
An AI-discovered HTTP/2 flaw lets a single attacker exhaust 32GB of memory on NGINX, Apache, IIS, Envoy and Cloudflare servers using near-empty requests.
A single attacker on an ordinary home broadband connection can exhaust 32 gigabytes of memory on a production web server in under 20 seconds — using requests that are almost entirely empty. That is the power of the "HTTP/2 Bomb," a remote denial-of-service technique disclosed on 3 June 2026 that affects nearly every major web server on the internet: nginx, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare's Pingora. What makes it a landmark is not only its lopsided economics, but its origin — it was discovered by OpenAI's Codex, which stitched two attack techniques the security community has known for a decade into something genuinely new.
What the HTTP/2 Bomb is
The Bomb is a memory-exhaustion denial-of-service attack. Rather than flooding a target with bandwidth, it tricks the server into allocating — and then refusing to release — enormous amounts of memory in response to traffic that is tiny on the wire. It chains two well-understood techniques: an HPACK header-compression bomb to inflate the server's memory use, and a Slowloris-style hold to keep that memory pinned.
How it works
1. The HPACK compression bomb
HTTP/2 compresses headers with a scheme called HPACK, which maintains a "dynamic table" of recently seen headers so they can be referenced by a short index instead of being re-sent in full. The Bomb seeds that table with a single entry, then fires thousands of one-byte indexed references to it. Each reference costs the attacker just one byte on the wire — but forces the server to allocate roughly 70 to 4,000 bytes of internal bookkeeping. The headers themselves are nearly empty; the amplification comes entirely from the per-entry structures the server builds around them, which sidesteps the decoded-size limits servers use to stop classic compression bombs. Where a server caps the number of header fields, the attack splits a single cookie into many individual fields — something RFC 9113 explicitly permits — to slip past count-based defences.
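The following Python model, added here and not code from the write-up or from any of the servers named, shows why the decoded-size cap that servers already use is blind to this pattern while a field-count cap (the article reports 1,000 as nginx 1.29.8's new `max_headers` default) catches it. The decoded-size limit value, the per-entry overhead figures (taken from the article's 70 to 4,000 byte range) and the split-cookie input are assumptions or constructed inputs, labelled as such in the code.

```python
"""Header-list budget check: decoded-size cap versus field-count cap.

Models server-side accounting only; it takes a decoded header list as input,
not wire bytes. Limit values and overhead figures are assumptions.
"""
from dataclasses import dataclass

HPACK_ENTRY_OVERHEAD = 32         # RFC 7541 size accounting: name + value + 32 per field
WIRE_BYTES_PER_INDEXED_FIELD = 1  # an indexed HPACK reference costs one byte on the wire


@dataclass
class Limits:
    max_header_list_size: int = 65536  # decoded-size cap (assumed value)
    max_headers: int = 1000            # field-count cap (article: nginx 1.29.8 default)


def hpack_list_size(headers):
    """Decoded size as HPACK accounts for it; this is what size-based caps measure."""
    return sum(len(name) + len(value) + HPACK_ENTRY_OVERHEAD for name, value in headers)


def estimate_server_cost(headers, per_entry_overhead):
    """Bytes of per-field bookkeeping the server itself allocates (article: ~70 to 4,000)."""
    return len(headers) * per_entry_overhead


def amplification(headers, per_entry_overhead):
    """Server bytes allocated per byte received, assuming one-byte indexed references."""
    wire = len(headers) * WIRE_BYTES_PER_INDEXED_FIELD
    return estimate_server_cost(headers, per_entry_overhead) / wire


def check_header_list(headers, limits):
    """Return (accepted, reason). Size is checked first, as an existing server would."""
    if hpack_list_size(headers) > limits.max_header_list_size:
        return (False, "decoded-size limit")
    if len(headers) > limits.max_headers:
        return (False, "field-count limit")
    return (True, "accepted")


def split_cookie(n):
    """Constructed input: one cookie split into n single-character fields."""
    return [("cookie", "a")] * n


if __name__ == "__main__":
    request = split_cookie(1600)
    size_only = Limits(max_headers=10**9)   # behaviour before a field-count cap existed
    print(hpack_list_size(request))                       # 62400, under the 64 KiB size cap
    print(check_header_list(request, size_only))          # (True, 'accepted')
    print(check_header_list(request, Limits()))           # (False, 'field-count limit')
    print(estimate_server_cost(request, 4000))            # 6400000 bytes for 1600 wire bytes
    print(amplification(request, 70), amplification(request, 4000))  # 70.0 4000.0
```

The point the model makes: 1,600 one-character cookie fields account for only 62,400 bytes under HPACK's own size rule, so a 64 KiB decoded-size cap accepts them, while the server's per-field structures cost up to 6.4 MB for about 1,600 bytes on the wire. Counting fields is the check that actually bounds that cost.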
2. The Slowloris-style hold
Amplification alone is not enough, because a server would normally finish the request and reclaim the memory. So the second half borrows from the 2009 "Slowloris" attack: the client advertises a zero-byte flow-control window, telling the server it cannot receive the response yet, so the server holds everything in memory. To stop the connection timing out, the attacker dribbles a single one-byte WINDOW_UPDATE frame periodically, resetting the timer and pinning every allocation in place for as long as the server's timeout allows.
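The hold works because a naive idle timer treats any incoming frame as activity. The Python replay below, added here and not taken from the write-up or from any server, contrasts that timer with one that only counts a WINDOW_UPDATE as progress when it actually lets a meaningful amount of held data drain. The thresholds, the event format and both frame sequences are assumptions or constructed inputs.

```python
"""Stall detection for a flow-control hold: idle timer versus progress timer.

Added example. Thresholds and event format are assumptions; the update
sequences at the bottom are constructed, not captured traffic.
"""
from dataclasses import dataclass

MIN_PROGRESS_BYTES = 1024   # assumed: smallest drain that counts as real progress
STALL_TIMEOUT = 30.0        # assumed: seconds without progress before the hold is cut


@dataclass
class Stream:
    pending: int                 # response bytes the server is holding for this peer
    window: int = 0              # peer's advertised receive window (starts at zero)
    last_activity: float = 0.0   # time of the last frame of any kind (naive idle timer)
    last_progress: float = 0.0   # time a meaningful amount was last actually sent
    sent: int = 0


def on_window_update(stream, now, increment):
    """Apply a WINDOW_UPDATE increment and send whatever the window now allows."""
    stream.last_activity = now
    stream.window += increment
    sendable = min(stream.window, stream.pending)
    if sendable > 0:
        stream.pending -= sendable
        stream.window -= sendable
        stream.sent += sendable
    if sendable >= MIN_PROGRESS_BYTES:
        stream.last_progress = now   # a one-byte dribble never reaches this line


def stalled_naive(stream, now):
    """Idle timer reset by any frame: a periodic tiny update keeps it alive forever."""
    return stream.pending > 0 and now - stream.last_activity > STALL_TIMEOUT


def stalled_progress(stream, now):
    """Progress timer: held data that is not draining trips the timeout."""
    return stream.pending > 0 and now - stream.last_progress > STALL_TIMEOUT


def replay(updates, response_bytes, detector):
    """Feed (time, increment) updates; return (time detector fired or None, bytes still pinned)."""
    stream = Stream(pending=response_bytes)
    for t, increment in updates:
        if detector(stream, t):
            return (t, stream.pending)
        on_window_update(stream, t, increment)
    return (None, stream.pending)


# constructed: a held stream receiving a 1-byte increment every 10 s for two minutes
HOLD = [(10.0 * i, 1) for i in range(1, 13)]
# constructed: a genuinely slow peer opening its window by 65,535 bytes every 10 s
SLOW_PEER = [(10.0 * i, 65535) for i in range(1, 13)]

if __name__ == "__main__":
    print(replay(HOLD, 500_000, stalled_naive))        # (None, 499988): never cut
    print(replay(HOLD, 500_000, stalled_progress))     # (40.0, 499997): cut at 40 s
    print(replay(SLOW_PEER, 500_000, stalled_progress))  # (None, 0): fully drained
```

With the idle timer, the 500 KB response stays pinned for the whole two minutes because each dribbled update lands inside the 30 s window. With the progress timer, the same stream is cut at 40 s with the memory released, while the slow but honest peer drains everything and is never touched. The same accounting extends to a per-connection memory budget: sum `pending` across streams and apply the progress rule to the connection as a whole.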
The numbers are brutal
Calif.io's proof-of-concept measured how much memory one client could pin against each server, and the amplification ratios are severe:
- Envoy 1.37.2 — about a 5,700:1 amplification ratio; ~32 GB consumed in roughly 10 seconds.
- Apache httpd 2.4.67 — about 4,000:1; ~32 GB in roughly 18 seconds.
- Microsoft IIS — about 68:1; ~64 GB in roughly 45 seconds.
- nginx 1.29.7 — about 70:1; ~32 GB in roughly 45 seconds.
Researchers estimate that more than 880,000 public web portals currently run a vulnerable HTTP/2 configuration.
Who is affected, and what is fixed
- nginx — patched in version 1.29.8, which adds a new max_headers directive capping headers at 1,000 by default.
- Apache HTTP Server — fixed in mod_http2 v2.0.41. The Apache variant was assigned CVE-2026-49975, disclosed on 27 May 2026 and patched the same day by maintainer Stefan Eissing.
- Microsoft IIS, Envoy and Cloudflare Pingora — no patch existed at the time of disclosure. The published guidance is to disable HTTP/2 or place strict header and connection limits in front of affected services until fixes land.
A pattern: HTTP/2's decade of denial-of-service
The Bomb is the latest entry in a now-familiar series. HTTP/2's performance features — multiplexing, header compression, flow control — keep turning into attack surface:
- Rapid Reset (CVE-2023-44487, 2023) abused stream cancellation to drive record-breaking floods of up to roughly 400 million requests per second.
- CONTINUATION Flood (2024) exploited never-ending CONTINUATION header frames, often needing only a single connection.
- MadeYouReset (CVE-2025-8671, 2025), from Tel Aviv University, tricked servers into resetting their own streams to exhaust resources.
Each abuses a different corner of the same specification. The Bomb continues the theme — but turns the dial away from noisy bandwidth floods toward quiet, low-bandwidth memory exhaustion that a single machine can sustain.
The twist: an AI found it
The most striking part of this case is the discoverer. The Bomb was found not by a human researcher but by OpenAI's Codex, which recognised that two publicly documented techniques — the HPACK compression bomb and the Slowloris hold, each roughly a decade old — could be composed into a single, far more powerful attack. Neither component was secret; the novelty was the combination. It is one of the clearest public examples yet of an AI system surfacing a real, exploitable flaw in widely deployed infrastructure by reasoning across known building blocks — a preview of how both offensive and defensive security research are likely to change.
Where to learn more
The vulnerability was disclosed publicly on the oss-security mailing list on 3 June 2026, with a full technical write-up and proof-of-concept published by the research firm Calif.io. Apache operators should track CVE-2026-49975 and their vendor's mod_http2 advisory; nginx operators should consult the 1.29.8 changelog and the new max_headers directive. Primary sources are linked below.
Frequently Asked Questions
What is the HTTP/2 Bomb?
A remote denial-of-service technique that abuses HTTP/2's HPACK header compression and flow control to make a server allocate and hold huge amounts of memory in response to tiny, nearly empty requests — letting one attacker exhaust tens of gigabytes in seconds.
Which web servers are affected?
nginx, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare Pingora. nginx (1.29.8) and Apache (mod_http2 2.0.41) shipped fixes; IIS, Envoy and Pingora had no patch at disclosure.
Why does it matter that Codex found it?
It is a prominent example of an AI system discovering a genuine vulnerability in core internet infrastructure by combining long-known techniques, signalling a shift in how vulnerabilities may be found in future.
Sources
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare [The Hacker News]
- Codex Discovered a Hidden HTTP/2 Bomb [Calif.io]
- HTTP/2 Bomb affects Apache httpd, nginx, envoy & pingora [oss-security]
- HTTP/2 Rapid Reset: deconstructing the record-breaking attack [Cloudflare]