HTTP/2 Bomb Turns Header Limits Into Availability Risk

Calif published HTTP/2 Bomb on June 2, 2026, describing a remote denial-of-service technique against default HTTP/2 behavior in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The attack chains two known ideas: HPACK indexed-reference amplification and a Slowloris-style flow-control stall that keeps allocated response memory from being released.

The response is not one universal patch. nginx added a max_headers directive in 1.29.8, Apache's standalone mod_http2 v2.0.41 includes the relevant fix path, and Envoy published GHSA-22m2-hvr2-xqc8 with patched versions 1.35.11, 1.36.7, 1.37.3, and 1.38.1. Teams operating HTTP/2 termination should inventory every edge and internal proxy, patch where possible, disable HTTP/2 where necessary, and enforce both decoded header-size and header-count limits.

Calif's June 2 report describes HTTP/2 Bomb as a remote denial-of-service exploit against major web servers running default HTTP/2 configurations. The researchers report tested impact across nginx 1.29.7, Apache httpd 2.4.67, Envoy 1.37.2, Microsoft IIS on Windows Server 2025, and Cloudflare Pingora 0.8.0. The published companion repository includes per-server writeups, Docker labs, and proof-of-concept scripts, with a clear warning not to run them against infrastructure the reader does not own.

The reported results are availability-focused. Calif says a home computer on a 100 Mbps connection could make a vulnerable server inaccessible within seconds, and that Apache httpd and Envoy could be pushed toward 32 GB of held server memory in roughly 18 and 10 seconds respectively in their demonstrations. Those numbers should not be applied blindly to every production deployment, because CDNs, reverse proxies, resource limits, and custom configuration change exposure. They are still strong evidence that default HTTP/2 termination deserves urgent review.

The first half of the chain is HPACK amplification. HTTP/2 uses HPACK header compression so repeated headers can be represented compactly. In the abuse pattern Calif describes, a client seeds the dynamic table and then sends many small indexed references. The encoded bytes on the wire stay small, but the server materializes many header entries and allocates more memory than the attacker spends.

The second half is a flow-control stall. HTTP/2 lets the receiver advertise a flow-control window. By keeping the window at or near zero and slowly refreshing it, the client can prevent the server from completing and freeing response-related memory. Either technique has a history. The new operational problem is composition: small encoded header work creates memory, and stalled streams keep that memory alive long enough to starve the server.

Calif says nginx received the issue in April and responded by importing a max_headers directive, shipped in nginx 1.29.8. The nginx change log lists version 1.29.8 on April 7, 2026 with the max_headers feature. Teams running nginx should verify the actual build exposed to HTTP/2 traffic and whether vendor-packaged branches have backported equivalent behavior.

For Apache httpd, Calif says disclosure happened on May 27 and that the fix made cookie headers count against LimitRequestFields, with the Apache-side issue assigned CVE-2026-49975. The standalone mod_http2 v2.0.41 release is the relevant upstream component path named by the researchers. Envoy published a separate GitHub Security Advisory, GHSA-22m2-hvr2-xqc8, for HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification, with patched versions listed for supported release lines.

Many HTTP servers already limit total decoded header size, but HTTP/2 Bomb shows why that is not always enough. Calif's writeup says the variant used nearly empty or fragmented headers in ways that avoided decoded-size limits, while the implementation still allocated per-entry bookkeeping or rebuilt cookie material. In other words, byte limits did not always capture the number of header fields, the cost of merging cookies, or the lifetime of a stalled stream.

The defensive lesson is precise: maximum decoded header size and maximum header count are separate constraints. Servers and proxies should also count cookie crumbs consistently, bound stream lifetimes under flow-control stalls, and apply memory ceilings so a single worker is killed and restarted before the whole host is dragged into swap. For high-volume services, this is an engineering control, not a WAF signature alone.

Inventory every place HTTP/2 is terminated, not only the public CDN. That includes internet-facing reverse proxies, origin servers, Kubernetes ingress controllers, service meshes, API gateways, internal Envoy sidecars, load balancers, appliance proxies, developer preview stacks, and managed hosting layers. A service may be safe at the public edge but still vulnerable on an internal hop reachable from a compromised workload or partner network.

For each terminator, record product, version, package source, enabled protocols, upstream/downstream HTTP version behavior, header count limits, decoded header-size limits, cookie handling, stream and connection timeouts, memory cgroup limits, and whether the component sits behind another proxy that normalizes or caps headers. Without that map, teams can patch the visible web server and miss the component actually terminating HTTP/2.

Patch first where fixes exist. Upgrade nginx to a fixed line with max_headers behavior, apply Apache mod_http2 fixes where applicable, and move Envoy to the patched versions named in its advisory. Where a product has no available fix or a vendor package has not yet backported one, disable HTTP/2 for exposed endpoints if the business can tolerate it, or place the service behind a terminating proxy that enforces strict decoded header and header-count limits before traffic reaches the vulnerable component.

Then add detection and failure controls. Watch for rapid memory growth in web server and proxy processes, OOM kills, container exit status 137, a surge in HTTP/2 streams with repeated indexed cookie references, unusual flow-control behavior, and rising latency without matching bandwidth volume. Resource limits should fail a worker or pod early. A clean restart under pressure is better than letting one low-bandwidth client degrade every request on the host.

Calif says the exploit chain was discovered by Codex, which combined two old public ideas after reading code and behavior across implementations. That does not mean AI magically invented a new protocol class. It means the time between public bug history, public diffs, implementation quirks, and working exploit chains is shrinking.

For defenders, that changes patch urgency around quiet-looking changes. A commit that adds a header-count limit or changes cookie accounting may be enough information for automated systems to search nearby codebases for similar failure modes. Protocol implementers and operators should assume that public fixes now become test cases quickly, even when the original advisory is understated.