New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

2026-06-03

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A critical HTTP/2 vulnerability called HTTP/2 Bomb has been discovered affecting major web servers like NGINX, Apache, IIS, Envoy, and Cloudflare Pingora.

•The attack combines a compression bomb technique with a Slowloris-style hold, exploiting HPACK header compression to cause memory exhaustion
•One byte transmitted becomes one full header allocation on the server, repeated thousands of times per request
•A zero-byte flow-control window prevents the server from freeing allocated memory
•A single client can consume 32GB of server memory in approximately 20 seconds against Apache HTTPD and Envoy
•NGINX patched the vulnerability in version 1.29.8+ with the max_headers directive; Apache httpd was fixed in mod_http2 v2.0.41; Microsoft IIS, Envoy, and Cloudflare Pingora remain unpatched

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code

Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues