A vulnerability dubbed “HTTP/2 Bomb” has been disclosed that affects several implementations of the HTTP/2 protocol. It enables a denial-of-service attack that exhausts all memory available to the server process. It has been confirmed in HTTP servers such as nginx, Apache httpd (CVE-2026-49975), Microsoft IIS, Envoy (CVE-2026-47774), and Cloudflare Pingora in their default configurations.
The attack abuses HTTP/2 header compression (HPACK) in a manner similar to a zip bomb. The client sends a header block containing thousands of headers such as “cookie” with no value attached, each encoded as a one-byte reference to an entry in the HPACK index; the server must nevertheless allocate its full in-memory representation for every decoded header. The amplification varies between servers: about 70 bytes of memory per byte of compressed header block in nginx, IIS, and Pingora, about 4000 bytes per byte in Apache httpd, and about 5700 bytes per byte in Envoy.
A single consumer machine on a 100 Mbps link can exhaust 32 GB of memory in roughly 10 seconds against a server running Envoy 1.37.2, 18 seconds against Apache httpd 2.4.67, and 45 seconds against nginx 1.29.7.
To address the vulnerability, the freenginx project has released nginx 1.29.8, which adds a max_headers directive that limits the processing of headers to 1000. Envoy 1.36.7 enforces limits through mutable_max_request_headers_kb and max_headers_count. A fix for Apache httpd is proposed in the mod_http2 module, version 2.0.41, but it has not yet been included in an Apache httpd release.
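The following is an added Python example, not code from the article's source or from nginx, httpd, Envoy, IIS or Pingora. It makes the amplification described above concrete and shows the kind of limit the fixes rely on: it implements the RFC 7541 integer coding and the Indexed Header Field representation against a subset of the HPACK static table, builds a block of thousands of one-byte references to the empty-valued “cookie” entry (static index 32), decodes it, and rejects the block as soon as a maximum header count or the RFC 7540 header-list-size accounting (name + value + 32 octets per field) is exceeded. The function and class names, the 32-octet accounting as a stand-in for a server's real per-header cost, and the 64 KiB list-size value are this example's own assumptions; real servers spend far more per header than the RFC accounting suggests, as the figures above show.

```python
"""HPACK indexed-header amplification and the limits that stop it (added example)."""

from typing import List, Optional, Tuple

# Subset of the RFC 7541 Appendix A static table: index -> (name, value).
# Index 32 is the empty-valued "cookie" entry a one-byte reference can target.
STATIC_TABLE = {
    1: (":authority", ""),
    2: (":method", "GET"),
    4: (":path", "/"),
    7: (":scheme", "https"),
    32: ("cookie", ""),
    38: ("host", ""),
    58: ("user-agent", ""),
}
STATIC_TABLE_SIZE = 61     # indices above this refer to the dynamic table
FIELD_OVERHEAD = 32        # RFC 7540 s10.5.1 per-field accounting overhead


class HeaderLimitExceeded(Exception):
    """Raised when a header block exceeds a configured limit."""


def encode_integer(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 s5.1 integer encoding with an N-bit prefix; `flags` sets the top bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_integer(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """Inverse of encode_integer; returns (value, position after the integer)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_indexed(index: int) -> bytes:
    """Indexed Header Field Representation (RFC 7541 s6.1): first bit set, 7-bit prefix."""
    return encode_integer(index, 7, 0x80)


def build_indexed_block(index: int, count: int) -> bytes:
    """A header block made of `count` references to the same table entry."""
    return encode_indexed(index) * count


def decode_header_block(block: bytes, max_headers: Optional[int] = None,
                        max_list_size: Optional[int] = None) -> List[Tuple[str, str]]:
    """Decode indexed fields, checking limits per field *before* storing it.

    Checking while decoding bounds the allocations a hostile block can force;
    checking only after the whole block is decoded would be too late.
    """
    headers: List[Tuple[str, str]] = []
    list_size = 0
    pos = 0
    while pos < len(block):
        if not block[pos] & 0x80:
            raise NotImplementedError("this demo decodes only indexed representations")
        index, pos = decode_integer(block, pos, 7)
        if index == 0 or index > STATIC_TABLE_SIZE:
            raise ValueError(f"index {index}: invalid or dynamic table (not in demo)")
        if index not in STATIC_TABLE:
            raise ValueError(f"index {index} is outside this demo's table subset")
        name, value = STATIC_TABLE[index]
        list_size += len(name) + len(value) + FIELD_OVERHEAD
        if max_headers is not None and len(headers) + 1 > max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} headers")
        if max_list_size is not None and list_size > max_list_size:
            raise HeaderLimitExceeded(f"header list exceeds {max_list_size} octets")
        headers.append((name, value))
    return headers


def accounted_size(headers: List[Tuple[str, str]]) -> int:
    """RFC 7540 header-list size of an already decoded block."""
    return sum(len(n) + len(v) + FIELD_OVERHEAD for n, v in headers)


def expansion_ratio(block: bytes) -> float:
    """Accounted octets produced per octet of compressed header block."""
    return accounted_size(decode_header_block(block)) / len(block)


def is_rejected(block: bytes, **limits) -> bool:
    """True if the given limits reject the block during decoding."""
    try:
        decode_header_block(block, **limits)
    except HeaderLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = build_indexed_block(32, 4000)          # 4000 octets on the wire
    print(f"{len(bomb)} octets -> {len(decode_header_block(bomb))} headers, "
          f"{expansion_ratio(bomb):.0f}x by RFC 7540 accounting alone")
    for limits in ({"max_headers": 1000}, {"max_list_size": 64 * 1024}):
        print(limits, "rejects the block:", is_rejected(bomb, **limits))
```

Even by the conservative RFC accounting, each one-byte reference expands 38-fold; a server that builds a heap-allocated header object per field expands it far more, which is the 70× to 5700× range reported above. The two limits shown correspond to the header-count cap the nginx and Envoy fixes add and to the SETTINGS_MAX_HEADER_LIST_SIZE accounting that HTTP/2 already defines; either one stops the block after a bounded number of allocations, but only if it is checked inside the decode loop.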