Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ai-discovered (3 articles)

HTTP/2 Bomb: single 100Mbps client crashes NGINX, Apache, IIS, Envoy, Cloudflare Pingora in seconds - found by OpenAI Codex agent

Offensive-security firm Calif, with discovery work performed by OpenAI's Codex software agent, has disclosed HTTP/2 Bomb, a denial-of-service attack that crashes web servers from a single machine in seconds. It works against default HTTP/2 configurations of NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The technique combines HPACK header-compression amplification (one attacker byte triggering thousands of bytes of server allocation, up to 5,700:1 on Envoy) with Slowloris-style flow-control stalling via zero-byte windows that prevents the memory from ever being freed. A home computer on a 100 Mbps link can force Apache or Envoy to hold 32 GB of RAM in roughly 20 seconds, bypassing existing header-size defenses.

Check
Inventory internet-facing web servers and proxies running HTTP/2 (NGINX, Apache, IIS, Envoy, Cloudflare Pingora). Monitor for sudden per-connection memory spikes and stalled HTTP/2 streams with zero-window flow control.
Affected
Default HTTP/2 configurations of NGINX, Apache, IIS, Envoy, and Cloudflare Pingora. A single 100 Mbps client can hold 32 GB of server RAM in ~20 seconds, bypassing header-size limits.
Fix
Apply vendor HTTP/2 patches and mitigations as released. Cap per-connection memory and concurrent streams, enforce flow-control timeouts, and rate-limit HTTP/2 connections. Consider disabling HTTP/2 on exposed servers until patched.

Autonomous AI tool finds 2-year-old Redis use-after-free RCE CVE-2026-23479 - most cloud Redis runs passwordless, exploit public

Team Xint Code has disclosed CVE-2026-23479, a use-after-free remote code execution flaw in Redis that sat unnoticed in every stable branch from 7.2.0 until the May 5 fixes - over two years. The bug lives in unblockClientOnKey(), which keeps using a client pointer after processCommandAndResetClient() can free it. Exploitation needs an authenticated session, but Wiz's analysis finds Redis in most cloud environments with the majority running passwordless, where the default user already holds every privilege the exploit chain requires. The published exploit leaks a heap pointer via Lua, reclaims a freed client with a fake structure, and overwrites a GOT entry to repoint strcasecmp() at system(). NVD rates it 8.8.

Check
Inventory Redis instances and confirm version is past the May 5 fix. Identify passwordless or internet-reachable deployments. Audit for unexpected Lua EVAL activity and child processes spawned by redis-server.
Affected
Redis 7.2.0 through the May 5 fixes (over two years of stable branches). Exploitation needs an authenticated session, but most cloud Redis runs passwordless with the all-privileged default user.
Fix
Upgrade Redis to the patched release. Require authentication and strong ACLs, bind to localhost or private networks, never expose Redis to the internet. Enable full RELRO when building images.

NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check
Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.
Affected
NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.
Fix
Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.
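As an added example (not part of the original article or the NGINX project), the shell script below implements the config check described above: it flags a rewrite directive whose regex has an unnamed capture, whose replacement uses $1..$9 together with a question mark, and which is followed in the same block by another rewrite, if or set directive. The sample config is constructed for the demo; the awk logic is a line-oriented heuristic that ignores include files and nested-block subtleties, so review its hits by hand.

```shell
# Constructed sample nginx config exercising the pattern from the advisory.
SAMPLE_CONF="${TMPDIR:-/tmp}/rift_sample_$$.conf"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    location /api/ {
        rewrite ^/api/(.*)$ /v1/$1? last;             # unnamed capture + '?' ...
        set $backend upstream_a;                       # ... followed by set: flagged
    }
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /old?id=$1 last;        # candidate ...
        if ($request_method = POST) { return 405; }    # ... followed by if: flagged
    }
    location /safe/ {
        rewrite ^/safe/(?<path>.*)$ /new/$path? last;  # named capture: not flagged
        set $x 1;
    }
    location /tail/ {
        rewrite ^/tail/(.*)$ /t?q=$1 last;             # nothing follows in block: not flagged
    }
}
EOF

# Print "file:line: directive" for each rewrite matching the risky pattern.
find_risky_rewrites() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line) }            # strip indentation
    line ~ /^}/ { pending = ""; next }                 # block closed: drop candidate
    # a rewrite/if/set directive following a pending candidate confirms the hit
    pending != "" && line ~ /^(rewrite|if|set)[ \t]/ { print pending; pending = "" }
    line ~ /^rewrite[ \t]/ {
      n = split(line, f, /[ \t]+/)                      # f[2]=regex, f[3]=replacement
      if (n >= 3 && f[2] ~ /[(]/ && f[3] ~ /[$][0-9]/ && f[3] ~ /[?]/)
        pending = FILENAME ":" FNR ": " line
    }
  ' "$1"
}

# Number of flagged directives, for use in scripts and CI gates.
count_risky_rewrites() {
  find_risky_rewrites "$1" | wc -l | tr -d ' '
}

find_risky_rewrites "$SAMPLE_CONF"
```

Run it against a real config with `find_risky_rewrites /etc/nginx/nginx.conf`, remembering to repeat for every file pulled in by include directives.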