Until today, taking down a web server required resources: a botnet, thousands of compromised machines, and coordinated high-volume traffic. A vulnerability disclosed today changes that equation. The HTTP/2 Bomb, published June 3, 2026 by security researcher Quang Luong, lets a single attacker exhaust the memory of nginx, Apache, and IIS servers from one connection until they crash or stop responding. No botnet. No high bandwidth. No authentication required.

For hosting providers, the business implication is direct: one malicious customer, or one external attacker, can take down a shared server and every site running on it. nginx has a patch available today through standard update channels. Apache’s fix exists in a standalone module but has not yet been bundled into any release that distribution package managers like apt or yum will pick up. Microsoft IIS has no patch. The vulnerability was found with help from OpenAI Codex, an AI coding agent, which points to a broader trend beyond this single incident: AI tools are now accelerating the discovery of flaws in the software running modern web infrastructure.

Key Facts

  • Disclosed: June 3, 2026 by Quang Luong (Calif)
  • Attack: Single HTTP/2 connection, no botnet, no authentication
  • Affected: nginx, Apache httpd, Microsoft IIS, Envoy
  • nginx: patched via standard package update today
  • Apache: fix in standalone mod_http2 module, not yet in distribution packages
  • IIS: no patch available
  • Discovery tool: OpenAI Codex (AI coding agent)

How the Attack Works

HTTP/2 has been the protocol behind most modern websites since around 2015. It was designed to make the web faster by letting many requests share a single connection and by compressing the information about those requests to save bandwidth. The HTTP/2 Bomb exploits the exact features that make it efficient.

The attack combines two techniques that have been known to security researchers individually since 2016 but were not previously recognized as forming a more severe attack when used together. The first technique uses HTTP/2’s header compression: by sending tiny 1-byte references to a pre-seeded header, an attacker forces the server to allocate a full header object in memory for each one. The measured ratio of server memory consumed per network byte sent reaches 70:1 on nginx and 5,700:1 on Envoy. The second technique uses HTTP/2’s flow-control mechanism to freeze the connection so the server cannot complete or close it, ensuring the allocated memory is held until the process is killed or the machine runs out of RAM.

Which Servers Are Affected and What to Do Today

The vulnerability affects every HTTP/2 server tested. The amplification ratio and the patching path differ by platform:

  • nginx: ~70:1 amplification. Patched today through the official nginx package repository. Hosting providers running nginx as a front-end server should apply this update as a priority. In shared hosting, where a single nginx instance fronts many customers, this is a multi-tenant risk: a single malicious tenant can take down everyone on the same server.
  • Apache httpd: ~4,000:1 amplification. The fix (CVE-2026-49975) exists in the standalone mod_http2 module but has not been bundled into any released Apache httpd version. This is the largest patch gap at time of publication. A standard apt upgrade apache2 or yum update httpd will not deliver it. Applying the fix requires manually installing the updated mod_http2 module from Apache’s module releases. Until a bundled httpd release ships the fix, Apache deployments should be treated as effectively unpatched. Enforcing stricter HTTP/2 concurrency limits at a load balancer or reverse proxy in front of Apache is a partial mitigation.
  • Microsoft IIS: ~68:1 amplification. No patch from Microsoft at time of publication. No CVE has been assigned to the IIS variant. Rate limiting at the connection level and monitoring for connections with sustained zero-window flow-control are the available partial mitigations. Given that working proof-of-concept code is already public on the researcher’s GitHub, the window before active exploitation attempts is likely short.
  • Envoy (used mainly in microservices and Kubernetes environments): highest measured amplification of the tested implementations. No patch available.
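As an added illustration of the "stricter limits at a reverse proxy" mitigation described above (this configuration is not from the researcher or any vendor advisory), the following nginx configuration fronts an unpatched Apache httpd, caps HTTP/2 connections per client address and streams per connection, and shortens timeouts so a stalled connection is released sooner. The directives are standard nginx directives; the numeric values, hostnames, paths and the backend address are assumptions to be tuned per deployment.

```nginx
# Added example: nginx (patched) terminating HTTP/2 in front of Apache httpd.
# All numeric values are assumptions; tune them against real traffic.
http {
    # Per-client-address connection counter (zone name and size are assumed).
    limit_conn_zone $binary_remote_addr zone=h2_per_ip:10m;

    # Bound the receive buffer nginx keeps per HTTP/2 connection (default 256k).
    http2_recv_buffer_size 128k;

    server {
        listen 443 ssl;
        http2 on;                        # nginx 1.25.1+; older: "listen 443 ssl http2;"
        server_name example.com;         # placeholder
        ssl_certificate     /etc/ssl/certs/example.pem;     # placeholder path
        ssl_certificate_key /etc/ssl/private/example.key;   # placeholder path

        # At most 10 concurrent connections from one client address (assumed).
        limit_conn h2_per_ip 10;

        # Fewer concurrent streams per connection than the default of 128.
        http2_max_concurrent_streams 32;

        # A connection is closed after this many requests even if the client
        # would keep it open.
        keepalive_requests 500;

        # Release connections whose client stops sending or reading promptly,
        # so a held connection pins server memory for seconds, not hours.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;

        location / {
            # Apache backend (assumed address). nginx speaks HTTP/1.1 to the
            # upstream, so the client's HTTP/2 frames are never parsed by Apache;
            # this only helps if Apache is not also reachable directly.
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }
    }
}
```

These limits reduce how much memory one client can pin and how long it can hold it; they do not change the per-byte amplification inside an unpatched HTTP/2 implementation, which is why the article calls this a partial mitigation.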

A prior, separately discovered Apache flaw with similar characteristics (CVE-2025-53020, fixed in Apache 2.4.64 in July 2025) shows that the underlying issue, HTTP/2’s header compression as a vector for memory pressure, has been patched before. The HTTP/2 Bomb is a new and more effective composition of the same surface.

OpenAI Codex Found It. What That Actually Means.

The discovery process is the part with implications beyond today’s patch cycle. Luong directed OpenAI Codex, an AI coding agent, to read the source code of nginx, Apache, Envoy, and IIS, then asked it to determine whether two specific techniques already known to the security community could be combined into a single attack. Codex confirmed they could, identified the relevant code paths in each implementation, and generated proof-of-concept exploit code that Luong verified.

Codex did not derive a new vulnerability class from first principles. Both techniques it combined have been documented for about ten years. What Codex contributed was the ability to read multiple large codebases in parallel, cross-reference a known technique against four separate implementations, and produce working exploit code quickly. The researcher provided the hypothesis. The AI accelerated verification and weaponization.

The distinction matters because it describes a workflow now available to a much broader range of actors than was true five years ago. A researcher who suspects a class of vulnerability might exist, and who has access to an AI coding agent, can scan a large software system for instances of that vulnerability significantly faster than a human reading code manually. Luong is scheduled to present the methodology at the Real World AI Security conference at Stanford. Three months earlier, the same research group, Calif, published a separate finding (CVE-2026-27654, a high-severity heap overflow in nginx’s WebDAV module, rated CVSS 8.2) discovered using Anthropic’s Claude. A small team producing serious vulnerability disclosures in rapid succession by using AI to systematically audit server software is not an isolated experiment.

HTTP/2’s Recurring Problem

HTTP/2’s complexity has made it a recurring source of protocol-layer vulnerabilities, each exploiting a different feature rather than a bug in any one vendor’s code. The HTTP/2 Bomb is the latest iteration of a structural problem.

In 2016, the original HPACK Bomb (CVE-2016-6581) showed that HTTP/2’s header compression could expand 16 kilobytes of compressed data into 64 megabytes at the server, a 4,096:1 ratio. In 2023, HTTP/2 Rapid Reset (CVE-2023-44487) was used in the wild before disclosure and produced what was at the time the largest DDoS attack ever recorded, peaking at 398 million requests per second against Cloudflare, with a botnet of roughly 20,000 machines. In April 2024, the HTTP/2 CONTINUATION Flood demonstrated that a single machine with one TCP connection could crash an HTTP/2 server with no entries in the server’s access logs, because incomplete requests without a terminating header flag do not produce a log line. Apache, Golang, Node.js, and others received CVE assignments.

The HTTP/2 Bomb follows the same pattern as the CONTINUATION Flood: low resource requirement for the attacker, no distinctive access log signature during the attack, and broad impact across multiple server implementations at once. The absence of botnet requirements means hosting providers cannot rely on volumetric thresholds or IP reputation systems to filter this traffic. A single subscriber IP sending well-formed but malicious HTTP/2 traffic looks identical to a legitimate connection until the server’s memory is exhausted.