New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

HTTP/2 Bomb is a remote DoS vulnerability affecting NGINX, Apache HTTPD, IIS, Envoy, and Cloudflare Pingora. Attackers can exhaust server memory (32 GB in seconds) by sending crafted HTTP/2 requests that exploit HPACK compression and flow-control mechanisms. Unpatched servers are at immediate risk of service disruption from a single attacker.

CRITICAL | Advisory | Jun 04, 2026
Action required
Immediately patch NGINX to v1.29.8+ and Apache HTTPD mod_http2 to v2.0.41+. For IIS, Envoy, and Cloudflare Pingora: implement rate limiting on HTTP/2 connections and monitor for sudden memory spikes. If patching is delayed, consider temporarily disabling HTTP/2 on exposed services.
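The version floors above can be checked across an inventory with a short script. This is an added example, not part of the original advisory: the function names, output labels and sample inventory lines are constructed, and the only values taken from the advisory are the two fixed versions.

```shell
#!/bin/sh
# Added example: the floors are the fixed versions named in this advisory;
# function names, labels and the sample inventory are constructed.
NGINX_FIXED="1.29.8"
MOD_HTTP2_FIXED="2.0.41"

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"      # a missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# extract_version TEXT: print the first dotted numeric version in TEXT, if any.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_host PRODUCT TEXT: print PATCHED, VULNERABLE, NO_FIX_LISTED or UNKNOWN.
check_host() {
    case "$1" in
        nginx)             floor="$NGINX_FIXED" ;;
        mod_http2)         floor="$MOD_HTTP2_FIXED" ;;
        iis|envoy|pingora) echo "NO_FIX_LISTED"; return 0 ;;  # rate-limit and monitor instead
        *)                 echo "UNKNOWN"; return 0 ;;
    esac
    ver=$(extract_version "$2")
    if [ -z "$ver" ]; then echo "UNKNOWN"
    elif version_ge "$ver" "$floor"; then echo "PATCHED"
    else echo "VULNERABLE"
    fi
}

# Constructed inventory: "product|reported version string" (not real hosts).
while IFS='|' read -r product text; do
    printf '%-10s %-30s %s\n' "$product" "$text" "$(check_host "$product" "$text")"
done <<'EOF'
nginx|nginx version: nginx/1.29.7
nginx|nginx version: nginx/1.29.10
mod_http2|2.0.41
mod_http2|2.0.9
envoy|x.y.z
EOF
```

Distribution packages can carry backported fixes under an older upstream version number, so a `VULNERABLE` result means "verify against the vendor's package changelog", not proof of exposure.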
Affected products
NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora