A newly disclosed remote denial-of-service exploit is tearing through the infrastructure that runs most of the modern web — and the way it was found may matter as much as the bug itself. Dubbed the HTTP/2 Bomb and tracked as CVE-2026-49975, the flaw lets a single attacker on an ordinary home internet connection exhaust tens of gigabytes of server memory in seconds. It affects the default HTTP/2 configuration of NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora — and it was discovered not by a human researcher, but by OpenAI’s Codex.

Disclosed on June 3, 2026 by the team at Calif, the vulnerability has put roughly 880,000 public-facing websites at immediate risk, according to a Shodan sweep of internet-exposed servers running affected software with HTTP/2 enabled.

How a single byte becomes 32 gigabytes

The HTTP/2 Bomb is an amplification attack against HPACK, the header-compression scheme baked into HTTP/2. HPACK is designed to save bandwidth: a client can reference a previously seen header by a single index byte rather than re-sending the whole field. The Bomb weaponizes exactly that efficiency.

The attacker first seeds HPACK’s dynamic table with a single header, then emits thousands of one-byte indexed references in a single request. Each reference costs the attacker one byte on the wire, but forces the server to allocate a full header structure in memory — anywhere from roughly 70 bytes on NGINX, IIS and Pingora to as much as 4,000 bytes on Apache HTTPD and Envoy, per reference.

That alone is a classic compression bomb. The second half of the exploit is what makes it lethal: a Slowloris-style hold. By advertising a zero-byte flow-control window, the attacker prevents the server from ever finishing the request and freeing the allocated memory. The allocations simply pile up.

The result is brutal. According to Calif’s analysis, a single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds, rendering the server unresponsive long before any traditional volumetric DDoS protection would notice the trickle of traffic.

Crucially, this is not a rehash of 2016’s HPACK Bomb (CVE-2016-6581). That older flaw relied on large header values and was killed off by decoded-size limits. The HTTP/2 Bomb achieves its amplification through per-entry bookkeeping overhead instead, sliding neatly underneath the size caps that vendors added nearly a decade ago.

The AI angle: Codex found what humans missed

The detail that has the security community talking is the discoverer. The HTTP/2 Bomb was surfaced by OpenAI’s Codex, which chained together two long-known techniques — the compression bomb and the Slowloris hold — into a novel exploit that had eluded human auditors of some of the most scrutinized server code on Earth.

That matters. NGINX, Apache and Envoy are among the most heavily reviewed open-source projects in existence, fuzzed and audited continuously for years. The fact that an AI system reasoned its way to a working memory-exhaustion primitive by combining primitives that defenders had each individually mitigated is a preview of how vulnerability research is changing. The building blocks were public; the synthesis was not.

Who is patched — and who is not

Vendor response has been uneven, and two major platforms remain exposed at the time of writing:

  • NGINX — Patched. Upgrade to 1.29.8 or later, which introduces a max_headers directive defaulting to 1,000. If you cannot upgrade immediately, disable HTTP/2 with http2 off;.
  • Apache HTTPD — Patched. Fixed in mod_http2 v2.0.41. If you cannot upgrade, fall back to HTTP/1.1 with Protocols http/1.1.
  • Cloudflare Pingora — No action required. Cloudflare’s built-in DDoS mitigations absorb the attack automatically.
  • Microsoft IIS — No patch available as of publication.
  • Envoy — No patch available as of publication.

For IIS and Envoy operators, the only meaningful mitigation right now is to disable HTTP/2 or place the service behind a proxy layer that can cap header counts and enforce request-completion timeouts.
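To make the amplification and the header-count mitigation concrete, here is an added example that is not from the article, Calif, or any vendor's code: a minimal HPACK header-block decoder that counts header fields and stops as soon as a max_headers-style cap is exceeded, so that a capped server never allocates beyond the cap. It models only the two RFC 7541 representations the described attack needs (indexed field, and literal with incremental indexing using non-Huffman strings); the per-entry cost figures and the sample block are taken from the article's description and constructed here, and the function names are the example's own.

```python
# HPACK header-count guard (illustrative; not any server's implementation).
# Per-reference server-side costs are the article's figures.
PER_ENTRY_BYTES = {"nginx": 70, "apache": 4000}
STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A defines 61 static entries


def _decode_int(buf, pos, prefix_bits):
    """HPACK integer (RFC 7541 §5.1): N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _decode_string(buf, pos):
    """String literal (RFC 7541 §5.2), raw (non-Huffman) only."""
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings not modelled")
    length, pos = _decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length


def count_headers(block, max_headers):
    """Return (header_count, accepted); stop decoding once the cap is exceeded."""
    dynamic = []  # newest entry first; dynamic index i maps to STATIC_TABLE_SIZE + i
    pos, count = 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:  # §6.1 indexed field: one wire byte, one server-side entry
            index, pos = _decode_int(block, pos, 7)
            if index == 0 or index > STATIC_TABLE_SIZE + len(dynamic):
                raise ValueError("bad index")
        elif first & 0x40:  # §6.2.1 literal with incremental indexing, new name
            index, pos = _decode_int(block, pos, 6)
            if index != 0:
                raise ValueError("literal with indexed name not modelled")
            name, pos = _decode_string(block, pos)
            value, pos = _decode_string(block, pos)
            dynamic.insert(0, (name, value))  # seeds the dynamic table (index 62 first)
        else:
            raise ValueError("representation not modelled")
        count += 1
        if count > max_headers:
            return count, False  # reject before allocating any further entries
    return count, True


def estimated_allocation(header_count, server):
    """Worst-case memory a server holds for one request, per the article's per-entry costs."""
    return header_count * PER_ENTRY_BYTES[server]


# Constructed sample: one literal "x-a: b" seeds the dynamic table, then 50
# one-byte references to it (0x80 | 62 = 0xBE), the shape the article describes.
SAMPLE_BLOCK = b"\x40\x03x-a\x01b" + b"\xbe" * 50
```

With max_headers at 1,000 and the article's 4,000-byte Apache cost, a single request can at most pin about 4 MB, which is why a count cap closes the hole that decoded-size limits alone left open.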

Why this one is dangerous in practice

Most denial-of-service threats demand a botnet, reflection infrastructure or significant bandwidth. The HTTP/2 Bomb demands none of that. The asymmetry — one wire byte in, thousands of server-side allocations out — means an attacker on a 100Mbps home connection can knock a vulnerable server offline within seconds, and the traffic looks like a single, slow, well-formed request rather than a flood.

That low signature is the real problem. Volumetric DDoS defenses key on volume; this attack hides under the radar precisely because it is tiny on the wire. Defenders relying on bandwidth-based detection will not see it coming until the memory graph spikes.

With roughly 880,000 exposed sites and two major server platforms still unpatched, the practical advice is blunt: inventory your HTTP/2 surface today, patch NGINX and Apache immediately, and disable HTTP/2 on IIS and Envoy until fixes ship.
