{"id":13337,"date":"2026-06-03T10:04:16","date_gmt":"2026-06-03T10:04:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/03\/http-2-bomb-remote-dos-exploit-hits-nginx-apache-iis-envoy-and-cloudflare-pingora\/"},"modified":"2026-06-03T10:04:16","modified_gmt":"2026-06-03T10:04:16","slug":"http-2-bomb-remote-dos-exploit-hits-nginx-apache-iis-envoy-and-cloudflare-pingora","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/03\/http-2-bomb-remote-dos-exploit-hits-nginx-apache-iis-envoy-and-cloudflare-pingora\/","title":{"rendered":"HTTP\/2 Bomb \u2014 Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora"},"content":{"rendered":"

HTTP\/2 Bomb \u2014 Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A newly disclosed remote denial-of-service exploit dubbed \u201cHTTP\/2 Bomb\u201d targets the default HTTP\/2<\/a> configurations of the world\u2019s most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds.<\/p>\n

The exploit was discovered by researcher Quang Luong using Codex and chaining two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold.<\/p>\n

What makes this variant novel is not the primitives themselves, but the precise way they are combined and, critically, where the amplification originates.<\/p>\n

HTTP\/2 Bomb Remote DoS Exploit<\/strong><\/h2>\n

HPACK (RFC 7541<\/a>) is HTTP\/2\u2019s stateful header compression scheme. Each peer maintains a dynamic table of recently seen headers; a sender can insert a header once and subsequently reference it with a single-byte index.<\/p>\n

The receiver must materialize a full copy of that header on every reference. According to Jun Rong and Duc Phan,\u00a0the exploit seeds the dynamic table with one header, then emits thousands of 1-byte indexed references in a single request, costing the attacker one wire byte while forcing the server to allocate anywhere from ~70 bytes (nginx, IIS, Pingora) to ~4,000 bytes (Apache httpd, Envoy) per reference.<\/p>\n

The second component exploits HTTP\/2 per-stream flow control (RFC 9113<\/a>). The client advertises a zero-byte flow-control window, preventing the server from ever finishing its response.<\/p>\n

A trickle of 1-byte WINDOW_UPDATE<\/code> frames continuously resets the send timeout, pinning every memory allocation in place for as long as the attacker wishes turning a transient amplification into a persistent memory hold.<\/p>\n

\"Attack
Attack on Multiple OS<\/figcaption><\/figure>\n
\n\n\n\n\n\n\n\n\n
Server<\/th>\nAmplification<\/th>\nDemo Result<\/th>\n<\/tr>\n<\/thead>\n
Envoy 1.37.2<\/td>\n~5,700:1<\/td>\n~32 GB in ~10s<\/td>\n<\/tr>\n
Apache httpd 2.4.67<\/td>\n~4,000:1<\/td>\n~32 GB in ~18s<\/td>\n<\/tr>\n
nginx 1.29.7<\/td>\n~70:1<\/td>\n~32 GB in ~45s<\/td>\n<\/tr>\n
Microsoft IIS (Windows Server 2025)<\/td>\n~68:1<\/td>\n~64 GB in ~45s<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

A Shodan analysis identified 880,000+ public-facing websites supporting HTTP\/2 and running one of these servers, though many are fronted by CDNs that reduce direct exposure, Quang Luong said<\/a>.<\/p>\n

For servers that cap header-field count rather than decoded size (Apache, Envoy), the exploit uses a Cookie<\/code> header bypass. RFC 9113 \u00a78.2.3 explicitly permits splitting a Cookie header into one field per crumb. Neither Apache nor Envoy was counting those crumbs against field limits.<\/p>\n

Envoy appends each crumb into a buffer; a 4 KB cookie value referenced 32,768 times produces a logical ~3,600:1 ratio, with measured RSS ratios reaching ~5,700:1 on a single stream once allocator overhead accumulates. Apache httpd rebuilds the entire merged cookie string on every crumb, leaving older copies live until stream cleanup, yielding ~4,000:1 even for an empty cookie.<\/p>\n

The Apache httpd variant was assigned CVE-2026-49975 following responsible disclosure on May 27, 2026, with a same-day fix committed by Stefan Eissing. The nginx fix shipped in version 1.29.8, importing the max_headers<\/code> directive with a default ceiling of 1,000 headers.<\/p>\n

Prior related CVEs include CVE-2016-6581 (original HPACK Bomb, coined by Cory Benfield), CVE-2025-53020 (Apache httpd ~4,000:1 amplification, Gal Bar Nahum), CVE-2016-8740, and CVE-2016-1546.<\/p>\n

Mitigations<\/strong><\/h2>\n