
HTTP/2 Denial-of-Service: Client-Based Memory Attack on Web Servers

Bottom line: Attackers can disable web servers through memory allocation using a single HTTP/2 client, requiring minimal resources or botnet infrastructure.

A security vulnerability in HTTP/2 implementations allows an attacker to exhaust the memory of web servers such as Nginx, Apache HTTPD, and Microsoft IIS with minimal effort, rendering them unavailable (denial of service) within seconds.

The vulnerability affects widely deployed web server platforms: Nginx, Apache HTTPD, and Microsoft IIS are vulnerable to an HTTP/2-based denial-of-service attack. A single client is sufficient to exhaust the server's memory and bring the service down in a short time.

For a CISO, this vector is particularly critical because the attack presents minimal technical hurdles. Unlike classical DDoS attacks, this method requires neither distributed infrastructure nor high bandwidth capacity on the attacker’s side. This lowers the barrier to entry and increases the risk of spontaneous or opportunistic attacks on exposed web infrastructure.

Affected organizations should prioritize reviewing the HTTP/2 implementations of their web servers and deploy the security patches that are available. Additionally, monitoring and alerting mechanisms should be reviewed so that anomalous memory allocation is detected in real time. At the perimeter level, rate limiting and connection limits on HTTP/2 can serve as an interim measure for risk reduction until patches are available.
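The interim measures mentioned above (connection limits and rate limiting on HTTP/2) can be expressed directly in an Nginx server block. The following configuration is an added illustration, not taken from the article or from any vendor advisory; the zone names, thresholds and the `example.com` host are assumed values that must be tuned to the real traffic profile, and the snippet does not claim to fully remediate the vulnerability described, only to bound the per-client resources a single HTTP/2 connection can consume while patches are pending.

```nginx
# Added example: bounding per-client HTTP/2 resource use in Nginx.
# Zone names, limits and host name are assumptions, not the page's values.

http {
    # One shared-memory zone tracking concurrent connections per client IP,
    # and one tracking request rate per client IP (names are assumed).
    limit_conn_zone $binary_remote_addr zone=h2_conn_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=h2_req_per_ip:10m rate=30r/s;

    server {
        listen 443 ssl;
        http2 on;                       # Nginx 1.25.1+; older releases use "listen 443 ssl http2;"
        server_name example.com;        # assumed host name

        # Cap simultaneous connections and request rate from a single client.
        limit_conn h2_conn_per_ip 20;
        limit_req  zone=h2_req_per_ip burst=60 nodelay;

        # Lower the number of streams a single HTTP/2 connection may multiplex
        # (Nginx default is 128); fewer streams means less state per client.
        http2_max_concurrent_streams 32;

        # Log rejected clients at a level that feeds alerting on memory anomalies.
        limit_conn_log_level warn;
        limit_req_log_level  warn;
        limit_conn_status 429;
        limit_req_status  429;

        location / {
            proxy_pass http://backend;  # assumed upstream
        }
    }
}
```

Before rolling this out, compare the chosen thresholds against peak legitimate traffic; a value that is too low turns the mitigation into a self-inflicted outage. Watch the error log for the `limiting connections` and `limiting requests` entries these directives emit, since a sudden rise from a single source is exactly the signal the monitoring recommendation above is looking for.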


Source: www.golem.de · Published June 4, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.
