HTTP/2 Bomb Shows How Fast AI Can Chain Old Flaws
June 7, 2026

The HTTP/2 Bomb attack chain can knock vulnerable web servers offline through memory pressure. The bigger shock is the short path from old ideas to a new exploit.
What this is about
Security researchers at Calif disclosed a denial-of-service technique called HTTP/2 Bomb in early June 2026. Several security reports say the attack chain was found with help from OpenAI Codex and affects common HTTP/2 implementations including Apache httpd, nginx, Envoy, Microsoft IIS, and Cloudflare Pingora.
This matters because it is not about obscure niche software. HTTP/2 sits inside web servers, proxies, APIs, and platforms that carry production services every day.
What HTTP/2 Bomb actually does
The attack chain combines two older ideas in a new way: HPACK header compression and Slowloris-style stream holding. Small amounts of data on the wire can create much larger memory objects inside the server. The connection behavior then prevents that memory from being released quickly.
For Apache, the reports name CVE-2026-49975; Envoy's related weakness is tracked separately in follow-up reports. The practical question is therefore not only the CVE number but the exact HTTP/2 component, version, and configuration in use.
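To make the HPACK half of the chain concrete from the defender's side, here is a small bounded HPACK decoder. It is an added example written for this article, not code from Apache, nginx, Envoy, IIS or Pingora, and it does not depend on the HTTP/2 Bomb specifics, which the reports do not spell out. It implements the RFC 7541 integer and string encodings, the static table, the dynamic table and the size rule of RFC 7541 section 4.1 (each entry is accounted as name length + value length + 32 bytes), and it applies the receiver's SETTINGS_MAX_HEADER_LIST_SIZE field by field while decoding rather than after the whole list has been built. The constructed sample block shows the ratio the article describes: 34 bytes on the wire account for 265 bytes of header state, because a reference to an indexed field costs one byte. Class, function and sample names are this example's own.

```python
"""Bounded HPACK decoder: a constructed example, not code from any server named on the page.
It applies RFC 7541 s4.1 accounting (each entry costs len(name) + len(value) + 32) per field
while decoding, so a header list that exceeds our SETTINGS_MAX_HEADER_LIST_SIZE is refused
as soon as the limit is crossed. Huffman-coded strings are rejected as out of scope."""
ENTRY_OVERHEAD = 32
# RFC 7541 Appendix A static table, indices 1..61 ("name value"; entries without a value get "").
_S = (":authority", ":method GET", ":method POST", ":path /", ":path /index.html",
      ":scheme http", ":scheme https", ":status 200", ":status 204", ":status 206",
      ":status 304", ":status 400", ":status 404", ":status 500", "accept-charset",
      "accept-encoding gzip, deflate", "accept-language", "accept-ranges", "accept",
      "access-control-allow-origin", "age", "allow", "authorization", "cache-control",
      "content-disposition", "content-encoding", "content-language", "content-length",
      "content-location", "content-range", "content-type", "cookie", "date", "etag",
      "expect", "expires", "from", "host", "if-match", "if-modified-since", "if-none-match",
      "if-range", "if-unmodified-since", "last-modified", "link", "location", "max-forwards",
      "proxy-authenticate", "proxy-authorization", "range", "referer", "refresh",
      "retry-after", "server", "set-cookie", "strict-transport-security",
      "transfer-encoding", "user-agent", "vary", "via", "www-authenticate")
STATIC_TABLE = [tuple(e.split(" ", 1)) if " " in e else (e, "") for e in _S]

class HeaderListTooLarge(Exception):
    """Decoded list would exceed the limit; the caller must reset the stream or connection."""

def _decode_int(data, pos, prefix_bits):
    """RFC 7541 s5.1 integer: N-bit prefix, then 7-bit continuation bytes, LSB first."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    for shift in range(0, 63, 7):
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("integer too large")

def _decode_string(data, pos):
    if data[pos] & 0x80:  # Huffman flag: not supported in this example
        raise NotImplementedError("Huffman-coded string")
    length, pos = _decode_int(data, pos, 7)
    if pos + length > len(data):
        raise ValueError("truncated string")
    return data[pos:pos + length].decode("ascii"), pos + length

class BoundedHpackDecoder:
    def __init__(self, max_header_list_size, header_table_size=4096):
        self.max_header_list_size = max_header_list_size  # our SETTINGS_MAX_HEADER_LIST_SIZE
        self.header_table_size = self.dyn_max = header_table_size
        self.dynamic, self.dyn_size = [], 0  # newest dynamic entry first (index 62)

    def _lookup(self, index):
        dyn = index - len(STATIC_TABLE) - 1  # >= 0 addresses the dynamic table
        if index < 1 or dyn >= len(self.dynamic):
            raise ValueError(f"invalid header index {index}")
        return self.dynamic[dyn] if dyn >= 0 else STATIC_TABLE[index - 1]

    def _evict(self):
        while self.dyn_size > self.dyn_max:
            name, value = self.dynamic.pop()
            self.dyn_size -= len(name) + len(value) + ENTRY_OVERHEAD

    def decode(self, block):
        headers, list_size, pos = [], 0, 0
        while pos < len(block):
            first, add = block[pos], False
            if first & 0x80:                        # indexed field: one wire byte -> full entry
                index, pos = _decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif (first & 0xE0) == 0x20:            # dynamic table size update (RFC 7541 s6.3)
                self.dyn_max, pos = _decode_int(block, pos, 5)
                if self.dyn_max > self.header_table_size:
                    raise ValueError("peer exceeded our SETTINGS_HEADER_TABLE_SIZE")
                self._evict()
                continue
            else:                                   # literal: 0x40 adds to table, 0x00/0x10 do not
                add = bool(first & 0x40)
                index, pos = _decode_int(block, pos, 6 if add else 4)
                name, pos = (self._lookup(index)[0], pos) if index else _decode_string(block, pos)
                value, pos = _decode_string(block, pos)
            # Account for the entry before keeping it: the decoder never holds more than the
            # limit plus one entry, however few bytes the wire encoding used.
            list_size += len(name) + len(value) + ENTRY_OVERHEAD
            if list_size > self.max_header_list_size:
                raise HeaderListTooLarge(f"{list_size} > {self.max_header_list_size}")
            headers.append((name, value))
            if add:
                self.dynamic.insert(0, (name, value))
                self.dyn_size += len(name) + len(value) + ENTRY_OVERHEAD
                self._evict()
        return headers

def decode_or_reject(block, max_header_list_size):
    """Decoded header list, or None when the bounded decoder refuses the block."""
    try:
        return BoundedHpackDecoder(max_header_list_size).decode(block)
    except HeaderListTooLarge:
        return None

# Constructed 34-byte block: 3 static references, 2 literals that enter the dynamic table,
# then a 1-byte reference (index 62) that re-emits the newest dynamic entry.
SAMPLE_BLOCK = b"\x82\x87\x84" + b"\x41\x0fwww.example.com" + b"\x40\x07x-trace\x03abc" + b"\xbe"
```

The limit value itself is a server configuration question; the point is where the check sits. A decoder that sizes the list after decoding has already paid for the allocation, while one that counts per field stops at the first entry that crosses the line. One caveat from RFC 9113 section 10.5.1 applies to any refusal: the encoder's dynamic table moves on regardless, so a server that stops decoding mid-block, as this example does, must close the connection (GOAWAY) rather than just reset the stream, or else keep consuming the block without retaining fields so that HPACK state stays in sync.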
Why it matters
A memory-exhaustion outage hits availability directly: shops, logins, APIs, payment flows, and internal dashboards. Radware reports that one system on a 100 Mbps connection can be enough to make vulnerable servers inaccessible within seconds. Such lab numbers are not universal for every environment, but they show the direction of the risk.
The second point is strategic: if AI tools can combine patch diffs and old attack ideas faster, the time between fix, public analysis, and working exploit gets shorter.
In plain language
Imagine someone checks in a tiny note at a cloakroom, but the staff internally treats it as 1,000 heavy suitcases. Then the same person blocks the exit so nobody can clear the suitcases away. The room fills up even though almost nothing came in from outside.
A practical example
A SaaS provider runs 40 public APIs behind Envoy and Apache. If only 10 endpoints terminate HTTP/2 with vulnerable header handling, an attacker can target those front ends. The incident team then has to patch and also map where HTTP/2 actually terminates: load balancer, CDN, service mesh, or application server.
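The second half of the chain, streams kept open so that accepted header state is never freed, is handled at the front end by per-connection accounting rather than by any single CVE fix. The sketch below is an added example written for this article, not code from Envoy, Apache or any other server named here; its class names, limits and the idea of budgeting accounted header bytes per connection are its own, while the error codes are the standard HTTP/2 ones from RFC 9113 section 7. It caps concurrent streams and the total header bytes one connection may hold open, and resets streams that go idle, so a held stream costs the peer its stream or connection rather than the server its memory.

```python
"""Per-connection budget for header state pinned by open HTTP/2 streams.
Constructed example, not code from any server named on the page: it models the
defender-side accounting that caps how much decoded header memory one connection
may hold open and how long a stream may sit idle. Names and limits are the example's own."""
from dataclasses import dataclass, field

OK = "ok"
# HTTP/2 error codes (RFC 9113 s7) that a server would send in each situation.
REFUSED_STREAM = "REFUSED_STREAM"        # 0x7: over SETTINGS_MAX_CONCURRENT_STREAMS
ENHANCE_YOUR_CALM = "ENHANCE_YOUR_CALM"  # 0xb: peer is generating excessive load
CANCEL = "CANCEL"                        # 0x8: RST_STREAM for a stream we gave up on

@dataclass
class StreamState:
    opened_at: float
    last_activity: float
    header_bytes: int  # RFC 7541 s4.1 accounted size of the stream's decoded headers

@dataclass
class ConnectionBudget:
    max_concurrent_streams: int = 100       # what we advertise as SETTINGS_MAX_CONCURRENT_STREAMS
    max_held_header_bytes: int = 64 * 1024  # example ceiling across all open streams
    idle_stream_timeout_s: float = 10.0     # reset a stream with no frames for this long
    streams: dict = field(default_factory=dict)

    def held_header_bytes(self) -> int:
        return sum(s.header_bytes for s in self.streams.values())

    def open_stream(self, stream_id: int, header_bytes: int, now: float) -> str:
        """Admit a client stream whose headers accounted to header_bytes, or say why not."""
        if stream_id in self.streams or stream_id % 2 == 0:  # client streams are odd (s5.1.1)
            raise ValueError(f"bad client stream id {stream_id}")
        if len(self.streams) >= self.max_concurrent_streams:
            return REFUSED_STREAM
        if self.held_header_bytes() + header_bytes > self.max_held_header_bytes:
            return ENHANCE_YOUR_CALM  # connection-level: this peer is parking header state
        self.streams[stream_id] = StreamState(now, now, header_bytes)
        return OK

    def activity(self, stream_id: int, now: float) -> None:
        """A frame arrived on the stream: refresh its idle clock."""
        self.streams[stream_id].last_activity = now

    def close_stream(self, stream_id: int) -> None:
        """Stream finished (END_STREAM or RST_STREAM): release its header accounting."""
        self.streams.pop(stream_id, None)

    def reap_idle(self, now: float) -> dict:
        """Reset streams idle longer than the timeout; returns {stream_id: error_code}."""
        idle = [sid for sid, s in self.streams.items()
                if now - s.last_activity > self.idle_stream_timeout_s]
        for sid in idle:
            del self.streams[sid]
        return {sid: CANCEL for sid in idle}
```

The limits are deliberately tiny in the test; a server would derive the header budget from its per-connection memory target, advertise the stream limit in its SETTINGS frame, and call reap_idle from its connection timer. The idle timer is the part most often missing: header-size limits bound what each stream may hold, but only a timer bounds how long it may hold it.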
Scope and limits
- Not every HTTP/2 installation is equally vulnerable; version, component, and header limits matter.
- Many reports blur CVE-2026-49975 with related implementation failures.
- Production testing with proof-of-concepts can cause outages and belongs only in authorized labs or maintenance windows.
In plain English
HTTP/2 Bomb uses small requests that trigger and hold large server-side memory use. Teams should not only search for one CVE, but check every place where HTTP/2 terminates.
Key Takeaways
- Calif disclosed HTTP/2 Bomb in early June 2026.
- The technique combines HPACK amplification with held HTTP/2 streams.
- Apache is linked to CVE-2026-49975; other stacks have related risks.
- Patching and configuration checks depend on the exact server.
- The discovery shows how AI can accelerate the exploit cycle.
FAQ
Is every HTTP/2 server affected?
No. Implementation, version, configuration, and where HTTP/2 terminates all matter.
What is CVE-2026-49975?
Public reporting mainly links it to the Apache httpd part of the HTTP/2 Bomb family.
Should teams test the PoC in production?
No. A denial-of-service PoC can cause outages and belongs in authorized test environments.