HTTP/2 Bomb: Just a home network can bring down servers in seconds
- Camy Le

- 3 days ago
- 2 min read
A researcher at the cybersecurity firm Calif has disclosed a severe denial-of-service threat named HTTP/2 Bomb, which affects the default configurations of the world's most widely used web servers and proxies: NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
Alarmingly, no botnet is required. A single attacker on an ordinary home connection (about 100 Mbps) can force a server to consume tens of gigabytes of memory in a few seconds.

"Malicious" Mechanism: When Empty Headers Turn into Weapons
Normally HTTP/2 compresses headers (the metadata attached to each request) with the HPACK algorithm to save bandwidth. Both sides keep a static table of common headers and a dynamic table of recently seen ones; once a header is in a table, the sender only has to transmit its index, which for small index values fits in a single byte.
Earlier compression attacks crammed large amounts of data into headers, so modern servers enforce limits on total header size. HTTP/2 Bomb sidesteps that barrier by going in the opposite direction: it sends headers that are nearly empty on the wire.
The attacker sends thousands of one-byte indexed references in a single request. Almost no bandwidth is consumed, but for every header field the server pays a hidden memory-management overhead that size limits do not count: roughly 70 bytes per field on NGINX, IIS, and Pingora, and around 4,000 bytes per field on Apache and Envoy.
Having set off the "memory bomb", the attacker then uses HTTP/2 flow control to advertise a zero-byte receive window, so the server cannot finish sending the response and cannot release the request. By periodically sending WINDOW_UPDATE frames that enlarge the window by a single byte, the attacker keeps the connection alive past any idle timeout and can pin that memory down indefinitely. A single client can hold up to 32 GB of memory on Apache or Envoy within 20 seconds, turning a temporary overload into lasting paralysis.
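To make the accounting gap concrete, here is an added example (not code from the article, from Calif, or from any of the servers named above): a toy decoder for HPACK's one-byte indexed header representation. The per-field overhead figures (70 and 4,000 bytes) and the 1,000-field cap are taken from this article and treated as assumptions, not measurements. The block compares what a size-only limit sees against what a decoder that charges per field would see, and shows how a header-count cap rejects the same block early.

```python
"""Toy HPACK decoder for the indexed representation only (RFC 7541 s6.1).

Added example; not code from the article, from Calif, or from NGINX, Apache,
IIS, Envoy or Pingora. Overhead numbers and the cap value are assumptions
lifted from the article's rough figures.
"""
from typing import List, Optional, Tuple

# Subset of the RFC 7541 Appendix A static table (these are the real indices).
STATIC_TABLE = {
    2: (":method", "GET"),
    4: (":path", "/"),
    7: (":scheme", "https"),
}

# Assumed per-header bookkeeping cost in bytes, from the article's figures.
PER_HEADER_OVERHEAD = {"nginx": 70, "apache": 4000}


class HeaderLimitExceeded(Exception):
    """Raised when a decoder with a header-count cap refuses a block."""


def encode_indexed(index: int, repeat: int) -> bytes:
    """Indexed Header Field Representation: first bit set, then a 7-bit
    prefix integer. For index < 127 that is exactly one byte on the wire."""
    if not 1 <= index < 127:
        raise ValueError("toy encoder only handles one-byte indices")
    return bytes([0x80 | index]) * repeat


def decode_indexed(block: bytes,
                   max_headers: Optional[int] = None) -> List[Tuple[str, str]]:
    """Decode a block made only of one-byte indexed representations.

    max_headers=None models a server that limits decoded byte size alone;
    an integer models a per-request header-count cap such as the 1,000
    default the article attributes to NGINX's new max_headers directive.
    """
    headers: List[Tuple[str, str]] = []
    for b in block:
        if not b & 0x80:
            raise ValueError("toy decoder supports indexed representations only")
        index = b & 0x7F
        if index not in STATIC_TABLE:
            raise ValueError(f"index {index} not in toy static table")
        if max_headers is not None and len(headers) >= max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} header fields")
        headers.append(STATIC_TABLE[index])
    return headers


def decoded_bytes(headers: List[Tuple[str, str]]) -> int:
    """What a size-only limit measures: name plus value octets."""
    return sum(len(n) + len(v) for n, v in headers)


def resident_bytes(headers: List[Tuple[str, str]], server: str) -> int:
    """Closer to what is actually allocated: decoded octets plus the
    assumed per-field bookkeeping cost for the given server model."""
    return decoded_bytes(headers) + len(headers) * PER_HEADER_OVERHEAD[server]


def demo(count: int = 10_000) -> dict:
    """Build `count` copies of ':method: GET' (one byte each) and account
    for them three ways."""
    block = encode_indexed(2, count)    # constructed input, not a capture
    headers = decode_indexed(block)     # uncapped decoder accepts everything
    return {
        "wire_bytes": len(block),
        "decoded_bytes": decoded_bytes(headers),
        "resident_nginx": resident_bytes(headers, "nginx"),
        "resident_apache": resident_bytes(headers, "apache"),
    }


if __name__ == "__main__":
    print(demo())
    try:
        decode_indexed(encode_indexed(2, 10_000), max_headers=1000)
    except HeaderLimitExceeded as e:
        print("capped decoder:", e)
```

With 10,000 one-byte references the block is 10 KB on the wire and 100 KB once decoded, which a size-only limit would wave through, yet under the Apache-style overhead model it stands for roughly 40 MB of resident memory per request. A count cap stops decoding at field 1,001 regardless of how small each field is.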
According to Shodan data, more than 880,000 public websites currently support HTTP/2 and are therefore exposed to this attack.
Specification Flaws and Emergency Solutions
The research team concluded that the root cause lies in the HPACK standard itself, RFC 7541. The specification accounts for memory risk only in terms of decompressed header size and says nothing about the per-field bookkeeping overhead an implementation incurs for every small header entry. That five independent implementations made the same mistake points to a design flaw rather than a coding error.

The variant targeting Apache HTTPD has been assigned CVE-2026-49975 (responsibly reported on May 27, 2026) and has been patched by engineer Stefan Eissing. To protect systems against HTTP/2 Bomb and related issues (such as CVE-2016-6581 and CVE-2025-53020), administrators should implement the following recommendations immediately:
NGINX: Update to version 1.29.8 or later, which adds the max_headers directive (default limit of 1,000 header fields per request). If upgrading is not yet possible, disable HTTP/2 with the http2 off; directive.
Apache HTTPD: Update to mod_http2 v2.0.41. As a temporary workaround, set Protocols http/1.1 to disable HTTP/2.
Microsoft IIS, Envoy, and Cloudflare Pingora: No official patch was available at the time of publication. Organizations should deploy a web application firewall (WAF/WAAP) in front of these servers to detect and block anomalous request patterns, bearing in mind that whatever component terminates HTTP/2 is the one that must withstand the attack.
Reference: TheHackerNews