New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Summary
A new vulnerability called HTTP/2 Bomb affects major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare by combining two attack techniques: a compression bomb that abuses HPACK (HTTP/2's header compression scheme) so that a small number of bytes on the wire expands into a large amount of header state in server memory, and a Slowloris-style hold (a denial-of-service technique that keeps many connections open at once) so that the inflated state is not released. A single attacker on a home internet connection can exhaust a vulnerable server's memory and make it unreachable within seconds.
Solution / Mitigation
NGINX: Upgrade to version 1.29.8 or later, which adds the max_headers directive with a default of 1000. If upgrading is not immediately possible, disable HTTP/2 with http2 off;.
Apache HTTPD: Upgrade mod_http2 to version 2.0.41 or later. Alternatively, set Protocols http/1.1 to disable HTTP/2.
Microsoft IIS, Envoy, and Cloudflare Pingora: No patch available as of the article's writing date.
Disabling HTTP/2 is a workaround rather than a fix: clients fall back to HTTP/1.1, which removes the HPACK exposure on that listener at the cost of HTTP/2's multiplexing and header compression. Re-enable HTTP/2 once a patched build is deployed, and confirm the running version (nginx -v, or the loaded mod_http2 version) rather than trusting the package name.
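The NGINX configuration change, as an added example that is not from the article or the NGINX project: one server block in the exposed state, then the two mitigated forms the article names. The hostname, certificate paths and upstream address are placeholders. The directive name max_headers and its default of 1000 are as reported by the article; the value 100 chosen here, and placing the directive at server scope, are assumptions, since the article does not state the directive's permitted contexts or a recommended value.

```nginx
# Added example (not the article's or NGINX's own configuration).
# Hostname, certificate paths and the upstream are placeholders.

# BEFORE: HTTP/2 enabled on a build older than 1.29.8, with no cap on the
# number of request header fields. This is the exposed configuration.
server {
    listen 443 ssl;
    http2 on;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# AFTER (patched build, 1.29.8 or later): keep HTTP/2 and set max_headers
# explicitly. The article reports the directive's default as 1000; 100 is an
# assumed value for an application that never sends anywhere near that many
# header fields. Server-scope placement is also an assumption.
server {
    listen 443 ssl;
    http2 on;
    max_headers 100;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# AFTER (unpatched build): disable HTTP/2 on this server so clients fall back
# to HTTP/1.1. This is the workaround the article gives, not a fix.
server {
    listen 443 ssl;
    http2 off;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Validate with nginx -t before reloading; on a build older than 1.29.8 the max_headers line will fail the syntax check, which is itself a useful signal that the upgrade has not actually landed. Only one of the three server blocks should be present for a given listener in practice; they are shown side by side for comparison.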
Classification
Original source: https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
First tracked: June 3, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%