TechOptima Ignite
TechOptima Solutions (636) 777-7702

HTTP/2 Bomb

June 9, 2026

Irresponsibly disclosed DoS that exhausts memory on major HTTP/2 servers.

An independent researcher (using OpenAI’s Codex) discovered and publicly released “HTTP/2 Bomb,” a remote denial-of-service attack that works against the default configurations of nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare’s Pingora. The attack chains an HPACK header-compression bomb with a zero-byte flow-control window (Slowloris-style hold).

A single client can force a server to allocate and permanently lock tens of gigabytes of RAM—one byte on the wire expands into a full header allocation, repeated thousands of times. Memory remains locked even after the attack stops, enabling low-and-slow campaigns. A home computer on a 100 Mbps link can render a vulnerable server inaccessible in seconds; a botnet of only 10–100 bots can take down large services.

Shodan shows more than 880,000 public HTTP/2 sites running affected software (many behind CDNs). The researcher filed an advisory on May 27 and published full details on June 2, drawing criticism for skipping coordinated multi-vendor disclosure through VINCE. Envoy fixed the issue quickly, but the short embargo and public PoC were widely viewed as irresponsible.

Tags: SECURITY | DOS

Source: sn-1082-notes.pdf

← Back to Blog