They call it the HTTP/2 Bomb, and it does what the name suggests: it drains a web server’s memory within seconds. The flaw, tracked as CVE-2026-49975, affects the default HTTP/2 setup of the most widely deployed servers on the internet: Apache httpd, nginx, Microsoft IIS, Envoy and Cloudflare Pingora.
How it works
The attack stitches together two techniques that had each been public for a decade. The first is a compression bomb over HPACK, HTTP/2’s header compression scheme. A single byte sent by the attacker turns into a full header allocation on the server, repeated thousands of times inside one request. Amplification ratios reach 5,700:1 on Envoy and 4,000:1 on Apache httpd.
The second part is a Slowloris-style trick against HTTP/2 flow control. The client advertises a zero-byte flow-control window, so the server never gets to free the memory it has already reserved. Memory goes in and never comes out.
Put together, the numbers are ugly. In the researchers’ tests a single client exhausted 32 GB of RAM in about 10 seconds against Envoy 1.37.2, about 18 seconds against Apache httpd 2.4.67, and about 45 seconds against nginx 1.29.7. On IIS running Windows Server 2025 it consumed 64 GB in roughly 45 seconds. A home machine on a 100 Mbps line is enough to make a vulnerable server unreachable.
Who is affected
Any server with HTTP/2 enabled and left unpatched. A Shodan sweep found more than 880,000 sites serving HTTP/2 with one of these servers. Many sit behind a CDN, which makes the attack much harder, but any origin server exposed directly is a target.
The severity is high. There’s no data theft or code execution here, but it is a full service outage caused by a single unauthenticated attacker, with no user interaction and trivial network cost.
Who found it
The discovery comes from offensive security firm Calif. The interesting part is that both halves of the attack were already known; the new bit was realizing they compose. According to the researchers, the OpenAI Codex model spotted the combination while reading the server codebases and noticing that the two problems fit together, something no one had paired against these servers in ten years.
Mitigation and patches
If you run web servers, check your version and update:
- nginx: fixed in 1.29.8, which adds the max_headers directive with a default cap of 1000 headers per request.
- Apache httpd: the patch ships in mod_http2 2.0.41, available in the standalone module releases and in httpd trunk.
At disclosure time, IIS, Envoy and Pingora had no patch available. For those, cap headers and per-connection memory at the load balancer or WAF in front, or serve behind a CDN that already filters the pattern. A public PoC is on GitHub, so the window to patch is closing fast.
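A defender-side check for the two-part pattern described under "How it works" and for the header cap recommended above, as an added example that is not from the article or any vendor's code: it walks raw HTTP/2 frames, counts HPACK header fields without expanding them, and flags a connection that pairs a zero initial window with more header fields than the cap. The sample frames are constructed, the 1000-field cap is the nginx default quoted above, and treating SETTINGS_INITIAL_WINDOW_SIZE = 0 as the "zero-byte window" is an assumption about how the described trick appears on the wire, not something the article spells out.

```python
import struct
FRAME_HEADERS, FRAME_SETTINGS, FRAME_CONTINUATION = 0x1, 0x4, 0x9
SETTINGS_INITIAL_WINDOW_SIZE, HEADER_CAP = 0x4, 1000  # 1000 = nginx 1.29.8's default per-request cap

def hpack_int(data, pos, prefix_bits):  # HPACK integer, RFC 7541 section 5.1
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    shift, more = 0, value == mask
    while more:                          # continuation bytes: 7 value bits plus a "more" flag
        b, pos = data[pos], pos + 1
        value, shift, more = value + ((b & 0x7F) << shift), shift + 7, bool(b & 0x80)
    return value, pos

def count_hpack_fields(block):  # count header fields without expanding them to strings
    pos, fields = 0, 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                     # indexed field: one byte stands for a whole header
            _, pos = hpack_int(block, pos, 7)
        elif (b & 0xE0) == 0x20:         # dynamic table size update, not a field
            _, pos = hpack_int(block, pos, 5)
        else:                            # literal field: name (index or string), then value string
            name_idx, pos = hpack_int(block, pos, 6 if b & 0x40 else 4)
            for _ in range(1 if name_idx else 2):
                n, pos = hpack_int(block, pos, 7)
                pos += n
        fields += (b & 0xE0) != 0x20
    return fields

def analyze(stream):  # walk raw HTTP/2 frames (preface already stripped), return indicators
    pos, encoded, fields, zero_window = 0, 0, 0, False
    while pos + 9 <= len(stream):
        length, ftype, flags = int.from_bytes(stream[pos:pos + 3], "big"), stream[pos + 3], stream[pos + 4]
        payload, pos = stream[pos + 9:pos + 9 + length], pos + 9 + length
        if ftype == FRAME_SETTINGS:
            for ident, value in struct.iter_unpack("!HI", payload):
                zero_window |= ident == SETTINGS_INITIAL_WINDOW_SIZE and value == 0
        elif ftype in (FRAME_HEADERS, FRAME_CONTINUATION):
            if ftype == FRAME_HEADERS:   # strip PADDED (0x8) and PRIORITY (0x20) prefixes, if set
                pad = payload[0] if flags & 0x8 else 0
                payload = payload[bool(flags & 0x8) + 5 * bool(flags & 0x20):len(payload) - pad]
            encoded, fields = encoded + len(payload), fields + count_hpack_fields(payload)
    return {"header_fields": fields, "encoded_bytes": encoded, "zero_window": zero_window,
            "suspicious": fields > HEADER_CAP and zero_window}

def frame(ftype, flags, stream_id, payload):  # 9-byte frame header followed by the payload
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

# Constructed sample: a zero initial window, then 1200 copies of 0x82 (static index 2, ":method: GET")
BOMB_SAMPLE = (frame(FRAME_SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))
               + frame(FRAME_HEADERS, 0x4, 1, b"\x82" * 1200))
```

Fed per connection from a packet capture or a WAF tap, the same counters give the header count and window state to alert on before the origin's memory is gone.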