A new denial-of-service (DoS) attack called “HTTP/2 Bomb” has been identified against web servers that use the HTTP/2 protocol. The attack can be launched from a single machine and may render some servers running default configurations inaccessible within seconds.
According to available information, the attack can affect default HTTP/2 configurations of widely used web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy and Cloudflare Pingora. “HTTP/2 Bomb” combines two previously known DoS techniques: artificially increasing memory usage over HTTP/2 and retaining server resources for an extended period by abusing the flow-control mechanism.
During the attack, the threat actor sends small requests that cause the server to allocate a large amount of memory. In some cases, a very small amount of data sent by the attacker can result in thousands of times more memory usage on the server side. This may lead to the rapid exhaustion of server resources.
In the next stage of the attack, the allocated memory is prevented from being reused by the server. This is achieved by abusing HTTP/2 flow-control capabilities and preventing the server from completing its response. As a result, the requests remain open and the overall functionality of the server is disrupted.
In testing, Envoy version 1.37.2 exhausted 32 GB of RAM in approximately 10 seconds, Apache httpd 2.4.67 exhausted 32 GB of RAM in about 18 seconds, nginx 1.29.7 exhausted 32 GB of RAM in about 45 seconds and IIS exhausted 64 GB of RAM in approximately 45 seconds.
The main risk of the attack is its ability to bypass some existing defense mechanisms. Since the request elements used in the attack are very small, general size limits are not triggered. Instead, the increase in resource usage occurs through the server’s internal processing and memory allocation mechanisms.
The issue has already been addressed on some platforms. NGINX version 1.29.8 introduced a new “max_headers” directive, while Apache httpd mod_http2 2.0.41 fixed the issue under the identifier CVE-2026-49975. At the time of writing, no corresponding update is available for IIS, Envoy or Pingora.
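The two stages described above (responses whose memory stays allocated, then delivery stalled through flow control) and the kind of server-side limit that contains them can be made concrete with a small model. The following Python is an added example written for this article, not code from any of the servers named in it; it uses a constructed scenario, and the figures in it (a 64 KiB buffered response per stream, a 128-stream cap, a 10-second stall timeout) are assumed illustration values, not the defaults of any real server. It deliberately simplifies: real servers account for header memory and DATA buffers separately, and the "max_headers" directive mentioned above is not what is modelled here.

```python
from dataclasses import dataclass, field
from typing import Optional

RESPONSE_SIZE = 64 * 1024  # constructed: bytes the server holds per response awaiting window


@dataclass
class Stream:
    stream_id: int
    buffered: int                   # response bytes still waiting for client window
    window: int                     # client's advertised receive window (bytes)
    stalled_since: Optional[float]  # time the window first reached zero, or None


@dataclass
class Connection:
    max_streams: int                # cap on concurrently open streams per connection
    stall_timeout: Optional[float]  # reclaim streams stalled this long; None disables
    streams: dict = field(default_factory=dict)
    refused: int = 0
    reaped: int = 0

    def open_stream(self, sid: int, size: int, window: int, now: float) -> bool:
        """Accept a stream unless the per-connection cap is reached (REFUSED_STREAM)."""
        if len(self.streams) >= self.max_streams:
            self.refused += 1
            return False
        self.streams[sid] = Stream(sid, size, window, now if window == 0 else None)
        return True

    def window_update(self, sid: int, increment: int, now: float) -> None:
        """Client WINDOW_UPDATE: a reopened window clears the stall clock."""
        s = self.streams.get(sid)
        if s is None:
            return
        s.window += increment
        if s.window > 0:
            s.stalled_since = None

    def flush(self, now: float) -> None:
        """Send what the window allows; finished streams are closed and freed."""
        for sid in list(self.streams):
            s = self.streams[sid]
            sent = min(s.buffered, s.window)
            s.buffered -= sent
            s.window -= sent
            if s.buffered == 0:
                del self.streams[sid]
            elif s.window == 0 and s.stalled_since is None:
                s.stalled_since = now

    def reap_stalled(self, now: float) -> int:
        """Close streams whose window has sat at zero past the timeout; return bytes freed."""
        if self.stall_timeout is None:
            return 0
        freed = 0
        for sid in list(self.streams):
            s = self.streams[sid]
            if s.stalled_since is not None and now - s.stalled_since >= self.stall_timeout:
                freed += s.buffered
                del self.streams[sid]
                self.reaped += 1
        return freed

    def buffered_total(self) -> int:
        return sum(s.buffered for s in self.streams.values())


def run_scenario(max_streams: int, stall_timeout: Optional[float],
                 attempted: int = 200, duration: int = 30) -> dict:
    """Constructed scenario: one client opens `attempted` streams at t=0, each with a
    zero receive window, and never sends WINDOW_UPDATE, so nothing can be delivered."""
    conn = Connection(max_streams, stall_timeout)
    for sid in range(1, 2 * attempted, 2):  # client-initiated streams use odd ids
        conn.open_stream(sid, RESPONSE_SIZE, 0, now=0.0)
    peak = conn.buffered_total()
    for t in range(1, duration + 1):
        conn.flush(float(t))
        conn.reap_stalled(float(t))
        peak = max(peak, conn.buffered_total())
    return {"accepted": attempted - conn.refused, "refused": conn.refused,
            "reaped": conn.reaped, "peak_buffered": peak,
            "final_buffered": conn.buffered_total()}


def slow_reader(stall_timeout: Optional[float], chunk: int = 16 * 1024) -> dict:
    """A legitimate slow client that keeps advertising window must not be reaped."""
    conn = Connection(max_streams=128, stall_timeout=stall_timeout)
    conn.open_stream(1, RESPONSE_SIZE, chunk, now=0.0)
    t = 0.0
    while 1 in conn.streams:
        t += 1.0
        conn.flush(t)
        conn.reap_stalled(t)
        conn.window_update(1, chunk, t)
    return {"reaped": conn.reaped, "finished_at": t}


if __name__ == "__main__":
    print("no limits:", run_scenario(10_000, None))
    print("cap + stall timeout:", run_scenario(128, 10.0))
    print("slow but honest reader:", slow_reader(10.0))
```

Without limits every stalled stream keeps its response memory for the whole run; with a stream cap the amount held is bounded up front, and the stall timeout returns it once the client has provably stopped reading. The `slow_reader` case is the check a practitioner wants before turning such a timeout on: a client that drains slowly but keeps sending WINDOW_UPDATE never trips it.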