A new denial-of-service technique can crash web servers by exhausting their memory, security researchers from California revealed in early June 2026. Dubbed HTTP/2 Bomb, the attack exploits fundamental design choices in the HTTP/2 protocol—specifically HPACK header compression and stream flow control—to force nginx, Apache HTTP Server, and Microsoft IIS into an out-of-memory state, even with default settings. No flood of traffic is required; a single connection can bring a server to its knees.

The researchers, who published a detailed paper and proof-of-concept code, warn that all three major server implementations are vulnerable out of the box. While HTTP/2 has seen its share of flaws—Rapid Reset in 2023, for example—this one targets the core mechanisms that make the protocol efficient. Admins who haven’t tuned their HTTP/2 settings are especially at risk.

How HTTP/2 Bomb Works

HTTP/2 uses binary framing to multiplex multiple streams over a single TCP connection. Each stream carries request/response headers and data. Two features make it fast but also dangerous: HPACK compression and flow control.

HPACK Header Compression

HPACK reduces header overhead by maintaining a dynamic table on both client and server. Headers sent by the client can reference entries in this table, or add new entries that expand the table up to a negotiated maximum size (default 4 KB in most servers). The attack manipulates this mechanism by sending a series of headers that create thousands of large, never-repeated entries. These entries are stored in the server’s per-connection dynamic table, consuming memory that is never released as long as the connection stays open.

Even with a table size limit, an attacker can fill the table to its limit and keep it full. More importantly, header blocks that reference those entries cause the server to decode and store the full headers in memory for each stream. The attacker opens many streams, each referencing different giant entries, so the decoded header memory multiplies with the stream count.
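To make the size accounting concrete, here is an added example (written for this article, not code from the paper or from any server) that models a receiver-side HPACK dynamic table as RFC 7541 section 4 specifies it: every entry costs its name length plus its value length plus 32 octets, and the oldest entries are evicted until a new one fits. The header names and value lengths in `pinned_table_size` are constructed inputs; the point it demonstrates is that the table itself never exceeds the advertised maximum, so the per-stream decoded headers described above are where the multiplier comes from.

```python
# Added example: minimal model of the HPACK dynamic table (RFC 7541 s4).
# Not the researchers' code and not any server's implementation.
from collections import deque

ENTRY_OVERHEAD = 32  # RFC 7541 s4.1: entry size = len(name) + len(value) + 32


def entry_size(name: bytes, value: bytes) -> int:
    return len(name) + len(value) + ENTRY_OVERHEAD


class DynamicTable:
    """Receiver-side dynamic table: newest entry first, evict oldest on overflow."""

    def __init__(self, max_size: int = 4096):  # 4096 is the RFC default
        self.max_size = max_size
        self.entries = deque()  # elements are (name, value) tuples
        self.size = 0

    def _evict_oldest(self) -> None:
        old_name, old_value = self.entries.pop()
        self.size -= entry_size(old_name, old_value)

    def add(self, name: bytes, value: bytes) -> None:
        needed = entry_size(name, value)
        # RFC 7541 s4.4: evict from the oldest end until the new entry fits
        while self.entries and self.size + needed > self.max_size:
            self._evict_oldest()
        # An entry larger than the whole table empties it and is not stored
        if needed > self.max_size:
            return
        self.entries.appendleft((name, value))
        self.size += needed

    def resize(self, new_max: int) -> None:
        """Apply a Dynamic Table Size Update (s6.3); evict down to the new bound."""
        self.max_size = new_max
        while self.entries and self.size > self.max_size:
            self._evict_oldest()


def pinned_table_size(max_size: int, n_entries: int, value_len: int) -> tuple:
    """Insert n never-repeated constructed entries; return (bytes held, entries kept).

    However many entries are pushed, the bytes held never exceed max_size.
    """
    table = DynamicTable(max_size)
    for i in range(n_entries):
        table.add(b"x-constructed-%d" % i, b"v" * value_len)
    return table.size, len(table.entries)
```

Run `pinned_table_size(4096, 1000, 1000)` and the table ends up holding three entries and 3147 bytes, whatever the number of inserts: the dynamic table is a fixed-size ring, which is why the article's concern is the decoded per-stream header state rather than the table alone.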

Stream Flow Control Abuse

Flow control in HTTP/2 is per-stream and per-connection, using WINDOW_UPDATE frames. Servers buffer data until there is window space. An attacker opens hundreds of streams, sets extremely small flow control windows, and then sends minimal data on each stream while requesting large responses. The server allocates read buffers for each stream and cannot free them until the window opens or the stream closes. By keeping streams alive with PING or HEADERS frames, the attacker locks the memory indefinitely.

Combining both vectors creates a cascade: the dynamic table bloats, and stuck streams hold response buffers. On a default nginx installation with 128 concurrent streams per connection, an attacker can consume several hundred megabytes of RAM from a single TCP handshake. Apache and IIS show similar behavior, though the exact memory footprint varies.

The attack requires only a standard TLS handshake and HTTP/2 connection preface. No special headers or malformed frames are needed; the malicious payload is semantically valid HTTP/2, making detection via traditional signature-based intrusion systems almost impossible.

Affected Servers and Default Configurations

The California research team tested their exploits against the latest stable releases of each server as of May 2026.

  • nginx: Default settings allow 128 concurrent streams and a 4 KB HPACK table. The attack consistently exhausted the worker process memory within seconds, causing an OOM kill or severe performance degradation. nginx’s event-driven architecture did not isolate the impact; a single malicious connection could starve all other connections handled by the same worker.
  • Apache HTTP Server (httpd): With mod_http2 and default MPM settings, the server allocates memory per connection and per stream. The HPACK table is per-connection, and stream buffers are substantial due to Apache’s process‑based handling. The researchers observed memory exhaustion within 10 seconds on a standard virtual private server.
  • Microsoft IIS: IIS uses the HTTP.sys kernel‑mode driver for HTTP/2. While kernel‑mode memory is more constrained, the attack still succeeded by opening streams with tiny flow control windows that pinned non‑paged pool memory. IIS administrators may notice the server becoming unresponsive before it crashes. The researchers noted that IIS’s default stream limit is 100, which is still sufficient for the attack.

All tests were performed with servers at their default, out-of-the-box settings. Custom hardening that limits streams, tightens table sizes, or sets aggressive timeouts reduces the risk but may not eliminate it completely, as the underlying mechanisms are part of the protocol specification.

Mitigation and Temporary Fixes

Because the vulnerability is architectural rather than a simple software bug, complete fixes will likely require changes to default configurations and, in some cases, code updates from server vendors. The researchers have coordinated disclosure with the maintainers of nginx, Apache, and Microsoft. Patches and advisories are expected by mid‑July 2026.

In the interim, administrators can take several steps:

  1. Reduce the maximum concurrent streams per connection. For nginx, setting http2_max_concurrent_streams to 8 or 16 (from the default 128) drastically limits the number of streams an attacker can open. Apache users can set H2MaxSessionStreams to a similarly low value. IIS administrators can adjust the MaxConcurrentStreams registry key under Http2.

  2. Limit the HPACK dynamic table size on the server side. nginx allows setting http2_max_field_size and http2_recv_header_timeout, but no direct table size knob; the server advertises its own limit based on buffers, so tuning large_client_header_buffers may indirectly help. Apache’s H2MaxHeaderTableSize directive can be set as low as 256 bytes, though this impacts performance. IIS does not expose a public setting, making it the hardest to mitigate at the configuration level.

  3. Enable strict request and connection timeouts. Aggressive timeouts for header reading and for idle connections force the attacker to work faster and give the server a chance to reclaim memory. The relevant settings are nginx’s client_header_timeout and keepalive_timeout, Apache’s Timeout and KeepAliveTimeout, and IIS’s connectionTimeout.

  4. Deploy rate limiting and connection restrictions upstream. A reverse proxy or load balancer that limits connections per IP or enforces HTTP/2 stream concurrency at the edge can shield vulnerable backend servers. The attack requires a full HTTP/2 connection, so blocking HTTP/1.1 to HTTP/2 upgrades can also reduce exposure if legacy clients are not a concern.

  5. Monitor memory pressure and set OOM thresholds so that a single worker or process dying does not take down the whole server. Tools like cgroup memory limits for nginx workers can contain the damage.
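The flow-control section and steps 1 and 3 above describe the same defensive idea from two sides: bound how many streams a connection may hold open, bound the bytes those streams can pin, and reap streams that sit idle. The following added example (written for this article, not code from the paper, nginx, Apache or IIS) models that admission control for one connection. The per-stream buffer size, the connection budget, and the timeout values are constructed assumptions; the 128 and 16 stream counts are the article's own figures.

```python
# Added example: per-connection stream and memory accounting of the kind the
# mitigations aim for. Constructed model, not any server's implementation.
from dataclasses import dataclass, field


@dataclass
class Limits:
    max_streams: int        # e.g. nginx http2_max_concurrent_streams
    stream_buffer: int      # bytes reserved per open stream (assumed value)
    connection_budget: int  # hard cap on bytes one connection may hold (assumed)
    idle_timeout: float     # seconds a stream may idle before being reaped


# Article figures: 128 streams by default, 8 or 16 after hardening.
# Buffer and budget sizes are assumptions for illustration only.
DEFAULT_LIKE = Limits(max_streams=128, stream_buffer=65536,
                      connection_budget=128 * 65536, idle_timeout=3600.0)
HARDENED = Limits(max_streams=16, stream_buffer=65536,
                  connection_budget=512 * 1024, idle_timeout=10.0)


@dataclass
class Connection:
    limits: Limits
    now: float = 0.0
    open_streams: dict = field(default_factory=dict)  # stream_id -> last activity
    bytes_held: int = 0
    rejected: int = 0

    def open_stream(self, stream_id: int) -> bool:
        """Admit a stream only if both the count and the byte budget allow it."""
        over_count = len(self.open_streams) >= self.limits.max_streams
        over_bytes = (self.bytes_held + self.limits.stream_buffer
                      > self.limits.connection_budget)
        if over_count or over_bytes:
            self.rejected += 1
            return False
        self.open_streams[stream_id] = self.now
        self.bytes_held += self.limits.stream_buffer
        return True

    def activity(self, stream_id: int) -> None:
        """Record progress on a stream (data consumed), resetting its idle clock."""
        if stream_id in self.open_streams:
            self.open_streams[stream_id] = self.now

    def advance(self, seconds: float) -> int:
        """Move the clock; reap streams idle past idle_timeout and free their buffers."""
        self.now += seconds
        stale = [sid for sid, last in self.open_streams.items()
                 if self.now - last > self.limits.idle_timeout]
        for sid in stale:
            del self.open_streams[sid]
            self.bytes_held -= self.limits.stream_buffer
        return len(stale)


def worst_case_bytes(limits: Limits) -> int:
    """Upper bound on bytes a single connection can pin under these limits."""
    return min(limits.max_streams * limits.stream_buffer, limits.connection_budget)


def simulate_stuck_streams(limits: Limits, attempts: int, hold_seconds: float) -> dict:
    """Open `attempts` streams that never make progress, wait, and report the outcome."""
    conn = Connection(limits)
    admitted = sum(conn.open_stream(sid) for sid in range(1, 2 * attempts, 2))
    bytes_before = conn.bytes_held
    reaped = conn.advance(hold_seconds)
    return {"admitted": admitted, "rejected": conn.rejected,
            "bytes_before": bytes_before, "reaped": reaped,
            "bytes_after": conn.bytes_held}
```

Under `HARDENED`, 128 stalled stream attempts admit only 8 (the byte budget binds before the stream count does), and after 11 seconds of no progress all 8 are reaped and the connection holds nothing; under `DEFAULT_LIKE` the same attempts pin the full budget for an hour. The design point is that a byte budget and an idle timeout together convert the attacker's "hold resources indefinitely" strategy into a bounded, self-healing cost.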

These workarounds are not perfect. Lowering stream limits can throttle legitimate users who rely on connection coalescing, and shrinking the HPACK table slows compression. Administrators must weigh the security benefits against performance costs until official patches arrive.

Why HTTP/2 Bomb Sidesteps Existing Defenses

The attack’s elegance lies in its misuse of standard protocol features. Unlike previous HTTP/2 floods, it doesn’t require high volumes of traffic. The Rapid Reset attack abused stream cancellation (RST_STREAM frames) to cause excessive server work, but HTTP/2 Bomb is quiet: it simply holds resources long enough to exhaust memory. This means traditional DDoS protection, which focuses on packet rate or SYN floods, won’t trigger. A single TCP connection that sends valid HTTP/2 with no malformed frames can pass through WAFs and IDS/IPS systems without raising alarms.

Moreover, the attack targets server‑side state that is invisible to most monitoring tools. HPACK table size and stream buffer allocations are internal; only by tracking memory usage per connection can operators spot the anomaly. The researchers provided a Snort rule and a Python detection script that looks for connections with a high number of streams and a large accumulated header size, but these are after‑the‑fact indicators.
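As an added illustration of the kind of after-the-fact heuristic described here (this is not the researchers' script; the field names, thresholds and sample records are all constructed for the example), the following code scores per-connection telemetry for the three signals the text names: an unusually high number of open streams, a large accumulated decoded-header size, and streams that have made almost no progress for a long time. A real deployment would feed it from the server's own per-connection counters, which is the monitoring gap the paragraph above points out.

```python
# Added example: detection heuristic over constructed per-connection telemetry.
# Not the researchers' Snort rule or Python script. Thresholds are assumptions.
from dataclasses import dataclass


@dataclass
class ConnStats:
    client: str         # remote address (RFC 5737 documentation ranges below)
    open_streams: int   # streams currently open on this connection
    header_bytes: int   # decoded header octets accumulated on this connection
    body_bytes: int     # request body octets received so far
    age_s: float        # seconds since the connection was accepted


# Assumed thresholds; tune against a baseline of legitimate traffic.
MANY_STREAMS = 64          # open streams on one connection
HEADER_BLOAT = 1_000_000   # accumulated decoded header bytes
STALL_AGE_S = 30.0         # connection age before "no progress" is suspicious
STALL_BODY_PER_STREAM = 64 # fewer body bytes per open stream than this


def score(c: ConnStats) -> list:
    """Return the list of reasons this connection looks like resource pinning."""
    reasons = []
    if c.open_streams >= MANY_STREAMS:
        reasons.append("many-open-streams")
    if c.header_bytes >= HEADER_BLOAT:
        reasons.append("header-bloat")
    if (c.open_streams > 0 and c.age_s > STALL_AGE_S
            and c.body_bytes / c.open_streams < STALL_BODY_PER_STREAM):
        reasons.append("stalled-streams")
    return reasons


def flag_connections(stats: list) -> dict:
    """Map client address -> reasons, for every connection with at least one reason."""
    flagged = {}
    for c in stats:
        reasons = score(c)
        if reasons:
            flagged[c.client] = reasons
    return flagged


# Constructed sample telemetry, not captured data.
SAMPLE = [
    ConnStats("203.0.113.7", open_streams=120, header_bytes=4_800_000,
              body_bytes=120, age_s=45.0),      # all three signals
    ConnStats("198.51.100.20", open_streams=12, header_bytes=30_000,
              body_bytes=500_000, age_s=12.0),  # ordinary browser session
    ConnStats("192.0.2.9", open_streams=90, header_bytes=200_000,
              body_bytes=0, age_s=5.0),         # too young to call stalled
    ConnStats("192.0.2.10", open_streams=3, header_bytes=2_500_000,
              body_bytes=90_000, age_s=60.0),   # header bloat only
]

if __name__ == "__main__":
    for client, reasons in flag_connections(SAMPLE).items():
        print(client, ", ".join(reasons))
```

The stall rule deliberately requires the connection to be older than `STALL_AGE_S` so that a burst of freshly opened streams from a legitimate page load is not flagged; the example with 90 streams at five seconds of age is reported only for its stream count. These are indicators to act on with connection-level limits or closure, not a replacement for the configuration bounds described earlier.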

Broader Implications for HTTP/2 and Web Infrastructure

The HTTP/2 Bomb attack resurfaces a long‑standing debate: does the complexity of HTTP/2’s multiplexing and compression outweigh its performance gains, especially for public‑facing services? HPACK was designed to reduce bandwidth, but its stateful nature creates an asymmetry where a small client investment forces a large server burden. Flow control, meant to prevent overwhelming slow consumers, can be weaponized by fast talkers who simply refuse to consume.

CDNs and cloud providers that terminate HTTP/2 at the edge are in a better position to filter such attacks, but many organizations still run nginx or Apache directly on internet‑facing hosts. The researchers note that the attack may also affect HTTP/2 implementations in other software—Envoy proxy, Node.js, Go’s net/http—but their testing focused on the big three.

The timing coincides with the gradual rollout of HTTP/3, which uses QUIC and a different header compression scheme (QPACK). QPACK also has a dynamic table, but flow control is handled differently, at the transport layer. Whether similar attacks translate to HTTP/3 remains an open question, but the core lesson stands: protocol state is a liability when untrusted clients can create it without bound.

What’s Next

Microsoft, the Apache Software Foundation, and the nginx team (now part of F5) are working on coordinated disclosures and patches. Early indications from the researchers’ private communications suggest that nginx will introduce a hard limit on the HPACK table size per connection and add stream‑level memory accounting. Apache is evaluating a similar approach along with improved connection‑level monitoring. IIS may see a registry‑controlled limit in an upcoming Windows Update.

In the meantime, the proof‑of‑concept code is available in a GitHub repository with a warning for defensive testing only. The researchers urge server operators to apply mitigations immediately and to pressure vendors for timely updates. As one of the authors stated in the paper, “HTTP/2 Bomb is not a zero‑day in the buffer‑overflow sense; it’s a design‑day that’s been hiding in plain sight.”

The attack serves as a reminder that protocol compliance does not guarantee safety. Every feature that reduces round trips or saves bandwidth can also be turned into a weapon if its resource consumption is unbounded. The burden now shifts to server implementers to impose those bounds before attackers do.