory utilization paired with a large number of persistent HTTP/2 connections from individual IP addresses that transmit very little data.
- **Detection Methods:** Monitor for HTTP/2 sessions with an abnormally high number of header entries but a low total byte count of decoded headers. Watch for zero-window flow-control signals maintained for extended periods.
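The detection heuristic above, as an added example that is not part of the article or any vendor's code: it scores per-stream telemetry for the "many tiny headers held behind a zero window" pattern and then groups hits by client IP. The field names, thresholds and sample records are assumptions constructed for the example; tune them to your server's actual metrics.

```python
# Added example (not from the article or any vendor): heuristic detector for the
# HTTP/2 Bomb pattern, run over constructed per-stream telemetry records.
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class H2Stream:
    session_id: str
    client_ip: str
    header_count: int        # number of decoded HPACK header entries (assumed metric)
    decoded_bytes: int       # total decoded header bytes, name + value (assumed metric)
    zero_window_secs: float  # how long the client's flow-control window has sat at 0
    bytes_received: int      # total bytes the client has sent on the session

# Thresholds (assumed, not from the page): a legitimate request rarely carries
# hundreds of headers, and a real client does not hold a zero window for long.
MAX_HEADERS = 200
MIN_AVG_HEADER_BYTES = 4
ZERO_WINDOW_SECS = 10.0
LOW_BYTES_PER_SESSION = 64_000

def is_bomb_like(s: H2Stream) -> bool:
    """True if a stream carries many nearly-empty headers AND is stalled by a
    long-lived zero window; requiring both keeps false positives down."""
    avg = s.decoded_bytes / s.header_count if s.header_count else 0.0
    many_tiny_headers = s.header_count > MAX_HEADERS and avg < MIN_AVG_HEADER_BYTES
    stalled = s.zero_window_secs >= ZERO_WINDOW_SECS
    return many_tiny_headers and stalled

def flag_clients(streams, min_sessions: int = 5) -> list:
    """Return client IPs with many suspicious persistent sessions that together
    transmitted very little data (the indicator the article describes)."""
    per_ip = defaultdict(list)
    for s in streams:
        if is_bomb_like(s):
            per_ip[s.client_ip].append(s)
    flagged = []
    for ip, hits in per_ip.items():
        avg_bytes = sum(h.bytes_received for h in hits) / len(hits)
        if len(hits) >= min_sessions and avg_bytes < LOW_BYTES_PER_SESSION:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: six stalled sessions from one client, plus one normal browser session.
SAMPLE = [H2Stream(f"s{i}", "203.0.113.7", 5000, 5000, 30.0, 2000) for i in range(6)]
SAMPLE.append(H2Stream("s99", "198.51.100.2", 20, 1500, 0.0, 8000))
```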
## References
- **Calif Disclosure:** hxxps[://]blog[.]calif[.]io/p/codex-discovered-a-hidden-http2-bomb
- **NGINX:** hxxps[://]nginx[.]org
- **Apache mod_h2:** hxxps[://]github[.]com/icing/mod_h2/releases
- **The Hacker News Article:** hxxps[://]thehackernews[.]com/2026/06/new-http2-bomb-vulnerability-allows[.]html