HTTP/2 Bomb: One Client Can Kill Your Server in 10 Seconds
The HTTP/2 Bomb dropped this week. CVE-2026-49975 chains two decade-old attack techniques into something nastier than the sum of its parts. An AI coding assistant helped find it. Your server is probably vulnerable right now.
How It Works
HTTP/2 compresses headers with HPACK (RFC 7541). Part of HPACK is a per-connection dynamic table: a sender adds a header to it once, then refers back to it with an indexed representation, and for table indices below 127 that reference is a single byte. The Bomb abuses this by inserting one large header into the dynamic table, then referencing it thousands of times via those one-byte indices. The decoder has to materialize the full name and value on every reference.
One byte in. Thousands of bytes allocated. Envoy hits 5,700:1 amplification. Apache manages 4,000:1. This is just the first punch.
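To see the amplification rather than take the ratio on faith, here is an added example (mine, not the advisory's proof of concept or any server's code) that implements the two HPACK representations involved, a literal with incremental indexing followed by one-byte indexed references, and decodes the result while counting wire bytes against decoded bytes. The decoded-size accounting follows RFC 9113 (name + value + 32 per field); the cap the decoder enforces is the generic receiver-side defence, not a description of any vendor's patch, and the 2000-byte header value and 1000 repeats are constructed inputs.

```python
"""HPACK amplification, measured. Added example: not the advisory's PoC, not any
server's code. Literal-with-indexing + indexed references per RFC 7541; the
max_header_list_size cap is the generic receiver-side defence (assumption)."""

STATIC_TABLE_ENTRIES = 61      # RFC 7541 Appendix A; dynamic entries start at index 62
DYNAMIC_TABLE_MAX = 4096       # default SETTINGS_HEADER_TABLE_SIZE (RFC 9113 §6.5.2)
ENTRY_OVERHEAD = 32            # per-field accounting overhead (RFC 7541 §4.1)


def encode_int(value, prefix_bits, first_byte_flags):
    """RFC 7541 §5.1 integer: N-bit prefix, then 7-bit continuation bytes."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | max_prefix])
    value -= max_prefix
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    max_prefix = (1 << prefix_bits) - 1
    value = buf[pos] & max_prefix
    pos += 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    """String literal without Huffman coding (H bit clear, 7-bit length prefix)."""
    return encode_int(len(s), 7, 0x00) + s


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are out of scope for this demo")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length


def literal_with_indexing(name, value):
    """'01' prefix with index 0: new name+value literal, added to the dynamic table."""
    return bytes([0x40]) + encode_string(name) + encode_string(value)


def indexed(index):
    """'1' prefix, 7-bit index: indices 1..126 fit in a single byte."""
    return encode_int(index, 7, 0x80)


def build_bomb_block(name, value, repeats):
    """Insert one entry, then reference it `repeats` times at index 62."""
    return literal_with_indexing(name, value) + indexed(STATIC_TABLE_ENTRIES + 1) * repeats


def decode_block(buf, max_header_list_size=None):
    """Decode a header block -> (headers, decoded_size), sizing fields as RFC 9113 §6.5.2
    does (name + value + 32). With a cap set, decoding stops the moment it is exceeded."""
    dynamic, dynamic_size = [], 0            # newest entry first (index 62)
    headers, decoded_size, pos = [], 0, 0
    while pos < len(buf):
        b = buf[pos]
        if b & 0x80:                          # indexed header field
            index, pos = decode_int(buf, pos, 7)
            if index <= STATIC_TABLE_ENTRIES or index - STATIC_TABLE_ENTRIES > len(dynamic):
                raise ValueError("index outside the dynamic table (static lookups omitted)")
            name, value = dynamic[index - STATIC_TABLE_ENTRIES - 1]
        elif b & 0x40:                        # literal with incremental indexing
            index, pos = decode_int(buf, pos, 6)
            if index != 0:
                raise ValueError("indexed-name literals omitted in this demo")
            name, pos = decode_string(buf, pos)
            value, pos = decode_string(buf, pos)
            dynamic.insert(0, (name, value))
            dynamic_size += len(name) + len(value) + ENTRY_OVERHEAD
            while dynamic_size > DYNAMIC_TABLE_MAX:   # evict oldest entries (RFC 7541 §4.4)
                n, v = dynamic.pop()
                dynamic_size -= len(n) + len(v) + ENTRY_OVERHEAD
        else:
            raise ValueError("other representations omitted in this demo")
        headers.append((name, value))
        decoded_size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and decoded_size > max_header_list_size:
            raise ValueError(f"header list exceeded {max_header_list_size} bytes after {pos} wire bytes")
    return headers, decoded_size


def amplification(name, value, repeats):
    """(wire_bytes, decoded_bytes, ratio) for an uncapped decoder."""
    block = build_bomb_block(name, value, repeats)
    _, decoded_size = decode_block(block)
    return len(block), decoded_size, decoded_size / len(block)


def rejected(name, value, repeats, max_header_list_size):
    """True if a capped decoder refuses the block instead of materialising it all."""
    try:
        decode_block(build_bomb_block(name, value, repeats), max_header_list_size)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    wire, decoded, ratio = amplification(b"x", b"A" * 2000, 1000)   # constructed input
    print(f"{wire} bytes on the wire -> {decoded} bytes decoded ({ratio:.0f}:1)")
    print("64 KiB cap rejects it:", rejected(b"x", b"A" * 2000, 1000, 65536))
```

With the constructed input the block is 3,006 bytes on the wire and decodes to a little over 2 MB, roughly 677:1; push the entry size toward the 4 KiB table limit and the repeat count up and the ratio climbs toward the figures quoted above. The point of the capped decoder is that the check runs per field, so a bomb is refused after a few hundred wire bytes instead of after the allocation has already happened.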
The second technique is pure Slowloris energy. The attacker manipulates HTTP/2 flow control so the server cannot deliver what it has already decoded and buffered: the client's receive window stays shut, and the server sits there holding all that allocated memory, waiting for permission to send. The attacker sends occasional frames to keep the connection alive without ever opening the window. The memory never frees. It just grows.
A single client on a 100 Mbps pipe can exhaust 32 GB of RAM in 10 seconds on Envoy. Apache falls in 18 seconds. Nginx lasts about 45 seconds. IIS? Also 45 seconds, but it chews through 64 GB first.
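What a server needs on the flow-control side is a bound on both the bytes it will hold behind a closed window and the time it will wait for that window to open. The following is an added example (mine, not the advisory's or any vendor's code) of that accounting: a parser for the three client frame types involved and a per-connection guard. It models the stall in its generic zero-window form, the client advertising SETTINGS_INITIAL_WINDOW_SIZE=0 and then sending only PINGs, which is an assumption of this example rather than a description of the Bomb's exact frame sequence; the 1 MiB and 10-second limits and the traces are constructed, not any product's defaults.

```python
"""Flow-control stall guard. Added example: not the advisory's PoC, not any
server's code. Zero-window stall modelled as SETTINGS_INITIAL_WINDOW_SIZE=0 plus
keepalive PINGs (an assumption); limits and traces are constructed values."""
import struct

SETTINGS, PING, WINDOW_UPDATE = 0x4, 0x6, 0x8   # frame types, RFC 9113 §6
SETTINGS_INITIAL_WINDOW_SIZE = 0x4              # setting identifier, §6.5.2
DEFAULT_WINDOW = 65_535                         # initial flow-control window, §6.9.2


def frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) from a byte string of frames."""
    pos = 0
    while pos < len(buf):
        if pos + 9 > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


class StallGuard:
    """Per-connection accounting. max_pending: response bytes held behind a closed
    window; stall_timeout: seconds the window may stay shut while data is waiting."""

    def __init__(self, max_pending=1 << 20, stall_timeout=10.0):
        self.conn_window = DEFAULT_WINDOW
        self.initial_stream_window = DEFAULT_WINDOW
        self.stream_window = {}      # stream id -> peer receive window
        self.pending = {}            # stream id -> response bytes queued, unsendable
        self.stalled_since = None
        self.max_pending, self.stall_timeout = max_pending, stall_timeout

    def on_client_frame(self, now, ftype, flags, stream_id, payload):
        if ftype == SETTINGS and not flags & 0x1:          # skip SETTINGS ACKs
            for i in range(0, len(payload), 6):
                ident, value = struct.unpack(">HI", payload[i:i + 6])
                if ident == SETTINGS_INITIAL_WINDOW_SIZE:  # also adjusts open streams (§6.9.2)
                    delta = value - self.initial_stream_window
                    self.initial_stream_window = value
                    for s in self.stream_window:
                        self.stream_window[s] += delta
        elif ftype == WINDOW_UPDATE:
            inc = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if stream_id == 0:
                self.conn_window += inc
            else:
                self.stream_window[stream_id] = self.stream_window.get(stream_id, self.initial_stream_window) + inc
        # PING and other frames prove liveness but open no window: no branch on purpose
        return self._drain_and_check(now)

    def want_send(self, now, stream_id, nbytes):
        """The application has nbytes of response ready for stream_id."""
        self.stream_window.setdefault(stream_id, self.initial_stream_window)
        self.pending[stream_id] = self.pending.get(stream_id, 0) + nbytes
        return self._drain_and_check(now)

    def _drain_and_check(self, now):
        """Send what the windows allow, then decide whether to close the connection."""
        for s, queued in list(self.pending.items()):
            sendable = max(0, min(queued, self.stream_window[s], self.conn_window))
            self.stream_window[s] -= sendable
            self.conn_window -= sendable
            if queued > sendable:
                self.pending[s] = queued - sendable
            else:
                del self.pending[s]
        total = sum(self.pending.values())
        if total == 0:
            self.stalled_since = None
            return None
        if self.stalled_since is None:
            self.stalled_since = now
        if total > self.max_pending:
            return f"close: {total} bytes queued behind a closed window"
        if now - self.stalled_since >= self.stall_timeout:
            return f"close: window closed for {now - self.stalled_since:.0f}s"
        return None


def simulate(response_bytes, ping_times, max_pending=1 << 20, stall_timeout=10.0):
    """Constructed trace: t=0 client sets SETTINGS_INITIAL_WINDOW_SIZE=0; t=0.1 the
    server has response_bytes for stream 1; afterwards only PINGs arrive.
    Returns (time, decision) for the first close decision, else None."""
    guard = StallGuard(max_pending, stall_timeout)
    zero_window = frame(SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))
    for f in parse_frames(zero_window):
        guard.on_client_frame(0.0, *f)
    if (d := guard.want_send(0.1, 1, response_bytes)):
        return 0.1, d
    for t in ping_times:
        for f in parse_frames(frame(PING, 0, 0, bytes(8))):
            if (d := guard.on_client_frame(t, *f)):
                return t, d
    return None


if __name__ == "__main__":
    print(simulate(512 * 1024, [3.0, 6.0, 9.0, 12.0]))   # window shut, pings only: timed out
    print(simulate(4 * 1024 * 1024, [3.0]))              # over the byte cap before any ping
```

The two traces show the two limits firing: a 512 KiB response sits under the byte cap, so the connection dies on the stall timeout at the fourth PING; a 4 MiB response trips the cap the moment the application hands it over. A well-behaved client that sends WINDOW_UPDATEs drains the queue and resets the stall timer, so neither limit touches it.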
Who Is Affected
Pretty much everyone running HTTP/2 with default configs:
| Server | Patch Status | Action |
|---|---|---|
| NGINX | Patched in 1.29.8 | Upgrade now |
| Apache httpd | Patched in mod_http2 2.0.41 | Upgrade now |
| Microsoft IIS | No patch | Disable HTTP/2 or proxy |
| Envoy | Unknown | Disable HTTP/2 or proxy |
| Cloudflare Pingora | No patch | Disable HTTP/2 or proxy |
The vulnerable behavior exists in default configurations across all of them. You did not misconfigure anything. The protocol implementation is just broken.
Disable HTTP/2 Now (If You Cannot Patch)
NGINX (before 1.29.8): either drop the http2 parameter from the listen line (the pre-1.25.1 syntax, listen 443 ssl http2;) or set the directive off explicitly, then reload. The original snippet had the directive commented out, which changes nothing.
server {
listen 443 ssl;   # not: listen 443 ssl http2;
http2 off;        # nginx 1.25.1+ directive; default is already off
}
Apache (mod_http2 before 2.0.41): remove h2 and h2c from every Protocols directive in httpd.conf and the virtual hosts, then reload:
Protocols http/1.1
Microsoft IIS: HTTP/2 is handled by HTTP.sys, not by IIS itself, so the switch is a pair of HTTP.sys registry values. They are read at boot, so a W3SVC restart alone does not apply them.
# PowerShell - disable HTTP/2 in HTTP.sys (TLS and cleartext)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableHttp2Tls" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableHttp2Cleartext" -Value 0 -Type DWord
# Reboot the host to apply; Restart-Service W3SVC is not sufficient
Restart-Computer
Why This Matters
This is not theoretical. The vulnerability was discovered by OpenAI Codex, an AI coding agent, under guidance from Calif researchers. An AI found this by chaining known attacks together.
What happens when bad actors point similar tools at your infrastructure? HTTP/2 has been a security minefield.
The protocol was designed for speed, not safety. Default configurations prioritize performance over resource limits. The result? A single connection can OOM your box.
Bottom Line
Patch NGINX to 1.29.8+. Patch Apache mod_http2 to 2.0.41+. If you run IIS, Envoy, or Pingora, disable HTTP/2 today and put a patched, hardened proxy in front. The Bomb is simple to execute, needs one client, and requires no authentication.