
HTTP/2 Bomb: Memory Leak Enables DoS on Nginx, Apache, and IIS

In a nutshell: A memory leak in HTTP/2 implementations enables DoS attacks on Nginx, Apache HTTPD, and Microsoft IIS with just a 100-Mbps connection and standard hardware.

Security researchers have discovered a vulnerability in widely deployed web servers that allows a single attacker with minimal bandwidth to crash servers using specially crafted HTTP/2 requests.

Researchers from the University of California have identified a vulnerability in the HTTP/2 implementations of Nginx, Apache HTTPD, and Microsoft IIS, which they have named HTTP/2 Bomb. The vulnerability allows specially crafted HTTP/2 requests to cause memory overflows and trigger a denial-of-service condition.

What is remarkable about this vulnerability is the low barrier to a successful attack: a single attacker needs only a laptop and a standard internet connection with 100 Mbps bandwidth to bring a vulnerable web server to its knees. This makes the vulnerability a practically relevant threat to exposed infrastructure.

For CISOs, this means immediate action is required: affected systems should be checked for available security patches. At the same time, mitigation measures such as limiting concurrent HTTP/2 connections or implementing rate limiting at the HTTP/2 stream level can be deployed in the short term.
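As an added example (not from the article or from the researchers), the following script audits an nginx configuration for the short-term mitigations named above and lists, for each HTTP/2-enabled server block, which limits are not set. The mapping of those mitigations onto the nginx directives `http2_max_concurrent_streams`, `limit_conn` and `limit_req` is an assumption made here, and the sample configuration is constructed.

```python
import re
# Constructed sample config (not from the article); hostnames are placeholders.
SAMPLE_CONF = """
http {
    limit_req_zone $binary_remote_addr zone=req_ip:10m rate=20r/s;
    server {
        listen 443 ssl;
        http2 on;
        server_name hardened.example;
        http2_max_concurrent_streams 32;
        location / { limit_req zone=req_ip burst=40; }
    }
    server {
        listen 443 ssl http2;
        server_name default.example;
    }
}
"""
CHECKS = ("http2_max_concurrent_streams", "limit_conn", "limit_req")  # assumed mapping

def directives(text):  # one word list per directive, nested blocks flattened
    return [d.split() for d in re.split(r"[;{}]", text) if d.strip()]

def split_config(conf):
    """Return (text outside server blocks, [server block bodies])."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    outer, bodies, pos = [], [], 0
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):           # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        outer.append(conf[pos:m.start()])
        bodies.append(conf[m.end():i - 1])
        pos = i
    return " ".join(outer + [conf[pos:]]), bodies

def audit(conf):
    """Map each HTTP/2-enabled server_name to the limits it does not set."""
    outer, bodies = split_config(conf)
    inherited = {d[0] for d in directives(outer)}   # set at http level
    report = {}
    for body in bodies:
        ds = directives(body)
        if not any(d[:2] == ["http2", "on"] or (d[0] == "listen" and "http2" in d) for d in ds):
            continue                             # HTTP/2 not enabled here
        name = next((d[1] for d in ds if d[0] == "server_name" and len(d) > 1), "(unnamed)")
        seen = inherited | {d[0] for d in ds}
        report[name] = [c for c in CHECKS if c not in seen]
    return report
```

The script checks only whether a directive is present, not whether its value is tight enough; where `http2_max_concurrent_streams` is absent, nginx applies its built-in default.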


Source: borncity.com · Published 5 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.6.5.
