New ‘HTTP/2 Bomb’ DoS attack crashes web servers in under a minute

A new HTTP/2 denial-of-service method called HTTP/2 Bomb can crash major web servers from a single machine by combining HPACK compression amplification with flow-control stalling. Researchers found it can exhaust huge amounts of memory on NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora, with some fixes already available for nginx and Apache. #HTTP2Bomb #NGINX #ApacheHTTPServer #MicrosoftIIS #Envoy #CloudflarePingora #CVE-2026-49975

Key points

  • HTTP/2 Bomb can take down servers within seconds from a single client.
  • It combines HPACK amplification and HTTP/2 flow-control stalling.
  • One byte of attacker traffic can trigger thousands of bytes of server memory use.
  • Envoy, Apache httpd, nginx, and IIS were all shown to be affected.
  • nginx and Apache have fixes, while IIS, Envoy, and Pingora still lack patches.
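The "one byte of attacker traffic, thousands of bytes of server memory" point above comes from HPACK's indexed-header representation, and the defence on the decoding side is to charge every decoded field against a header-list budget before it is materialised. The following is an added example written for this summary, not code from the article or from any of the servers it names. It is a minimal RFC 7541 decoder (assumptions: no Huffman-coded strings, and only the first eight of the 61 static-table entries are populated); the sample header blocks, the 4000-byte value, and the 64 KiB budget are constructed for the demonstration.

```python
"""Minimal HPACK (RFC 7541) decoder showing how a one-byte indexed reference
expands to a kilobyte-scale header field, and the decode-side header-list
budget that keeps that expansion bounded.
Added example; not code from the article or any server it names.
Assumptions: no Huffman strings, only static entries 1..8 populated."""

STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A; dynamic entries start at index 62
STATIC_TABLE = [        # entries 1..8 of the RFC 7541 static table
    (b":authority", b""), (b":method", b"GET"), (b":method", b"POST"),
    (b":path", b"/"), (b":path", b"/index.html"), (b":scheme", b"http"),
    (b":scheme", b"https"), (b":status", b"200"),
]
ENTRY_OVERHEAD = 32     # RFC 7541 s4.1: entry size = len(name) + len(value) + 32


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the per-block budget."""


def encode_int(value, prefix_bits, first_byte_flags):
    """RFC 7541 s5.1 integer encoding (used here only to build sample blocks)."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | mask])
    value -= mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_string(s):
    """Non-Huffman string literal: 7-bit-prefix length, then raw bytes."""
    return encode_int(len(s), 7, 0x00) + s


def decode_int(data, pos, prefix_bits):
    """RFC 7541 s5.1 integer decoding. Returns (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are outside this example")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length], pos + length


class Decoder:
    def __init__(self, max_header_list_size, max_table_size=4096):
        self.max_header_list_size = max_header_list_size  # per-block budget
        self.max_table_size = max_table_size              # RFC default 4096
        self.dynamic = []                                 # newest entry first
        self.dynamic_size = 0

    def _lookup(self, index):
        if 1 <= index <= len(STATIC_TABLE):
            return STATIC_TABLE[index - 1]
        if index <= STATIC_TABLE_SIZE:
            raise NotImplementedError("static entry not in this example's subset")
        return self.dynamic[index - STATIC_TABLE_SIZE - 1]  # IndexError if absent

    def _evict(self, incoming):
        while self.dynamic and self.dynamic_size + incoming > self.max_table_size:
            n, v = self.dynamic.pop()
            self.dynamic_size -= len(n) + len(v) + ENTRY_OVERHEAD

    def _add_dynamic(self, name, value):
        size = len(name) + len(value) + ENTRY_OVERHEAD
        self._evict(size)
        if size <= self.max_table_size:  # an oversized entry only empties the table
            self.dynamic.insert(0, (name, value))
            self.dynamic_size += size

    def _literal(self, block, pos, name_index):
        if name_index == 0:
            name, pos = decode_string(block, pos)
        else:
            name = self._lookup(name_index)[0]
        value, pos = decode_string(block, pos)
        return name, value, pos

    def decode(self, block):
        """Decode one header block, charging each field against the budget as it
        is produced, so memory never grows past max_header_list_size."""
        headers, used, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                            # 1xxxxxxx indexed header field
                idx, pos = decode_int(block, pos, 7)
                name, value = self._lookup(idx)
            elif b & 0x40:                          # 01xxxxxx literal, add to table
                idx, pos = decode_int(block, pos, 6)
                name, value, pos = self._literal(block, pos, idx)
                self._add_dynamic(name, value)
            elif b & 0x20:                          # 001xxxxx table size update
                self.max_table_size, pos = decode_int(block, pos, 5)
                self._evict(0)
                continue
            else:                                   # 0000/0001 literal, not indexed
                idx, pos = decode_int(block, pos, 4)
                name, value, pos = self._literal(block, pos, idx)
            used += len(name) + len(value) + ENTRY_OVERHEAD
            if used > self.max_header_list_size:
                raise HeaderListTooLarge(f"{used} bytes exceeds budget")
            headers.append((name, value))
        return headers


# Constructed sample traffic: one literal seeds the dynamic table with a 4000-byte
# value; every later byte 0xBE (0x80 | 62) references that newest dynamic entry.
SEED_BLOCK = b"\x40" + encode_string(b"x-pad") + encode_string(b"a" * 4000)
ONE_BYTE_REFERENCE = b"\xbe"


def amplification(decoder, references):
    """Return (wire_bytes, decoded_bytes) for a block of one-byte references,
    counted with the RFC entry size; raises HeaderListTooLarge on a bounded decoder."""
    decoder.decode(SEED_BLOCK)
    block = ONE_BYTE_REFERENCE * references
    headers = decoder.decode(block)
    return len(block), sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)
```

With an effectively unlimited budget, 100 wire bytes decode to 403,700 accounted bytes (4037 per byte). A decoder constructed with a 64 KiB budget accepts the first 16 references and rejects the block at the 17th, which is the behaviour to look for when reviewing a server's HPACK path: the check must run per field as it is decoded, not after the whole list has been allocated.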

Read More: https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/