Security researchers disclosed a critical denial-of-service vulnerability on June 3, 2026, affecting every major HTTP/2-capable web server implementation. The exploit, named HTTP/2 Bomb and tracked as CVE-2026-49975, can crash a server in seconds from a single residential internet connection with no authentication required. The scope is unusually wide: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora are all confirmed vulnerable.
How the attack works
HTTP/2 Bomb chains two separately well-understood techniques into a new and more destructive combination.
The first component is an HPACK compression bomb. HTTP/2 compresses headers with HPACK (RFC 7541), which lets a sender replace a header with a short reference to an entry in a dynamic table shared by both ends of the connection. That table holds entries of up to roughly 4 KB by default, so a single byte of compressed header data can decode to thousands of bytes that the server has to allocate. HPACK decoding is also stateful: the server must decode every header block it receives, in order, to keep its copy of the table in sync, so it cannot skip the decompression for a request it would later reject.
The second component is a Slowloris-style flow-control hold. Once the server has allocated memory for the decoded headers, the attacker keeps the stream's flow-control window at zero, which tells the server it must not send any DATA frames. The server holds the allocated memory and waits for a WINDOW_UPDATE that opens the window. It never arrives.
Combined, the technique turns a trickle of incoming traffic into a rapid accumulation of server memory that is never released. Researchers demonstrated exhaustion of 32 gigabytes of memory in approximately ten seconds on a vulnerable Envoy deployment.
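To make the HPACK component concrete, here is an added example that is not code from the advisory, the researchers or any affected server. It is a toy HPACK decoder covering only two representations (indexed header fields and literals with incremental indexing; the static table and Huffman coding are omitted), and every header block it decodes is constructed in the file. It shows the amplification the paragraph describes, and the standard countermeasure: counting decoded bytes against a header-list cap (the SETTINGS_MAX_HEADER_LIST_SIZE idea) and refusing the block the moment the cap is crossed. The 4,000-byte value and the 8192-byte cap are illustrative choices.

```python
# Added example (not code from the advisory or any affected server): a toy HPACK
# decoder (RFC 7541) showing why one wire byte can decode to a table-sized header
# and how a decoded-size cap (the SETTINGS_MAX_HEADER_LIST_SIZE idea) stops it.
# Only indexed fields and literals with incremental indexing are modelled; the
# static table and Huffman coding are left out. Every input block is constructed.

STATIC_TABLE_ENTRIES = 61   # RFC 7541 App. A; dynamic entries start at index 62
ENTRY_OVERHEAD = 32         # RFC 7541 s4.1: entry size = len(name) + len(value) + 32

class HeaderListTooLarge(Exception):
    pass

def encode_int(value, prefix_bits, flags=0):   # RFC 7541 s5.1 integer encoding
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out, value = bytearray([flags | limit]), value - limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)

def decode_int(block, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value, pos = block[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b, pos = block[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_string(s):
    return encode_int(len(s), 7) + s          # H bit clear: raw octets, no Huffman

def decode_string(block, pos):
    if block[pos] & 0x80:
        raise ValueError("Huffman-coded string not modelled")
    length, pos = decode_int(block, pos, 7)
    return bytes(block[pos:pos + length]), pos + length

def literal_with_indexing(name, value):   # 01000000 + name + value, new table entry
    return encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)

def indexed(index):                       # 1xxxxxxx: a single byte for index < 127
    return encode_int(index, 7, 0x80)

class DynamicTable:
    def __init__(self, max_size=4096):    # 4096 is the default SETTINGS_HEADER_TABLE_SIZE
        self.max_size, self.entries, self.size = max_size, [], 0   # newest entry first

    def add(self, name, value):
        entry = len(name) + len(value) + ENTRY_OVERHEAD
        while self.entries and self.size + entry > self.max_size:  # evict oldest
            n, v = self.entries.pop()
            self.size -= len(n) + len(v) + ENTRY_OVERHEAD
        if entry <= self.max_size:
            self.entries.insert(0, (name, value))
            self.size += entry

def decode_header_block(block, table, max_header_list_size=None):
    # Decoding is stateful: a server must run this for every block it receives to keep
    # its table in sync. With a cap set, the block is refused as soon as the decoded
    # size crosses it, before the offending header is materialised.
    headers, list_size, pos = [], 0, 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                   # indexed reference, 1 byte on the wire
            index, pos = decode_int(block, pos, 7)
            if index <= STATIC_TABLE_ENTRIES:
                raise ValueError("static table not modelled")
            name, value = table.entries[index - STATIC_TABLE_ENTRIES - 1]
        elif b == 0x40:                                # literal with incremental indexing, new name
            pos += 1
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            table.add(name, value)                     # table growth is bounded by wire bytes
        else:
            raise ValueError("representation not modelled")
        list_size += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and list_size > max_header_list_size:
            raise HeaderListTooLarge(f"decoded {list_size} > cap {max_header_list_size}")
        headers.append((name, value))
    return headers, list_size

def amplification_demo(probe_bytes=100, max_header_list_size=None):
    # Constructed scenario: one priming block installs a ~4 KiB entry (paid for in wire
    # bytes once); a second block of probe_bytes one-byte references replays it.
    table = DynamicTable()
    priming = literal_with_indexing(b"x", b"a" * 4000)      # entry size 4033 <= 4096
    decode_header_block(priming, table, max_header_list_size)
    bomb = indexed(STATIC_TABLE_ENTRIES + 1) * probe_bytes   # == b"\xbe" * probe_bytes
    try:
        headers, decoded = decode_header_block(bomb, table, max_header_list_size)
    except HeaderListTooLarge:
        return {"wire_bytes": len(bomb), "rejected": True}
    return {"wire_bytes": len(bomb), "decoded_bytes": decoded,
            "headers": len(headers), "rejected": False}
```

Running amplification_demo() decodes 100 wire bytes into 403,300 bytes of headers (a 4,033:1 ratio, set by the table size, not by the attacker's bandwidth); amplification_demo(max_header_list_size=8192) refuses the same block on its third header. Real servers also need a ceiling on the compressed size of a header block and on the number of fields, which is what the LimitRequestFields and max_headers settings discussed below provide.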
Who is exposed
Shodan analysis identified over 880,000 potentially vulnerable servers publicly accessible on the internet. The inclusion of Cloudflare Pingora in the list deserves particular attention. Pingora is the internally developed HTTP proxy engine that fronts Cloudflare’s network, meaning its vulnerability affects not just Cloudflare’s own infrastructure but potentially the downstream protective posture it provides to the websites sitting behind Cloudflare’s DDoS protection.
For organisations using Cloudflare as a primary defence layer against volumetric attacks, the question of whether Pingora is patched before a campaign begins targeting CVE-2026-49975 is now a material risk variable.
What is patched and what is not
Patch availability is uneven across the affected software. Apache httpd addressed the vulnerability on May 27 by making cookie headers count against the LimitRequestFields limit. If you run Apache, verify you are on a release that includes that fix and review your LimitRequestFields setting.
nginx addressed the issue in version 1.29.8, which introduces the max_headers directive with a default limit of 1,000 headers per request. If you are running an older version, you are exposed.
Microsoft IIS, Envoy, and Cloudflare Pingora had no patch available at the time of public disclosure, and Microsoft has not published a timeline for an IIS fix. For these platforms, disabling HTTP/2 entirely is the recommended interim mitigation. For nginx, http2 off; in the server block removes the attack surface until you can upgrade (on releases before 1.25.1, where HTTP/2 is enabled by the http2 parameter of the listen directive, remove that parameter instead). For Apache, remove h2 and h2c from the Protocols directive so that it reads Protocols http/1.1. In both cases, confirm the change took effect by checking that the server no longer negotiates h2 via ALPN, and remember that h2c (cleartext HTTP/2 on plain listeners) must be switched off separately.
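An added example for verifying the mitigation, not code from any vendor or from the advisory: it opens a TLS connection offering h2 and http/1.1 via ALPN and reports which one the server selected. It connects to an origin address you supply while sending the site name as SNI, because testing the public hostname of a Cloudflare-fronted site only exercises Cloudflare's edge, not your origin. The host names and addresses in the placeholder target list are assumptions for illustration, not real systems.

```python
# Added example (not from the advisory or any vendor): check whether a TLS endpoint
# still negotiates HTTP/2 via ALPN. Uses only the standard library.
import socket
import ssl

def negotiated_alpn(sni_host, connect_addr=None, port=443, timeout=5.0, verify=True):
    """Return the ALPN protocol the server selected: 'h2', 'http/1.1' or None.

    connect_addr lets you hit the origin directly while presenting sni_host as SNI,
    so a CDN in front of the site is not what gets tested."""
    ctx = ssl.create_default_context()
    if not verify:                      # origins with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((connect_addr or sni_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_host) as tls:
            return tls.selected_alpn_protocol()

def classify(alpn):
    """Map an ALPN result to an audit verdict."""
    if alpn == "h2":
        return "HTTP/2 ENABLED"
    if alpn == "http/1.1":
        return "HTTP/2 disabled (HTTP/1.1 only)"
    return "no ALPN selected (HTTP/1.1 assumed; check h2c on plain listeners separately)"

def audit(targets, verify=True):
    """targets: iterable of (sni_host, connect_addr). Returns [(host, addr, verdict), ...].
    Connection failures are reported rather than raised so one dead host does not
    abort the run (ssl.SSLError is a subclass of OSError)."""
    results = []
    for sni_host, addr in targets:
        try:
            verdict = classify(negotiated_alpn(sni_host, addr, verify=verify))
        except OSError as exc:
            verdict = f"connection failed: {exc}"
        results.append((sni_host, addr, verdict))
    return results

if __name__ == "__main__":
    # Placeholder targets (assumed, not real): public name plus the origin address.
    TARGETS = [
        ("www.example.org", "203.0.113.10"),
        ("api.example.org", "203.0.113.11"),
    ]
    for host, addr, verdict in audit(TARGETS, verify=False):
        print(f"{host:30s} {addr:16s} {verdict}")
```

Run it against every origin after applying the mitigation and again after each deploy, since a configuration management run can quietly re-enable HTTP/2. ALPN only covers TLS listeners; for cleartext listeners, test with curl --http2-prior-knowledge against the plain port and expect a failure.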
The broader point for European infrastructure teams
This vulnerability sits at the layer that handles every web request before any application logic executes. Organisations running their own nginx or Apache reverse proxies – common in self-managed Kubernetes clusters, Hetzner and DigitalOcean deployments, and on-premises infrastructure – are exposed regardless of whether they use a CDN in front of the stack.
For teams running Cloudflare-protected infrastructure: Cloudflare’s edge may be the first point of contact for inbound requests, but if your origin servers run unpatched nginx or Apache, a request that bypasses or passes through Cloudflare still reaches vulnerable software. Origin protection and edge protection address different layers.
A server that can be crashed from a single laptop has no SLA, no uptime guarantee, and no disaster recovery plan that will help. Patch nginx, verify Apache, and disable HTTP/2 on IIS and Envoy until vendor patches arrive.
If you want help auditing your web server configuration, applying mitigations across a mixed-stack environment, or assessing where your HTTP/2 exposure sits across cloud and on-premises infrastructure, contact Excello Digital. We help European infrastructure teams move from vulnerability disclosure to verified remediation without waiting for an incident.
