HTTP/2 Bomb DoS Vulnerability Threatens Major Web Servers
Security researchers at Calif disclosed a significant denial-of-service technique dubbed the HTTP/2 Bomb, affecting major web servers and HTTP/2 implementations including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The attack combines two well-known concepts in a novel way: it abuses HTTP/2 header compression behavior (HPACK) while holding connections open in a Slowloris-style pattern, preventing the server from freeing memory.
The result is memory pressure that can crash or seriously degrade affected servers. HTTP/2 is widely deployed because it improves web performance through multiplexing and compression, but the same performance features create edge cases when attackers intentionally shape traffic abnormally. For businesses, this is not just a technical curiosity — a remote DoS issue can affect websites, APIs, SaaS dashboards, customer portals, and login systems.
The disclosure also coincides with Google's June 2026 Android security update patching 124 vulnerabilities, including CVE-2025-48595 — an Android Framework zero-click elevation-of-privilege flaw under limited targeted exploitation. Organizations should apply server patches as they become available, review WAF and CDN behavior under abnormal HTTP/2 traffic, and monitor for memory spikes and long-lived connections.
The HTTP/2 Bomb demonstrates that protocol-level vulnerabilities in foundational web infrastructure remain a serious threat. Combined with the actively exploited Android zero-day, this week underscores that the attack surface spans from servers to mobile endpoints.
Which servers are affected by the HTTP/2 Bomb?
NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora are all affected. Organizations running HTTP/2 on these servers should apply patches immediately.
What is CVE-2025-48595?
An Android Framework zero-click elevation-of-privilege vulnerability patched in Google's June 2026 security update, currently under limited targeted exploitation.