HTTP/2 Bomb: How an AI-Discovered Flaw Crashes NGINX, Apache and IIS

An AI-discovered HTTP/2 flaw lets a single attacker exhaust 32GB of memory on NGINX, Apache, IIS, Envoy and Cloudflare servers using near-empty requests.
A single attacker on an ordinary home broadband connection can exhaust 32 gigabytes of memory on a production web server in under 20 seconds, using requests that are almost entirely empty. That is the power of the "HTTP/2 Bomb," a remote denial-of-service technique disclosed on 3 June 2026 that affects nearly every major web server on the internet: nginx, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare's Pingora. What makes it a landmark is not only its lopsided economics, but its origin, it was discovered by OpenAI's Codex, which stitched two attack techniques the security community has known for a decade into something genuinely new.
What the HTTP/2 Bomb is
The Bomb is a memory-exhaustion denial-of-service attack. Rather than flooding a target with bandwidth, it tricks the server into allocating, and then refusing to release, enormous amounts of memory in response to traffic that is tiny on the wire. It chains two well-understood techniques: an HPACK header-compression bomb to inflate the server's memory use, and a Slowloris-style hold to keep that memory pinned.
How it works
1. The HPACK compression bomb
HTTP/2 compresses headers with a scheme called HPACK, which maintains a "dynamic table" of recently seen headers so they can be referenced by a short index instead of being re-sent in full. The Bomb seeds that table with a single entry, then fires thousands of one-byte indexed references to it. Each reference costs the attacker just one byte on the wire, but forces the server to allocate roughly 70 to 4,000 bytes of internal bookkeeping. The headers themselves are nearly empty; the amplification comes entirely from the per-entry structures the server builds around them, which sidesteps the decoded-size limits servers use to stop classic compression bombs. Where a server caps the number of header fields, the attack splits a single cookie into many individual fields, something RFC 9113 explicitly permits, to slip past count-based defences.
2. The Slowloris-style hold
Amplification alone is not enough, because a server would normally finish the request and reclaim the memory. So the second half borrows from the 2009 "Slowloris" attack: the client advertises a zero-byte flow-control window, telling the server it cannot receive the response yet, so the server holds everything in memory. To stop the connection timing out, the attacker dribbles a single one-byte WINDOW_UPDATE frame periodically, resetting the timer and pinning every allocation in place for as long as the server's timeout allows.
The numbers are brutal
Calif.io's proof-of-concept measured how much memory one client could pin against each server, and the amplification ratios are severe:
- Envoy 1.37.2, about a 5,700:1 amplification ratio; ~32 GB consumed in roughly 10 seconds.
- Apache httpd 2.4.67, about 4,000:1; ~32 GB in roughly 18 seconds.
- Microsoft IIS, about 68:1; ~64 GB in roughly 45 seconds.
- nginx 1.29.7, about 70:1; ~32 GB in roughly 45 seconds.
Researchers estimate that more than 880,000 public web portals currently run a vulnerable HTTP/2 configuration.
Who is affected, and what is fixed
- nginx, patched in version 1.29.8, which adds a new max_headers directive capping headers at 1,000 by default.
- Apache HTTP Server, fixed in mod_http2 v2.0.41. The Apache variant was assigned CVE-2026-49975, disclosed on 27 May 2026 and patched the same day by maintainer Stefan Eissing.
- Microsoft IIS, Envoy and Cloudflare Pingora, no patch existed at the time of disclosure. The published guidance is to disable HTTP/2 or place strict header and connection limits in front of affected services until fixes land.
A pattern: HTTP/2's decade of denial-of-service
The Bomb is the latest entry in a now-familiar series. HTTP/2's performance features, multiplexing, header compression, flow control, keep turning into attack surface:
- Rapid Reset (CVE-2023-44487, 2023) abused stream cancellation to drive record-breaking floods of up to roughly 400 million requests per second.
- CONTINUATION Flood (2024) exploited never-ending CONTINUATION header frames, often needing only a single connection.
- MadeYouReset (CVE-2025-8671, 2025), from Tel Aviv University, tricked servers into resetting their own streams to exhaust resources.
Each abuses a different corner of the same specification. The Bomb continues the theme, but turns the dial away from noisy bandwidth floods toward quiet, low-bandwidth memory exhaustion that a single machine can sustain.
The twist: an AI found it
The most striking part of this case is the discoverer. The Bomb was found not by a human researcher but by OpenAI's Codex, which recognised that two publicly documented techniques, the HPACK compression bomb and the Slowloris hold, each roughly a decade old, could be composed into a single, far more powerful attack. Neither component was secret; the novelty was the combination. It is one of the clearest public examples yet of an AI system surfacing a real, exploitable flaw in widely deployed infrastructure by reasoning across known building blocks, a preview of how both offensive and defensive security research are likely to change.
Where to learn more
The vulnerability was disclosed publicly on the oss-security mailing list on 3 June 2026, with a full technical write-up and proof-of-concept published by the research firm Calif.io. Apache operators should track CVE-2026-49975 and their vendor's mod_http2 advisory; nginx operators should consult the 1.29.8 changelog and the new max_headers directive. Primary sources are linked below.
Frequently Asked Questions
What is the HTTP/2 Bomb?
A remote denial-of-service technique that abuses HTTP/2's HPACK header compression and flow control to make a server allocate and hold huge amounts of memory in response to tiny, nearly empty requests, letting one attacker exhaust tens of gigabytes in seconds.
Which web servers are affected?
nginx, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare Pingora. nginx (1.29.8) and Apache (mod_http2 2.0.41) shipped fixes; IIS, Envoy and Pingora had no patch at disclosure.
Why does it matter that Codex found it?
It is a prominent example of an AI system discovering a genuine vulnerability in core internet infrastructure by combining long-known techniques, signalling a shift in how vulnerabilities may be found in future.