Offensive-security firm Calif, with discovery work performed by OpenAI's Codex software agent, has disclosed HTTP/2 Bomb, a denial-of-service attack that crashes web servers from a single machine in seconds. It works against default HTTP/2 configurations of NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. The technique combines HPACK header-compression amplification (one attacker byte triggering thousands of bytes of server allocation, up to 5,700:1 on Envoy) with Slowloris-style flow-control stalling via zero-byte windows that prevents the memory from ever being freed. A home computer on a 100 Mbps link can force Apache or Envoy to hold 32 GB of RAM in roughly 20 seconds, bypassing existing header-size defenses.
Apache patched a double-free vulnerability in mod_http2 yesterday. CVE-2026-23918 (CVSS 8.8) lets a remote attacker crash the server immediately, with a path to remote code execution under specific memory-layout conditions. The bug is in the stream cleanup code in h2_mplx.c and is triggered by a crafted sequence of HTTP/2 frames including an early stream reset. mod_http2 ships in default Apache builds and HTTP/2 is widely enabled in production. The MPM prefork worker is not affected. Researchers warn practical RCE requires an info leak and probabilistic heap spray, but in lab conditions execution lands in minutes.