Last updated: July 5, 2026 at 9:01 AM UTC
Tag: http2 (2 articles)

HTTP/2 Bomb: single 100Mbps client crashes NGINX, Apache, IIS, Envoy, Cloudflare Pingora in seconds - found by OpenAI Codex agent

Offensive-security firm Calif, with discovery work performed by OpenAI's Codex software agent, has disclosed HTTP/2 Bomb, a denial-of-service attack that crashes web servers from a single machine in seconds. It works against the default HTTP/2 configurations of NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The technique combines HPACK header-compression amplification (one attacker byte triggers thousands of bytes of server-side allocation, up to 5,700:1 on Envoy) with Slowloris-style stalling: the client advertises zero-byte flow-control windows, so the streams never complete and the allocated memory is never freed. The attack bypasses existing header-size defenses; a home computer on a 100 Mbps link can force Apache or Envoy to hold 32 GB of RAM in roughly 20 seconds.

Check
Inventory internet-facing web servers and proxies that serve HTTP/2 (NGINX, Apache, IIS, Envoy, Cloudflare Pingora). Monitor per-connection memory for sudden spikes and watch for HTTP/2 streams that stall with a zero-byte flow-control window.
Affected
Default HTTP/2 configurations of NGINX, Apache, IIS, Envoy, and Cloudflare Pingora. A single 100 Mbps client can hold 32 GB of server RAM in ~20 seconds, bypassing header-size limits.
Fix
Apply vendor HTTP/2 patches and mitigations as they are released. Cap per-connection memory and concurrent streams, enforce flow-control timeouts so stalled streams are torn down, and rate-limit HTTP/2 connections; header-size limits alone do not stop this attack. Consider disabling HTTP/2 on exposed servers until patched.

Apache web server has a critical flaw in HTTP/2 that crashes servers and could let attackers run code (CVE-2026-23918)

Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server outright, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames that includes an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The prefork MPM is not affected. Researchers warn that practical RCE requires an information leak plus a probabilistic heap spray, but in lab conditions code execution lands in minutes.

Check
Identify Apache HTTP Server 2.4.66 installations: run 'httpd -v' or 'apache2 -v' on each server, check whether mod_http2 is loaded with 'apache2ctl -M | grep http2', and confirm which MPM is in use with 'apache2ctl -M | grep mpm' (only the event and worker MPMs are affected).
Affected
Apache HTTP Server 2.4.66 with mod_http2 enabled (default in most builds). CVE-2026-23918, CVSS 8.8. The prefork MPM is not affected; the event and worker MPMs (default in modern installs) are vulnerable. No public proof-of-concept yet, but exploitation for DoS is straightforward. Internet-facing Apache servers running HTTP/2 are at acute risk.
Fix
Upgrade to Apache HTTP Server 2.4.67. If an immediate upgrade isn't possible, disable mod_http2 with 'a2dismod http2' (or comment out its LoadModule line on distributions without a2dismod) - but this drops HTTP/2 support entirely. The 2.4.67 release also patches mod_rewrite (CVE-2026-24072), mod_proxy_ajp (CVE-2026-28780), mod_md, and mod_dav_lock - apply all fixes together.
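The Check above, and the HTTP/2 inventory step in the HTTP/2 Bomb item, can be scripted so the same classification runs on every host. The script below is an added example, not code from the article or from the Apache project. It assumes the standard banner format of 'httpd -v' ("Server version: Apache/2.4.66 (Unix)") and the module-list format of 'apachectl -M' / 'apache2ctl -M' (one " name_module (shared|static)" line per module); the verdict names (affected, prefork-not-affected, no-mod_http2, not-listed, unknown-mpm) are this example's own. It treats only 2.4.66 as affected, because that is the sole release the advisory names; other versions are reported as not-listed rather than assumed safe.

```shell
#!/bin/sh
# Added example (not from the article or the Apache project): classify an
# Apache host for CVE-2026-23918 from `httpd -v` and `apachectl -M` output.
# The functions take the captured output as arguments, so they also work
# offline on text collected from fleet hosts.

# Extract the version number from a banner such as
# "Server version: Apache/2.4.66 (Unix)" (assumed banner format).
apache_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Exit 0 when the module list contains mod_http2 (listed as "http2_module").
h2_loaded() {
  printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Print the MPM name (event, worker, prefork) or "unknown" if none is listed.
apache_mpm() {
  mpm=$(printf '%s\n' "$1" | sed -n 's/^ *mpm_\([a-z]*\)_module.*/\1/p' | head -n 1)
  printf '%s\n' "${mpm:-unknown}"
}

# Verdict for one host, as a single token (verdict names are this example's own).
classify_host() {
  ver=$(apache_version "$1")
  mpm=$(apache_mpm "$2")
  if [ "$ver" != "2.4.66" ]; then
    # Only 2.4.66 is named in the advisory; do not assume other releases are safe.
    printf 'not-listed\n'
  elif ! h2_loaded "$2"; then
    # Without mod_http2 the vulnerable stream cleanup code is never reached.
    printf 'no-mod_http2\n'
  elif [ "$mpm" = prefork ]; then
    printf 'prefork-not-affected\n'
  elif [ "$mpm" = event ] || [ "$mpm" = worker ]; then
    # Upgrade to 2.4.67, or disable mod_http2 until the upgrade is possible.
    printf 'affected\n'
  else
    # MPM could not be determined: treat as affected until confirmed.
    printf 'unknown-mpm\n'
  fi
}

# One-line report combining the raw facts with the verdict.
report() {
  ver=$(apache_version "$1")
  mpm=$(apache_mpm "$2")
  if h2_loaded "$2"; then h2=yes; else h2=no; fi
  printf 'version=%s mod_http2=%s mpm=%s verdict=%s\n' \
    "${ver:-unknown}" "$h2" "$mpm" "$(classify_host "$1" "$2")"
}

# Live mode: `sh h2check.sh --live` runs the two commands on this host.
# apachectl (apache2ctl on Debian-style installs) passes -v and -M through to httpd.
if [ "${1:-}" = "--live" ]; then
  ctl=$(command -v apachectl || command -v apache2ctl) || {
    printf 'no apachectl/apache2ctl found\n' >&2; exit 2; }
  report "$("$ctl" -v 2>/dev/null)" "$("$ctl" -M 2>/dev/null)"
fi
```

The MPM check matters because 'apache2ctl -M | grep http2' alone would flag a prefork host that the advisory says is not affected; conversely, a host where the MPM cannot be read is reported as unknown-mpm so it is not silently dropped from the patch list.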