FeedApplication SecurityNew “HTTP/2 Bomb” attack can exhaust server memory in second...
Application SecurityCyber Insider
9.0CRITICAL

New “HTTP/2 Bomb” attack can exhaust server memory in seconds

📅 3 June 2026 at 10:55 UTC📰 Cyber InsiderView original source ↗
New “HTTP/2 Bomb” attack can exhaust server memory in seconds

Researchers have disclosed a new denial-of-service (DoS) technique dubbed HTTP/2 Bomb, a memory-exhaustion attack that can render major web servers inaccessible within seconds. The attack affects the default HTTP/2 configurations of nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. The attack was discovered by Codex and publicly disclosed on June 2, 2026. Researchers … The post New “HTTP/2 Bomb” attack can exhaust server memory in seconds appeared first on CyberInsider.

🤖 AI BriefingAuto-generated threat analysis
🔍Threat Overview

A new denial-of-service (DoS) technique, HTTP/2 Bomb, can exhaust server memory in seconds by combining two known HTTP/2 abuse techniques, targeting HPACK header compression and flow control.

⚙️Technical Details
Affected Systems
nginxApache HTTP ServerMicrosoft IISEnvoyCloudflare Pingora
Attack Vectors
HPACK-based memory amplification with HTTP/2 flow-control stalling
💥Impact Assessment
Severity: critical
🛡️Recommended Actions
1Upgrade affected software where patches are available
2Disable HTTP/2 if not possible
3Enforce hard limits on header counts and apply memory limits to worker processes
📦Affected Products
nginxApache HTTP ServerMicrosoft IISEnvoyCloudflare Pingora

Read the full article

This is a curated summary. The complete article is available at Cyber Insider.

Read on Cyber Insider
← Back to feed