{"id":225118,"date":"2026-06-03T04:33:00","date_gmt":"2026-06-03T08:33:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/03\/new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare\/"},"modified":"2026-06-03T08:45:29","modified_gmt":"2026-06-03T12:45:29","slug":"new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/03\/new-http-2-bomb-vulnerability-allows-remote-dos-on-nginx-apache-iis-envoy-cloudflare\/","title":{"rendered":"New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html\">New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html\">https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html<\/a><\/p>\n<p>Publish Date: 2026-06-03 04:33:00<\/p>\n<p>Source Domain: thehackernews.com<\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>Ravie Lakshmanan, Jun 03, 2026. Vulnerability \/ Server Security<\/p>\n<p>Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.<\/p>\n<p>The vulnerability has been codenamed HTTP\/2 Bomb by Calif.<\/p>\n<p>&#8220;The vulnerable behavior exists in each server&#8217;s default HTTP\/2 configuration,&#8221; the company said, adding it was 
discovered by OpenAI Codex by chaining together two known techniques: a compression bomb and a Slowloris-style hold.<\/p>\n<p>&#8220;The bomb targets HPACK, HTTP\/2&#8217;s header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request,&#8221; Calif added. &#8220;The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it.&#8221;<\/p>\n<p>HPACK is a dedicated header compression algorithm for HTTP\/2 used for compressing request and response metadata using Huffman encoding that results in an average reduction of 30% in header size. It&#8217;s also designed to be resilient to attacks like CRIME (short for &#8220;Compression Ratio Info-leak Made Easy&#8221;) that can leak authentication cookies from compressed headers.<\/p>\n<p>Slowloris, on the other hand, is a type of denial-of-service (DoS) attack that allows a threat actor to overwhelm a targeted server by opening and maintaining many simultaneous HTTP connections between the attacker and the target. It is an application-layer attack.<\/p>\n<p>HTTP\/2 Bomb is inspired by various known approaches like HPACK Bomb (aka CVE-2016-6581), which was first disclosed in 2016, as well as CVE-2025-53020, a memory exhaustion vulnerability in Apache httpd&#8217;s HTTP\/2 implementation, and two DoS flaws in Apache HTTP Server triggered via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546) in an HTTP\/2 connection.<\/p>\n<p>&#8220;What&#8217;s new here is where the amplification comes from,&#8221; Calif said. &#8220;The classic bomb stuffs a large value into the table and references it repeatedly, so servers learned to cap the total decoded header size. Our variant goes the other way: the header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. 
The decoded-size limit never fires because there&#8217;s almost nothing to decode.&#8221;<\/p>\n<p>In a hypothetical attack scenario, a home computer on a 100 Mbps connection could render a vulnerable server inaccessible within seconds. What&#8217;s more, a single client can consume and hold 32 GB of server memory against Apache HTTPD and Envoy in about 20 seconds.<\/p>\n<p>To counter the vulnerability, it&#8217;s advised to apply the following mitigations:<\/p>\n<ul>\n<li>NGINX &#8211; Upgrade to 1.29.8+, which adds the <code>max_headers<\/code> directive with a default of 1000. If upgrading is not an option, disable HTTP\/2 with <code>http2 off;<\/code>.<\/li>\n<li>Apache HTTPD &#8211; Fixed in mod_http2 v2.0.41. If upgrading is not an option, set <code>Protocols http\/1.1<\/code> to disable HTTP\/2.<\/li>\n<li>Microsoft IIS, Envoy, and Cloudflare Pingora &#8211; No patch available as of writing.<\/li>\n<\/ul>\n<p>&#8220;The deeper miss is that the spec frames memory risk purely as an amplification ratio, and ratio is only half the equation,&#8221; Calif said. &#8220;A 70:1 amplifier is harmless if the memory is freed when the request completes. 
It becomes an attack because HTTP\/2 lets the client hold the connection open almost for free, pinning every allocated byte for as long as they like.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New HTTP\/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy &#038; Cloudflare https:\/\/thehackernews.com\/2026\/06\/new-http2-bomb-vulnerability-allows.html&#8230;<\/p>\n","protected":false},"author":1,"featured_media":225119,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhP07q0cgsa0a9VyTU6oPpxqvoZ5Gg2spx-ClmUIzn9LjYzDfuKNxnLXNuXMexiMB8GjKewhk7CnAL5HXgpCL_wq5eaU8VK2mTxxcKJHAZ9eLBskg516sBn4SV5XHWOuZIozDzBD_0MUCAMcVpGyqOEWITNKi2mQFxFLl9gqg_3UxPlwmXCkRfm2JERftyN\/s1600\/http2.gif","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,34,27],"class_list":["post-225118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225118"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=225118"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225118\/revisions"}],"predecessor-version":[{"id":225120,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/225118\/revisions\/225120"}],"wp:featuredmedia":[{"embeddable":t
rue,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/225119"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=225118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=225118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=225118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}