Researchers say a new HTTP/2 attack chain can knock major web servers offline within seconds, potentially affecting more than 880,000 websites running default configurations. The technique combines an HPACK header-compression bomb with Slowloris-style connection holding to exhaust server memory; it builds on CVE-2016-6581, CVE-2016-8740, CVE-2016-1546, Apache's 2025 fix CVE-2025-53020, and the newly assigned Apache CVE-2026-49975. NGINX reportedly fixed the issue in April and Apache in late May, while Microsoft IIS, Envoy, and Cloudflare Pingora had not yet been patched at the time of publication.
Why it matters: Organizations running internet-facing HTTP/2 servers could be taken offline by a relatively low-resource attacker, so this is operationally urgent even though it is a denial-of-service issue rather than data theft. Admins should review vendor advisories, apply the available fixes for NGINX and Apache, and add mitigations or rate limiting for IIS, Envoy, and Pingora until patches arrive.
2026.06.09
63% relevant
It ties Microsoft's June patch release to the previously disclosed HTTP/2 Bomb research by stating that Microsoft fixed CVE-2026-49160 in HTTP.sys and introduced a MaxHeadersCount registry mitigation for HTTP/2 and HTTP/3 requests.
Lawrence Abrams
2026.06.09
93% relevant
This directly updates the HTTP/2 Bomb story by confirming Microsoft patched the related Windows HTTP.sys denial-of-service issue as CVE-2026-49160 and added a MaxHeadersCount mitigation setting and KB5102602 guidance.
2026.06.04
98% relevant
This article is another report on the same HTTP/2 Bomb attack chain, adding details that OpenAI Codex helped Calif researchers chain older HPACK bomb and Slowloris-style techniques, and updating patch status for nginx, Apache, Envoy, Microsoft IIS, and Cloudflare Pingora.
Bill Toulas
2026.06.03
98% relevant
This article is a direct report on the same HTTP/2 Bomb event, adding concrete exploitation results, affected versions, patch status, and the Apache CVE assignment (CVE-2026-49975), plus noting that nginx 1.29.8 fixes the issue while IIS, Envoy, and Pingora remain unpatched.
Ionut Arghire
2026.06.03
100% relevant
This article appears to be the first report establishing the newly named HTTP/2 Bomb exploit chain, including affected products, CVE references, patch status, and public proof-of-concept details.