A new denial-of-service vulnerability, the 'HTTP/2 Bomb,' can rapidly deplete server memory. This attack affects default HTTP/2 configurations on several major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Researchers at the cybersecurity firm Calif discovered the attack while guiding OpenAI's Codex software agent. The HTTP/2 Bomb combines HPACK compression amplification with Slowloris-style resource retention through HTTP/2 flow-control stalling. A single client on a 100 Mbps connection can consume tens of gigabytes of server RAM within seconds.

"A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds," according to researchers at Calif. The attack causes one byte sent by an attacker to trigger thousands of bytes of server-side memory allocation, with expansion ratios reaching 5,700:1 for Envoy and 4,000:1 for Apache httpd.

Attackers prevent memory release by advertising a zero-byte flow-control window, which compels servers to send periodic WINDOW_UPDATE frames to avoid timeouts instead of completing requests. This method bypasses defenses that limit total decoded header size: the header values themselves are small, and the amplification comes from the server's internal per-header bookkeeping allocations. Testing showed Envoy 1.37.2 exhausted 32 GB of RAM in about 10 seconds, while Apache httpd 2.4.67 exhausted 32 GB in roughly 18 seconds. Nginx 1.29.7 consumed 32 GB in approximately 45 seconds, and IIS on Windows Server 2025 consumed 64 GB in roughly 45 seconds.

"What's new here is where the amplification comes from. The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size. Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it," Calif states. The attack potentially impacts over 880,000 websites that support HTTP/2 and run default configurations. The technique was previously tracked as CVE-2016-6581, with related issues resolved in Apache HTTP Server 2.4.64 under CVE-2025-53020.

The exploit leverages previously disclosed vulnerabilities CVE-2016-8740 and CVE-2016-1546. "The other thing worth noting is how this exploit was found. Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack," according to Calif. Technical information about the HTTP/2 Bomb attack will be presented by researcher Quang Luong at the Real World AI Security conference.

Nginx version 1.29.8 addressed the vulnerability by adding a max_headers directive. Apache httpd mod_http2 version 2.0.41 also addressed the vulnerability, which received the identifier CVE-2026-49975. Security patches are not yet available for Microsoft IIS, Envoy, or Cloudflare Pingora. For unpatched servers, recommendations include disabling HTTP/2 or deploying network proxies and firewalls that enforce strict header-count limits.