A newly discovered vulnerability, dubbed the HTTP/2 Bomb, allows for remote denial-of-service (DoS) attacks on several major web servers, including NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare. This exploit takes advantage of a flaw in the default HTTP/2 configuration of these servers, enabling attackers to launch a DoS attack. The vulnerability was identified by chaining OpenAI Codex, highlighting the potential for artificial intelligence to uncover complex security issues. The affected servers are widely used, making this vulnerability a significant concern for organizations relying on these technologies. The HTTP/2 Bomb vulnerability can be used to overwhelm a server, rendering it inaccessible to legitimate users1. This vulnerability matters to practitioners because it can be exploited by attackers to take down critical web infrastructure, emphasizing the need for prompt patches and configuration updates to prevent such attacks.
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
⚡ High Priority
Why This Matters
Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare.
References
- The Hacker News. (2026, June 3). New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare. *The Hacker News*. https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
Original Source
The Hacker News
Read original →