Security researchers have identified a new denial-of-service attack called the “HTTP/2 Bomb” that can crash major web servers in seconds [1].

The vulnerability matters because it targets the web servers and proxies that sit at the core of internet infrastructure. By abusing the way servers handle HTTP/2 header compression and flow control, an attacker can force a server to fail without needing a large botnet.

The attack affects several widely used web servers and proxies, including NGINX, Apache, IIS, Envoy, and Cloudflare [1], [2]. It works by chaining two known denial-of-service techniques: abuse of HPACK header compression and abuse of HTTP/2 flow control [1], [3]. The combination forces a server to allocate far more memory for a request than that request could ever legitimately need, so the server runs out of RAM before it can finish processing.

The researchers said a single client can cause a server to allocate up to 32 GB of memory, and that this exhaustion can be reached in roughly 20 seconds [1]. In some cases the attack takes a web server down in just a few seconds [4].

Because the attack exhausts memory rather than saturating bandwidth, it is hard to spot with traditional traffic-volume monitoring: the attacker sends very little data, and every frame is valid HTTP/2. The server does exactly what the protocol tells it to do when decompressing headers and honouring flow-control windows, and it is that compliance that lets a specific sequence of requests consume the available RAM until the process crashes.

The researchers discovered the vulnerability in June 2026 [1], [4]. They said that the efficiency features of HTTP/2 are precisely what the attack turns against the server to slow it down or stop it [3].


The HTTP/2 Bomb represents a shift from volumetric DDoS attacks, which rely on sheer traffic volume, to algorithmic attacks that exploit protocol logic. Because the sender needs very few resources to cause total failure of the receiver, the attack lowers the barrier for disrupting high-traffic global services. Until fixes are available, organizations will likely need more granular memory limits and updated flow-control settings to mitigate this risk: the practical knobs are the per-connection memory a server will buffer, the cap on decoded header-list size, and the number of concurrent streams a client may open.
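The two ideas the article describes, a small header block that decompresses into something much larger and a server that bounds how much memory one connection may hold, are easier to see in a model. The Python below is an added, constructed illustration written for this page; it is not code from the researchers, from any of the affected servers, or a reproduction of the HTTP/2 Bomb chain. It models HPACK's dynamic table and indexed references in a simplified form (a list of operations, not the real wire encoding), and it shows the two checks a server can apply: an incremental limit on decoded header-list size (the SETTINGS_MAX_HEADER_LIST_SIZE idea) and a per-connection budget for flow-control receive buffers. The class and function names, the 4000-byte value, and the budget figures are assumptions chosen for the demo.

```python
"""Toy model of HPACK expansion and of two per-connection memory limits.

Constructed for illustration only: the op list below stands in for the real
HPACK wire format, and nothing here reproduces the HTTP/2 Bomb technique.
"""
from dataclasses import dataclass, field
from typing import Optional

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: a table entry costs len(name)+len(value)+32


class HeaderListTooLarge(Exception):
    pass


class ConnectionBudgetExceeded(Exception):
    pass


def entry_size(name: str, value: str) -> int:
    return len(name) + len(value) + ENTRY_OVERHEAD


@dataclass
class ToyHpackDecoder:
    """Ops are ('literal', name, value), which emits a header and inserts it at the
    head of the dynamic table, or ('indexed', i), which re-emits table entry i."""
    max_table_size: int = 4096                     # SETTINGS_HEADER_TABLE_SIZE default
    max_header_list_size: Optional[int] = None     # decoded-size cap, None = unlimited
    table: list = field(default_factory=list)

    def _insert(self, name: str, value: str) -> None:
        if entry_size(name, value) > self.max_table_size:
            self.table.clear()  # RFC 7541 section 4.4: an oversized entry empties the table
            return
        self.table.insert(0, (name, value))
        while sum(entry_size(n, v) for n, v in self.table) > self.max_table_size:
            self.table.pop()

    def decode(self, ops):
        headers, decoded = [], 0
        for op in ops:
            if op[0] == "literal":
                _, name, value = op
                self._insert(name, value)
            else:
                name, value = self.table[op[1]]
            decoded += entry_size(name, value)
            # Check as we go, so an expanding block is refused before it is materialised.
            if self.max_header_list_size is not None and decoded > self.max_header_list_size:
                raise HeaderListTooLarge(f"decoded {decoded} > {self.max_header_list_size}")
            headers.append((name, value))
        return headers


def wire_size(ops) -> int:
    """Approximate encoded size: a literal costs its bytes plus a few length octets,
    an indexed reference to a small index costs a single octet."""
    return sum(len(op[1]) + len(op[2]) + 3 if op[0] == "literal" else 1 for op in ops)


def amplified_block(n_refs: int, value_len: int = 4000):
    """One literal that nearly fills the table, then n_refs one-byte references to it."""
    return [("literal", "x", "a" * value_len)] + [("indexed", 0)] * n_refs


@dataclass
class ConnectionMemoryBudget:
    """Caps the bytes one connection may hold in receive buffers across all of its
    streams, instead of trusting streams x window as the only bound."""
    max_bytes: int
    per_stream: dict = field(default_factory=dict)

    def reserve(self, stream_id: int, nbytes: int) -> int:
        total = sum(self.per_stream.values()) + nbytes
        if total > self.max_bytes:
            raise ConnectionBudgetExceeded(f"{total} > {self.max_bytes}")
        self.per_stream[stream_id] = self.per_stream.get(stream_id, 0) + nbytes
        return total

    def release(self, stream_id: int, nbytes: int) -> None:
        self.per_stream[stream_id] = max(0, self.per_stream.get(stream_id, 0) - nbytes)


def streams_fit(n_streams: int, window: int, max_bytes: int) -> bool:
    """True if n client streams, each buffering a full window, fit in the budget."""
    budget = ConnectionMemoryBudget(max_bytes)
    try:
        for sid in range(1, 2 * n_streams, 2):  # client-initiated streams are odd-numbered
            budget.reserve(sid, window)
    except ConnectionBudgetExceeded:
        return False
    return True


def demo():
    """Returns (wire bytes, decoded bytes, amplification, verdict with a 16 KiB cap)."""
    ops = amplified_block(16_000)
    expanded = ToyHpackDecoder().decode(ops)          # no cap: fully expanded
    decoded_bytes = sum(entry_size(n, v) for n, v in expanded)
    try:
        ToyHpackDecoder(max_header_list_size=16 * 1024).decode(ops)
        verdict = "accepted"
    except HeaderListTooLarge:
        verdict = "rejected"
    return wire_size(ops), decoded_bytes, decoded_bytes // wire_size(ops), verdict


if __name__ == "__main__":
    print(demo())
    print(streams_fit(15, 65_535, 1_000_000), streams_fit(16, 65_535, 1_000_000))
```

With the uncapped decoder, about 20 KB of "wire" expands to roughly 64 MB of decoded headers, a ratio in the thousands; with the header-list cap the decoder raises after the fifth entry and never allocates the rest. The budget class makes the same point for flow control: a per-connection ceiling refuses the sixteenth full-window stream regardless of how many streams the client is allowed to open.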