A new DoS attack method dubbed 'HTTP/2 Bomb,' rooted in the HTTP/2 protocol, has been discovered. The vulnerability, found by U.S. security firm Calif using OpenAI's coding assistant tool 'Codex,' impacts major web servers such as Nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. It is reportedly capable of taking a service down in just a few seconds, even when launched from a consumer-grade PC. This article gives an overview of this severe vulnerability, its impact, and the urgent countermeasures engineers should take.
Vulnerability Overview and Scope of Impact
'HTTP/2 Bomb' (CVE-2026-49975) is a DoS attack that abuses HPACK, the header compression scheme of HTTP/2, together with a Slowloris-like abuse of the flow control mechanism. Attackers can exhaust server memory in a short time with minimal traffic, leading to service disruption. It is particularly dangerous because default HTTP/2 server configurations are susceptible, and an unauthenticated attacker can execute it remotely with little effort.
Specific Impact and Attack Scenarios
This attack exploits the header compression (HPACK) mechanism of HTTP/2: a short index reference of about 1 byte, sent thousands of times, makes the server allocate thousands of times more memory than the bytes it received. Combined with a Slowloris-like technique in which the client keeps the connection open while deliberately not reading the server's responses, the allocated memory stays occupied for extended periods without being released. As a result, even a single client can drive a web server out of memory, eventually causing a crash or unresponsiveness. In Japan, it has been reported that Sakura Internet is performing emergency maintenance, including a provisional switch from HTTP/2 to HTTP/1.1, as it scrambles to address the issue.
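To make the amplification concrete from the server's side, here is an added example (not code from the article, from Calif, or from any of the affected servers): a minimal Python HPACK decoder that accounts the decoded header list size, using the SETTINGS_MAX_HEADER_LIST_SIZE metric of RFC 7540 (name + value + 32 octets per header), and rejects a block as soon as the bound is crossed rather than after everything has been allocated. The two HPACK representations and the 32-byte overhead follow RFC 7541; the sample header block, its 4000-byte value, the repeat count and the bounds are constructed test values.

```python
# Added example (not the article's or any vendor's code): a minimal HPACK decoder that bounds
# the DECODED header list size, the check that stops index-reference amplification. Modelled
# (RFC 7541): indexed header field; literal with incremental indexing, new name, raw strings.
STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A; dynamic table entries start at index 62
ENTRY_OVERHEAD = 32      # RFC 7541 section 4.1 per-header size overhead
class HeaderListTooLarge(Exception):
    pass
def decode_int(data, pos, prefix_bits):   # HPACK integer, RFC 7541 section 5.1
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    more, shift = value == mask, 0
    while more:
        b, pos = data[pos], pos + 1
        value, shift, more = value + ((b & 0x7F) << shift), shift + 7, bool(b & 0x80)
    return value, pos

def decode_string(data, pos):
    assert not data[pos] & 0x80, "Huffman-coded strings not modelled"
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def decode_header_block(block, max_header_list_size):
    """Decode, aborting once name+value+32 per header (the SETTINGS_MAX_HEADER_LIST_SIZE metric) exceeds the bound."""
    dynamic, headers, size, pos = [], [], 0, 0        # dynamic[0] is the newest entry
    while pos < len(block):
        if block[pos] & 0x80:                          # indexed header field (1xxxxxxx)
            idx, pos = decode_int(block, pos, 7)
            assert idx > STATIC_TABLE_SIZE, "static table lookups not modelled"
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        else:                                          # literal, incremental indexing, new name
            assert block[pos] == 0x40, "representation not modelled"
            name, pos = decode_string(block, pos + 1)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
        size += len(name) + len(value) + ENTRY_OVERHEAD  # accounted before the header is kept
        if size > max_header_list_size:
            raise HeaderListTooLarge(f"decoded header list exceeds {max_header_list_size} bytes")
        headers.append((name, value))
    return headers, size

def accepts(block, max_header_list_size):   # True if the block decodes within the bound
    try:
        return decode_header_block(block, max_header_list_size) is not None
    except HeaderListTooLarge:
        return False

# Constructed test input: one literal header (name "x", a 4000-byte value) put in the dynamic
# table, then `repeats` one-byte references to it (0xBE = indexed field, index 62).
def constructed_block(repeats=1000):
    return b"\x40\x01x\x7f\xa1\x1e" + b"v" * 4000 + b"\xbe" * repeats
```

With 1000 repeats the block is about 5 KB on the wire but about 4 MB once decoded; under an 8 KB bound the accounting decoder rejects it at the third header, before the remaining references are expanded.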
Immediate Countermeasures for Engineers
Addressing this vulnerability is urgent. Depending on the state of your web servers, consider and implement the following countermeasures promptly.
1. Update Web Servers or Disable HTTP/2
Fixes have already been provided for Nginx and Apache HTTP Server. We recommend updating Nginx to version 1.29.8 or later, and Apache's mod_http2 to v2.0.41 or later. If updating is not feasible right away, temporarily disabling HTTP/2 prevents the attack. For Microsoft IIS, Envoy, and Cloudflare Pingora, no patches were publicly available at the time of writing, so disabling HTTP/2 is the most practical mitigation.
# To disable HTTP/2 in Nginx:
# remove "http2" from the "listen" directive inside the server block.
# Example:
# listen 443 ssl http2;
# change the above to:
listen 443 ssl;
# On Nginx 1.25.1 and later, HTTP/2 is enabled with the separate "http2 on;" directive
# rather than the listen parameter, so remove that directive (or set "http2 off;") as well.

# To keep HTTP/2 enabled on Nginx 1.29.8+ while tightening header limits (recommended):
# add the following inside the http block:
# http {
# http2_max_field_headers 1000;
# http2_max_header_size 8k;
# }
# Note: http2_max_header_size was deprecated in Nginx 1.19.7 in favour of
# large_client_header_buffers; check the directive names against the documentation for your build.

For Apache HTTP Server, you can disable HTTP/2 by making the following change in your configuration file (e.g., httpd.conf).

# To disable HTTP/2 in Apache HTTP Server:
# set the Protocols directive to http/1.1 only.
Protocols http/1.1

2. Monitor and Limit Memory Usage
Continuously monitor the memory usage of web server processes and set up alerts that fire on abnormal growth. It is also important to configure memory limits properly, with `ulimit` or with the resource limits of your container environment, so that a single worker process cannot exhaust the entire system's memory.
3. Protection via WAFs and Reverse Proxies
If you operate a Web Application Firewall (WAF) or a reverse proxy (such as HAProxy) in front of your servers, review its settings so that it enforces HTTP/2 header limits and detects and blocks abnormal flow-control behaviour. HAProxy is considered less susceptible to this vulnerability, and strengthening the edge in this way can stop attacks before they reach your backend servers.
References and Official Patch Information
- Codex Discovered a Hidden HTTP/2 Bomb - Calif
- CVE-2026-10725 - Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb - Tenable
- Protecting against HTTP/2 Bomb vulnerability (CVE-2026-49975) with HAProxy - HAProxy Blog
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare - The Hacker News
- Request for Action Regarding Web Server Vulnerability (HTTP/2) | Keio Information Technology Center
