A devastating new denial-of-service (DoS) attack method dubbed HTTP/2 Bomb has been discovered, capable of crippling major web servers from a single home computer in under a minute. Uncovered by cybersecurity firm Calif using an AI agent, the exploit poses a critical threat to over 880,000 websites globally by taking advantage of default configurations in widely deployed software.
The vulnerability, tracked under CVE-2026-49975, targets the foundational memory management layers of the internet’s most trusted server environments.
The Mechanics of the ‘Inverse’ Compression Bomb
Unlike traditional volumetric attacks that rely on overwhelming network bandwidth, the HTTP/2 Bomb is a resource-starvation exploit. It works by weaponizing HPACK, the header compression scheme HTTP/2 uses to shrink request and response metadata.
Historically, “compression bombs” stuffed massive values into the decoder’s dynamic table so that a small compressed stream expanded exponentially on arrival, which forced modern servers to enforce strict limits on decoded header sizes. The HTTP/2 Bomb sidesteps this defense.
Instead of large values, the attacker transmits nearly empty headers. The exploit relies on the internal “bookkeeping” and per-entry memory allocation that the server constructs around each field. Because the decoded size of each field remains minuscule, the standard decoded-size thresholds are never reached, so thousands of per-field allocations pass the existing checks effortlessly.
Stalling Flow Control to Pin Server Memory
The true lethality of the exploit lies in its second phase: a Slowloris-style hold that abuses HTTP/2 flow control mechanisms. Once the server has been forced to allocate massive amounts of internal memory to process the flooded headers, the attacker advertises a zero-byte flow-control window.
A zero window forbids the server from sending its response, effectively pausing the connection loop. By periodically sending tiny flow-control updates that raise the window by a single byte, the attacker keeps resetting the server’s timeouts. The server is trapped in an indefinite hold, unable to clear its per-connection state or free the pinned memory blocks.
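The two phases above leave a recognizable footprint in per-connection frame statistics: a very high header-field count with almost no decoded bytes, followed by a zero advertised window kept alive by increment-of-one updates. The following added detector (not code from the article or from any of the vendors named) runs that heuristic over a constructed frame log; the thresholds and the frame-record layout are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the article.
MAX_FIELDS_PER_CONN = 10_000   # header fields before we treat it as a flood
MAX_AVG_FIELD_BYTES = 2        # near-empty: under 2 decoded bytes per field
MIN_TINY_UPDATES = 3           # repeated increment-of-1 WINDOW_UPDATE frames

@dataclass
class ConnState:
    fields: int = 0            # header fields seen on HEADERS/CONTINUATION
    decoded_bytes: int = 0     # decoded (post-HPACK) header bytes
    zero_window: bool = False  # client advertised a 0-byte initial window
    tiny_updates: int = 0      # WINDOW_UPDATE frames with increment == 1

def analyze(frames):
    """frames: dicts with keys conn, type and, per type, fields/decoded,
    window or increment. Returns {conn: [finding, ...]} for matches."""
    state = defaultdict(ConnState)
    for f in frames:
        s, t = state[f["conn"]], f["type"]
        if t in ("HEADERS", "CONTINUATION"):
            s.fields += f.get("fields", 0)
            s.decoded_bytes += f.get("decoded", 0)
        elif t == "SETTINGS" and f.get("window") == 0:
            s.zero_window = True
        elif t == "WINDOW_UPDATE" and f.get("increment") == 1:
            s.tiny_updates += 1
    findings = {}
    for conn, s in state.items():
        hits = []
        avg = s.decoded_bytes / s.fields if s.fields else 0.0
        if s.fields >= MAX_FIELDS_PER_CONN and avg <= MAX_AVG_FIELD_BYTES:
            hits.append("empty-header flood")
        if s.zero_window and s.tiny_updates >= MIN_TINY_UPDATES:
            hits.append("zero-window hold")
        if hits:
            findings[conn] = hits
    return findings

# Constructed sample log: one ordinary browser connection and one showing
# both phases of the pattern described above.
SAMPLE = (
    [{"conn": "normal", "type": "HEADERS", "fields": 12, "decoded": 480}] * 20
    + [{"conn": "normal", "type": "WINDOW_UPDATE", "increment": 65535}] * 5
    + [{"conn": "bomb", "type": "HEADERS", "fields": 100, "decoded": 100}] * 200
    + [{"conn": "bomb", "type": "SETTINGS", "window": 0}]
    + [{"conn": "bomb", "type": "WINDOW_UPDATE", "increment": 1}] * 10
)

print(analyze(SAMPLE))  # {'bomb': ['empty-header flood', 'zero-window hold']}
```

In practice the frame records would come from a proxy’s access or debug log; the ordinary connection is never flagged because its field count stays far below the flood threshold.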
Vulnerable Ecosystems and Immediate Mitigations
The threat surface for the exploit covers the core server software of the modern web. During controlled testing, researchers demonstrated that a single attacker operating on a standard 100 Mbps home connection could completely exhaust 32 GB of server RAM in 10 to 18 seconds.
The performance metrics and patch availability status across major server platforms highlight the immediate risks:
- Envoy: Suffers rapid RAM exhaustion (32 GB in approximately 10 seconds) and remains currently unpatched and vulnerable.
- Apache HTTPD: Experiences memory failure (32 GB in approximately 18 seconds); a patch is available in mod_http2 version 2.0.41.
- NGINX: Encounters server crashes (32 GB in approximately 45 seconds); an official patch has been rolled out in version 1.29.8 and higher.
- Microsoft IIS: Showcases memory depletion (64 GB in approximately 45 seconds) and is currently unpatched and vulnerable.
- Cloudflare Pingora: Demonstrates rapid resource starvation under default states and is currently unpatched and vulnerable.
While NGINX and Apache HTTPD rolled out immediate patches to limit maximum header counts and fix internal bookkeeping bugs, Microsoft IIS, Envoy, and Cloudflare’s Pingora proxy framework remain highly vulnerable in their default states.
Network administrators managing unpatched deployments are urged to immediately enforce hard limits on concurrent header fields. If an immediate upgrade is not an option, cybersecurity agencies recommend disabling HTTP/2 entirely and falling back to HTTP/1.1 until official patches are deployed.