On June 3, 2026, security researchers at Calif publicly disclosed details of a novel denial-of-service technique named “HTTP/2 Bomb,” a threat that can exhaust server memory and crash default HTTP/2 deployments across some of the world’s most widely used web servers. The attack, reportedly discovered with the assistance of OpenAI Codex, targets the way HTTP/2 handles multiplexed streams, enabling a single connection to force uncontrolled memory allocation. Windows Server administrators running Internet Information Services (IIS) are among those urgently reviewing their defenses, as the vulnerability affects nginx, Apache httpd, Envoy, and other major HTTP/2 implementations right out of the box.
The initial report from the Calif research team—believed to be from the California-based security collective known for its work on protocol-level flaws—warns that the attack requires minimal bandwidth and can be executed in seconds. Unlike volumetric DDoS floods, HTTP/2 Bomb leverages the protocol’s built-in efficiency mechanisms against it, making it a devastating tool for taking down secure web infrastructure. This breakdown explores the inner workings of the attack, its impact on Windows environments, and what IT teams can do while the industry scrambles for patches.
How HTTP/2 Bomb Works
At its core, HTTP/2 Bomb is a resource-exhaustion attack that manipulates the HTTP/2 stream prioritization and flow control systems. HTTP/2 allows multiple requests and responses to be multiplexed over a single TCP connection, each tagged with a stream identifier. To manage bandwidth fairness, the protocol uses a flow-control window—advertised by the receiver—that limits how much data the sender can transmit. The attack crafts a sequence of stream frames that repeatedly reset and reopen streams while exploiting the way servers allocate memory for stream state and flow-control buffering.
Researchers found that by sending specially crafted SETTINGS frames and stream data, an attacker can trigger the server to reserve increasingly large memory buffers without ever releasing them. The technique bypasses normal flow-control limits by using a mix of HEADERS and WINDOW_UPDATE frames that appear legitimate but confuse the server’s internal accounting. The result is a steady leak of memory that, within minutes, can exhaust all available RAM and force the server process to be killed by the operating system or crash with an out-of-memory error.
What makes HTTP/2 Bomb particularly alarming is its discovery with the help of OpenAI Codex. The researchers indicated that the AI model assisted in rapidly exploring unusual frame combinations and identifying edge cases in the HTTP/2 specification that human audits had missed. This AI-assisted approach allowed the team to uncover a vulnerability that has likely existed since HTTP/2’s standardization in 2015, hiding in plain sight across every implementation that strictly follows the RFC.
Affected Web Servers and Windows IIS Impact
According to the disclosure, the attack affects default configurations of:
- nginx (all stable releases with HTTP/2 enabled)
- Apache httpd (mod_http2 module)
- Envoy proxy (commonly used in service meshes)
- Microsoft IIS (with HTTP/2 support enabled, default on Windows Server 2016 and later)
- Other servers that implement HTTP/2 stream multiplexing without rate-limiting or strict memory accounting for aborted streams.
For Windows Server environments, the impact is immediate. IIS enables HTTP/2 by default on Windows Server 2016, 2019, 2022, and the upcoming Windows Server 2025. That means millions of public-facing websites, APIs, and internal applications running on .NET or ASP.NET Core are potentially exposed. In testing by the researchers, a single TLS handshake followed by a burst of malicious frames was enough to bring an IIS worker process (w3wp.exe) to its memory limit, causing the application pool to terminate and triggering downtime that can range from a few seconds to several minutes depending on automatic recovery settings.
What’s worse, because the attack uses valid TLS-encrypted HTTP/2 traffic, it can slip past traditional intrusion detection systems and web application firewalls that simply look for malformed packets. This means many organizations may not have the visibility to detect an ongoing attack until their monitoring systems flag high memory usage or server crashes.
The Hidden Danger in HTTP/2 Design
The vulnerability is rooted in two aspects of HTTP/2’s design: the complexity of stream priority and the assumption that endpoints will cooperatively respect flow control. Since RFC 7540 (and the newer RFC 9113) does not mandate aggressive limits on concurrent streams or memory allocation per stream, servers have historically adopted generous limits. For instance, nginx, by default, allows up to 128 concurrent streams with a large connection-level flow-control window. An attacker can open streams at the maximum allowed, send just enough data to trigger window updates, then cancel them—forcing the server to allocate bookkeeping structures that are never properly freed because of a bug in how reset streams and pending frames are handled.
The AI-assisted search reportedly focused on sequences that cause a desynchronization between the connection-level flow-control window and the sum of stream-level windows. In a correct implementation, when a stream is reset, any cached data for that stream should be discarded and the window should be reclaimed. However, in affected servers, the interplay between RST_STREAM frames and pending WINDOW_UPDATE frames causes the server to continue allocating buffer space for data that will never arrive, leading to what the researchers call a “hung stream memory leak.” The leak is amplified by rapidly creating and resetting thousands of streams within a single connection.
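The correct accounting the paragraph above describes, as an added example that is not code from the disclosure or from any of the named servers: a toy receiver-side model in which a per-stream receive buffer is reserved when a stream opens, is reclaimed the moment RST_STREAM arrives, and cannot be resurrected by a late WINDOW_UPDATE (RFC 9113 section 5.1 requires such frames for closed streams to be ignored). The buffer sizes, the concurrency cap and the `churn` helper are illustrative constants and assumptions chosen here, not any server's defaults.

```python
"""Toy model of server-side HTTP/2 stream accounting (added example; not code
from the disclosure or any web server). Sizes and limits are illustrative."""

from dataclasses import dataclass, field


class ProtocolError(Exception):
    """Raised for frames the connection refuses (a connection error in RFC 9113)."""


@dataclass
class Stream:
    stream_id: int
    reserved: int = 0          # bytes of receive buffer currently reserved for this stream
    send_window: int = 0       # how much the peer currently lets us send on it


@dataclass
class Connection:
    """Receiver-side bookkeeping for one HTTP/2 connection."""
    max_concurrent_streams: int = 10        # value we advertise in SETTINGS (assumed)
    initial_window: int = 64 * 1024         # per-stream receive buffer we reserve (assumed)
    connection_window: int = 1024 * 1024    # total receive reservation we allow (assumed)
    streams: dict = field(default_factory=dict)
    reserved_total: int = 0                 # sum of live per-stream reservations
    peak_reserved: int = 0                  # highest reserved_total ever observed
    highest_stream_id: int = 0

    def _reserve(self, stream: Stream, nbytes: int) -> None:
        # Connection-level cap: a single connection can never reserve more than this.
        if self.reserved_total + nbytes > self.connection_window:
            raise ProtocolError("connection-level reservation exceeded")
        stream.reserved += nbytes
        self.reserved_total += nbytes
        self.peak_reserved = max(self.peak_reserved, self.reserved_total)

    def open_count(self) -> int:
        return len(self.streams)

    def on_headers(self, stream_id: int) -> None:
        """Peer opened a stream: enforce the concurrency cap, then reserve its buffer."""
        if stream_id <= self.highest_stream_id:
            raise ProtocolError(f"stream {stream_id} reused or out of order")
        if self.open_count() >= self.max_concurrent_streams:
            raise ProtocolError("SETTINGS_MAX_CONCURRENT_STREAMS exceeded")
        self.highest_stream_id = stream_id
        s = Stream(stream_id)
        self.streams[stream_id] = s
        self._reserve(s, self.initial_window)

    def on_window_update(self, stream_id: int, increment: int) -> None:
        """Peer enlarges our send window; a closed or unknown stream gets no state back."""
        s = self.streams.get(stream_id)
        if s is None:
            return  # RFC 9113 5.1: ignore WINDOW_UPDATE for a closed stream
        s.send_window += increment   # no buffer is allocated for a window update

    def on_rst_stream(self, stream_id: int) -> None:
        """Stream reset: discard buffered data and reclaim the reservation immediately."""
        s = self.streams.pop(stream_id, None)   # drop the bookkeeping, not just the buffer
        if s is None:
            return  # already forgotten: nothing to reclaim
        self.reserved_total -= s.reserved
        s.reserved = 0


def churn(conn: Connection, cycles: int) -> int:
    """Open and immediately reset `cycles` streams; return the peak reservation seen."""
    for i in range(cycles):
        sid = 2 * i + 1                      # client-initiated stream ids are odd
        conn.on_headers(sid)
        conn.on_window_update(sid, 1024)
        conn.on_rst_stream(sid)
        conn.on_window_update(sid, 1024)     # late update for a closed stream: must be a no-op
    return conn.peak_reserved


def concurrency_cap_holds(cap: int) -> bool:
    """True if opening cap+1 streams without resetting any one of them is refused."""
    conn = Connection(max_concurrent_streams=cap)
    for i in range(cap):
        conn.on_headers(2 * i + 1)
    try:
        conn.on_headers(2 * cap + 1)
    except ProtocolError:
        return True
    return False
```

With this accounting, a thousand open/reset cycles on one connection never hold more than one stream's buffer at a time, and `reserved_total` returns to zero; the two invariants worth checking in a real implementation are exactly those: state for a reset stream is gone, and frames naming that stream afterwards create nothing.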
Community Reaction and Early Mitigations
The disclosure has sparked urgent conversations in Windows system administrator forums. Many users immediately began sharing tactics to harden IIS against the attack even before an official Microsoft patch lands. One popular workaround involves adjusting the maxConcurrentStreams limit in IIS’s HTTP/2 settings via the registry, though this is not exposed in the standard IIS Manager UI. Administrators have also proposed using the IIS Advanced Logging module to set alerts on high rates of stream resets per connection.
In the absence of a vendor patch, the security community recommends:
- Disabling HTTP/2 entirely if not strictly needed (though this may break performance-sensitive applications)
- Deploying a reverse proxy or load balancer that has already been hardened against stream-based attacks
- Using connection limits and timeouts aggressively at the network edge
- Monitoring memory usage of web server processes and setting automated restarts for processes that exceed thresholds
Envoy and nginx maintainers have already published configuration workarounds. For nginx, a simple directive http2_max_concurrent_streams 10; significantly reduces the attack surface, while Apache users can set H2MaxSessionStreams 10. For IIS, no such setting is directly available in the GUI, but it can be toggled via the Http2MaxConcurrentStreams DWORD under HKLM\System\CurrentControlSet\Services\HTTP\Parameters; a reboot is required after the change.
Microsoft’s Response and Anticipated Patch
As of press time, Microsoft has not released an official security update addressing HTTP/2 Bomb. However, the Microsoft Security Response Center is actively investigating, according to sources familiar with the matter. With past HTTP/2 vulnerabilities—like the HTTP/2 Rapid Reset attack tracked as CVE-2023-44487—Microsoft provided patches out-of-band within days of disclosure. IT professionals expect a similar swift response, potentially through a Windows Update with a specific KB number once testing is complete.
Given the AI-assisted nature of the discovery, this incident may motivate Microsoft to invest further in AI-driven security analysis of its own protocols. The company has already integrated AI models into its security development lifecycle, but this event underscores the need for external, automated fuzzing of long-lived specifications.
Broader Implications for Web Security
The HTTP/2 Bomb attack is a wake-up call for the entire internet infrastructure. HTTP/2 has been a cornerstone of web performance for nearly a decade, and its robust deployment meant that vulnerabilities were often assumed to be well-understood by now. This finding proves otherwise. It also highlights the double-edged sword of AI in cybersecurity: while it can accelerate defensive research, it equally empowers attackers to discover new exploits more efficiently.
Organizations that rely on Windows Server for hosting should treat this threat as serious. Even if your organization isn’t a high-profile target, automated scanners are likely already incorporating this technique, making unpatched servers an easy mark. The attack’s low bandwidth requirement means it can be launched from a single compromised IoT device, making it far more scalable than traditional DDoS.
Recommendations for Windows Administrators
- Disable HTTP/2 if not required: For legacy applications that only serve HTTP/1.1, disabling HTTP/2 eliminates the vector. This can be done in IIS by clearing the “Enable HTTP/2” checkbox in the site bindings or via the registry.
- Apply configuration limits: As a temporary hardening measure, set Http2MaxConcurrentStreams to a low value such as 10. Test thoroughly, as this may affect page load times for sites with many parallel requests.
- Prepare for out-of-band patching: Keep test environments ready to validate patches as soon as they are released. Previous emergency patches for HTTP/2 issues required minimal testing and were stable, but dependency on .NET framework updates can complicate deployment.
- Enhance monitoring: Instrument your servers to alert when the number of HTTP/2 resets (RST_STREAM frames) per minute spikes, or when a single connection has an abnormally high stream count.
- Use a WAF with protocol-level inspection: Some advanced web application firewalls can detect and block connections that exhibit stream churn patterns, providing a layer of defense even before server-level fixes are in place.
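The “Enhance monitoring” recommendation above, worked through as an added example (not tooling from the article, Microsoft or any vendor): a sliding-window detector that flags a connection when its RST_STREAM count inside any 60-second window crosses a threshold, or when it holds more open streams than expected. IIS and most servers do not log individual HTTP/2 frames, so the input format is an assumption: one constructed line per frame with a timestamp, the client connection, the frame type and the stream id, as an edge proxy or a packet-capture export might emit. `END_STREAM` is used here as a constructed event name for a HEADERS or DATA frame carrying that flag.

```python
"""Sliding-window detector for HTTP/2 stream churn (added example; not part of
the article or any vendor tooling). Assumes a constructed frame-level log."""

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Assumed log line shape: "<ISO-8601 UTC> conn=<ip:port> frame=<TYPE> stream=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn=(?P<conn>\S+) frame=(?P<frame>[A-Z_]+) stream=(?P<stream>\d+)"
)


def parse_line(line: str):
    """Return (timestamp, conn, frame, stream_id), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["conn"], m["frame"], int(m["stream"])


def detect_stream_churn(lines, rst_per_minute=100, max_open_streams=50):
    """Return one alert tuple (conn, rule, value, ts) per connection and rule,
    emitted the first time that rule's threshold is crossed.

    rst_per_minute:   RST_STREAM frames from one connection inside any 60 s window.
    max_open_streams: streams opened by HEADERS and not yet ended or reset.
    Lines are assumed to be in time order within each connection.
    """
    window = timedelta(seconds=60)
    resets = defaultdict(deque)        # conn -> timestamps of recent RST_STREAM frames
    open_streams = defaultdict(set)    # conn -> ids of streams currently open
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                   # skip malformed or unrelated lines
        ts, conn, frame, sid = parsed
        if frame == "HEADERS":
            open_streams[conn].add(sid)
        elif frame in ("RST_STREAM", "END_STREAM"):
            open_streams[conn].discard(sid)
        if frame == "RST_STREAM":
            q = resets[conn]
            q.append(ts)
            while q and ts - q[0] > window:   # drop resets older than the window
                q.popleft()
            if len(q) >= rst_per_minute and (conn, "rst_rate") not in alerted:
                alerted.add((conn, "rst_rate"))
                alerts.append((conn, "rst_rate", len(q), ts))
        if len(open_streams[conn]) > max_open_streams and (conn, "open_streams") not in alerted:
            alerted.add((conn, "open_streams"))
            alerts.append((conn, "open_streams", len(open_streams[conn]), ts))
    return alerts


def build_sample_log():
    """Constructed sample: one ordinary client and one client churning streams."""
    base = datetime(2026, 6, 3, 10, 15, 0, tzinfo=timezone.utc)

    def fmt(ts, conn, frame, sid):
        return f"{ts:%Y-%m-%dT%H:%M:%SZ} conn={conn} frame={frame} stream={sid}"

    lines = []
    # Ordinary browser (constructed address): a few streams, each finished normally.
    for i in range(4):
        sid = 2 * i + 1
        lines.append(fmt(base + timedelta(seconds=i), "198.51.100.7:40100", "HEADERS", sid))
        lines.append(fmt(base + timedelta(seconds=i + 1), "198.51.100.7:40100", "END_STREAM", sid))
    # Churning client (constructed address): 150 streams opened and reset within ten seconds.
    for i in range(150):
        sid = 2 * i + 1
        ts = base + timedelta(milliseconds=66 * i)
        lines.append(fmt(ts, "203.0.113.5:51234", "HEADERS", sid))
        lines.append(fmt(ts, "203.0.113.5:51234", "RST_STREAM", sid))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for conn, rule, value, ts in detect_stream_churn(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {conn} {rule}={value}")
```

Run against the sample, only the churning connection is reported, on its hundredth reset; the ordinary client, which opens four streams and ends them normally, produces nothing. The thresholds are deliberately generous defaults to be tuned against a baseline of your own traffic: a busy browser tab legitimately cancels streams when a user navigates away, so the per-minute reset rate, not the mere presence of RST_STREAM, is what distinguishes churn.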
Looking Ahead
The discovery of HTTP/2 Bomb, facilitated by AI, marks a new chapter in vulnerability research. It’s a stark reminder that even mature, standard protocols harbor hidden risks. For Windows-focused organizations, the immediate priority is damage control: harden IIS deployments, monitor closely, and be ready to deploy a patch at a moment’s notice. In the longer term, this incident will likely accelerate efforts to revise HTTP/2 and its successor, HTTP/3, to include more stringent memory management requirements and better defenses against resource exhaustion.
As the story develops, windowsnews.ai will continue to track Microsoft’s response and any official CVE assignment. For now, the message is clear: HTTP/2 Bomb is not theoretical—it’s a weaponized reality, and every server owner should act accordingly.