Security experts have identified a new exploit, known as the HTTP/2 Bomb, capable of swiftly disabling major web servers. This threat, revealed by Calif security researchers, combines known denial-of-service (DoS) techniques to impact thousands of websites.
Understanding the HTTP/2 Bomb Exploit
Discovered with the help of OpenAI’s Codex, the HTTP/2 Bomb utilizes a compression bomb targeting HTTP/2’s header compression scheme (HPACK) alongside a Slowloris-style attack. These techniques work together to prevent servers from releasing memory, causing them to crash.
The Calif-based cybersecurity firm warns that this exploit could affect over 880,000 websites using HTTP/2 with default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora. Even a home computer with a 100 Mbps connection can launch an attack, rendering target servers unresponsive in seconds.
Technical Details of the Exploit
The HTTP/2 Bomb combines several previously known vulnerabilities. The first, CVE-2016-6581, is an HPACK bomb: small compressed header blocks that expand significantly in size when the server decodes them. Notably, last year an attack demonstrated against Apache HTTPD achieved a 4000x amplification rate. Apache resolved this in version 2.4.64 as CVE-2025-53020.
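The amplification described above comes from HPACK's dynamic table: one literal header is inserted once, then referenced by one-byte indexed fields, each of which the decoder expands to the full entry. The toy decoder below (an added, constructed example, not code from the article or from any of the named servers) models only that path and shows the defender-side check that matters: charging each decoded field against the advertised header-list limit while decoding, rather than measuring the list after it has been materialised. The sample block is constructed inline (1108 wire bytes that decode to 1001 fields, 137,137 bytes in RFC 7541 accounting); static-table lookups, Huffman strings and multi-byte integers are deliberately not modelled.

```python
from dataclasses import dataclass, field

STATIC_TABLE_SIZE = 61  # RFC 7541 static table; dynamic entries start at index 62
ENTRY_OVERHEAD = 32     # RFC 7541 section 4.1: per-entry size overhead

class HeaderListTooLarge(Exception):
    """Raised as soon as the decoded header list would exceed the advertised limit."""

@dataclass
class ToyHpackDecoder:
    max_header_list_size: int  # the SETTINGS_MAX_HEADER_LIST_SIZE value being enforced
    dynamic_table: list = field(default_factory=list)

    def _string(self, block: bytes, i: int) -> tuple[str, int]:
        # String literal: one length byte (Huffman bit must be clear here), then raw bytes.
        if block[i] & 0x80:
            raise ValueError("Huffman-coded strings are not modelled")
        n = block[i] & 0x7F
        return block[i + 1:i + 1 + n].decode(), i + 1 + n

    def decode(self, block: bytes) -> list[tuple[str, str]]:
        headers, total, i = [], 0, 0
        while i < len(block):
            b = block[i]
            if b & 0x80:  # indexed header field: a single byte on the wire
                idx = b & 0x7F
                if idx <= STATIC_TABLE_SIZE or idx - 62 >= len(self.dynamic_table):
                    raise ValueError("index outside the modelled dynamic table")
                name, value = self.dynamic_table[idx - 62]
                i += 1
            elif b == 0x40:  # literal with incremental indexing, new name
                name, i = self._string(block, i + 1)
                value, i = self._string(block, i)
                self.dynamic_table.insert(0, (name, value))
            else:
                raise ValueError("representation not modelled")
            # Charge each field before keeping it, so memory never exceeds limit + one entry.
            total += len(name) + len(value) + ENTRY_OVERHEAD
            if total > self.max_header_list_size:
                raise HeaderListTooLarge(f"decoded {total} bytes, limit {self.max_header_list_size}")
            headers.append((name, value))
        return headers

def build_sample_block(repeats: int = 1000) -> bytes:
    # Constructed input: one 100-byte literal is inserted into the dynamic table,
    # then referenced `repeats` times by a single byte (index 62 = newest entry).
    name, value = b"x-pad", b"A" * 100
    literal = b"\x40" + bytes([len(name)]) + name + bytes([len(value)]) + value
    return literal + bytes([0x80 | 62]) * repeats
```

With a 1 MiB limit the block decodes fully; with an 8192-byte limit the decoder rejects it on the 60th field, long before the full list is built.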
The second part exploits CVE-2016-8740 and CVE-2016-1546, targeting Apache HTTPD flaws to create DoS conditions via HTTP/2 request CONTINUATION frames and altered flow-control windows. These tactics exhaust memory by keeping server responses minimal and manipulating timeouts, so that allocated state is held for as long as possible.
Current Responses and Future Implications
Calif notes that the novel aspect of this exploit is its amplification strategy. Unlike traditional methods, their variant utilizes minimal headers, increasing server load through bookkeeping processes. NGINX has patched this vulnerability as of April, while Apache issued fixes in May (CVE-2026-49975). However, Microsoft IIS, Envoy, and Cloudflare Pingora are still vulnerable.
The discovery process highlights the power of AI in cybersecurity. OpenAI’s Codex identified and combined the separate, decade-old vulnerabilities, resulting in this new threat. This underscores the need for continuous vigilance and innovation in cybersecurity measures.
