‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds
HTTP/2 Bomb exploit chains compression and Slowloris attacks to knock web servers offline in seconds.
Summary
Security researchers have discovered HTTP/2 Bomb, a denial-of-service exploit that chains together HPACK compression bombs with Slowloris-style memory exhaustion attacks to rapidly take down major web servers. The attack affects over 880,000 websites running default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora and can be launched from a home computer on a 100 Mbps connection. While the underlying techniques are not new (some dating back a decade), the novel combination was identified using OpenAI's Codex and demonstrates how AI can detect previously overlooked attack chains.
Full text
Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn. Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.

According to California-based cybersecurity firm Calif, the attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations. Furthermore, the company says, an attack can be launched from a home computer on a 100 Mbps connection and can render any of these servers unavailable within seconds.

The techniques chained by the exploit are not new. In fact, three of the underlying issues were disclosed a decade ago, while another was resolved last year.

The first part of the exploit uses HPACK Bomb (tracked as CVE-2016-6581), a compression-layer attack relying on small messages that turn into gigabytes of data once they reach the destination server. Last year, the attack was demonstrated against Apache HTTPD with a 4000x amplification rate, and was resolved in Apache HTTP Server version 2.4.64 as CVE-2025-53020.

The second part of the new exploit targets CVE-2016-8740 and CVE-2016-1546 (Slow Read), two Apache HTTPD flaws leading to DoS conditions via Continuation frames in an HTTP/2 request and via modified flow-control windows. These HTTP/2 Slowloris-type issues are abused for memory exhaustion by advertising a zero-byte flow-control window so that the server does not send a response, and then resetting the send timeout to prevent the server from freeing memory allocations.

“What’s new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size,” Calif notes. “Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there’s almost nothing to decode,” the company explains.

Calif also identified a bypass for servers that cap the header-field count, and released proof-of-concept (PoC) code to demonstrate the attack. The company says NGINX resolved the bug in April, while Apache rolled out fixes in late May (and issued CVE-2026-49975). Microsoft IIS, Envoy, and Cloudflare Pingora have not been patched at the time of writing.

“The other thing worth noting is how this exploit was found. Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers,” Calif notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
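As an added defender-side illustration (not code from Calif, SecurityWeek, or any of the servers named in the article), the Python model below shows the two budgets the report implies a server needs and why the usual ones are insufficient: a header budget that charges per-entry bookkeeping rather than only decoded bytes, so a request of many near-empty fields trips a limit that a decoded-size cap alone never reaches; and an absolute deadline on a response the peer refuses to accept (zero flow-control window), which the peer cannot extend by sending activity that resets an idle timer. The 32-byte figure is RFC 7541's own per-entry size accounting; the 128-byte implementation cost, the byte limits, and the 10-second deadline are assumed values chosen for the illustration, not any server's real defaults.

```python
"""Constructed defender-side model of two per-connection budgets for an HTTP/2
server.  All limits and the per-entry implementation cost are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional

RFC7541_ENTRY_OVERHEAD = 32     # RFC 7541 s4.1: entry size = len(name) + len(value) + 32
ASSUMED_IMPL_ENTRY_COST = 128   # assumed per-entry allocation (index slot, struct, ...)


@dataclass
class HeaderBudget:
    max_decoded_bytes: int = 16 * 1024     # the cap the classic HPACK bomb trips
    max_entry_cost_bytes: int = 64 * 1024  # assumed budget for per-entry bookkeeping
    decoded_bytes: int = 0
    entry_cost_bytes: int = 0
    entries: int = 0

    def charge(self, name: bytes, value: bytes) -> Optional[str]:
        """Charge one decoded header field; return the cap name if one trips."""
        self.decoded_bytes += len(name) + len(value)
        self.entries += 1
        self.entry_cost_bytes += RFC7541_ENTRY_OVERHEAD + ASSUMED_IMPL_ENTRY_COST
        if self.decoded_bytes > self.max_decoded_bytes:
            return "decoded-size"
        if self.entry_cost_bytes > self.max_entry_cost_bytes:
            return "entry-cost"
        return None


def evaluate_headers(fields: Iterable[tuple[bytes, bytes]],
                     budget: Optional[HeaderBudget] = None) -> tuple[Optional[str], int]:
    """Return (tripped cap or None, number of fields accepted before it tripped)."""
    budget = budget or HeaderBudget()
    accepted = 0
    for name, value in fields:
        reason = budget.charge(name, value)
        if reason:
            return reason, accepted
        accepted += 1
    return None, accepted


@dataclass
class StreamStall:
    """A stream whose response is ready but whose peer window stays at zero."""
    max_stall_seconds: float = 10.0
    response_ready_at: Optional[float] = None
    last_activity_at: Optional[float] = None

    def response_ready(self, now: float) -> None:
        self.response_ready_at = now
        self.last_activity_at = now

    def peer_activity(self, now: float) -> None:
        """Any peer frame, e.g. a WINDOW_UPDATE that still leaves the window at zero."""
        self.last_activity_at = now

    def idle_timer_fires(self, now: float) -> bool:
        # Resettable idle timer: each peer frame pushes the deadline out (weak policy).
        return (self.last_activity_at is not None
                and now - self.last_activity_at > self.max_stall_seconds)

    def absolute_deadline_fires(self, now: float) -> bool:
        # Deadline counted from when the response became sendable; peer cannot extend it.
        return (self.response_ready_at is not None
                and now - self.response_ready_at > self.max_stall_seconds)


def simulate_stall(ticks: int, max_stall_seconds: float = 10.0) -> tuple[bool, bool]:
    """Peer sends one frame per second for `ticks` seconds while holding the window
    at zero.  Returns (idle_timer_fired, absolute_deadline_fired)."""
    stream = StreamStall(max_stall_seconds=max_stall_seconds)
    stream.response_ready(0.0)
    idle_fired = deadline_fired = False
    for t in range(1, ticks + 1):
        stream.peer_activity(float(t))
        idle_fired |= stream.idle_timer_fires(float(t))
        deadline_fired |= stream.absolute_deadline_fires(float(t))
    return idle_fired, deadline_fired


if __name__ == "__main__":
    # Constructed inputs: a classic bomb (few large values) and a near-empty-field request.
    classic = [(b"x", b"v" * 5000)] * 4
    tiny = [(b"a", b"")] * 2000
    print("classic bomb:", evaluate_headers(classic))   # trips the decoded-size cap
    print("tiny fields :", evaluate_headers(tiny))      # trips only the entry-cost cap
    print("60 s stall  :", simulate_stall(60))          # idle timer never fires, deadline does
```

The point of the two counters in `HeaderBudget` is that they are independent: the near-empty request decodes to about 2 KB, far under the 16 KB decoded-size cap, but its per-entry cost crosses the 64 KB budget after a few hundred fields. Likewise `simulate_stall` shows that a timeout the peer can reset is not a bound on memory held for a stalled response, whereas a deadline measured from the moment the response became sendable is.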
Indicators of Compromise
- cve — CVE-2016-6581
- cve — CVE-2025-53020
- cve — CVE-2016-8740
- cve — CVE-2016-1546
- cve — CVE-2026-49975