A vulnerability at the very heart of how the modern Internet operates is disproportionately affecting organizations that have large, distributed footprints on the Web. Patches are available, but some idiosyncrasies in vendor rollouts have caused some confusion.

Earlier this spring, Calif security researcher Quang Luong used OpenAI’s Codex to discover an exploit now referred to as the “HTTP/2 Bomb.” As seems to be customary of severe, AI-discovered vulnerabilities, HTTP/2 Bomb — or, more formally, CVE-2026-49975 — creatively chains together two old, nondescript features of a core Web technology to help attackers amplify junk traffic by orders of magnitude. Because it enables denial-of-service (DoS) attacks without any need for authentication, the issue received a high-severity CVSS score of 7.5.

What stands out most of all about HTTP/2 Bomb is the sheer scale of vulnerable online infrastructure. Calif’s initial Shodan scan indicated that more than 880,000 websites support HTTP/2 and run one of the vulnerable types of servers: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. Those server providers have been releasing fixes, and organizations are advised to patch immediately where possible.


What’s New with HTTP/2 Bomb

Shortly after the CVE-2026-49975 disclosure, Imperva reported that attackers in the wild were “running specialized tools designed to map out” vulnerable servers.

In the two weeks since, Pascal Geenens, director of threat intelligence for Radware, reports that there haven’t been any major, observable HTTP/2 Bomb attacks to date, perhaps because threat actors already have so many other ways to perform DoS attacks. Still, he notes that a working proof-of-concept (PoC) is publicly available, “And it’s easy to run. On the attacker side, you don’t need a lot of resources to pull it off.”

On the defender side, most servers now have dedicated patches available. Still, the rollout has been uneven. Nginx and Apache fixed the issue before public disclosure, and Envoy released its fix the day after publication. Microsoft took an extra week, releasing its mitigation on Patch Tuesday last week. Cloudflare has yet to patch the flaw.

Industries Most Affected by HTTP/2 Bomb

HTTP/2 Bomb is non-discriminating. “Sometimes you see vulnerable technologies that are more in use in the banking sector, for example; this is not that,” says Igal Zeifman, CyCognito’s vice president of marketing. He estimates that somewhere between 80% and 90% of his firm’s customers are affected. “This is an everyman’s vulnerability,” he says.


That said, CyCognito’s data suggests that certain industries are more impacted than others, simply because they run more Internet-connected servers than average. In its scanning, the firm found that about a quarter of vulnerable servers belong to organizations in communications industries — telecoms, media, and content businesses that manage traffic at scale, and where implementing the faster HTTP/2 is imperative. Following communications services are the IT (18%) and healthcare (17%) industries.

“The pattern points to a single underlying driver: the affected component is general-purpose web infrastructure,” the researchers wrote. “Apache httpd and nginx sit in front of applications in every industry, often provisioned years ago and rarely revisited once stable.”

How HTTP/2 Amplification Works

Amplification attacks are some of the oldest, simplest ways to cause disruptions on the Internet.

In the glory days of DDoS, amplification was how teen hackers took down corporate servers despite the limitations of their parents’ dial-up connections. For instance, servers running the 1999 first-person shooter (FPS) video game Quake III Arena would respond to small “getinfo” or “getstatus” requests with a variety of information about players, configurations, etc. Hackers learned that if they sent lots of getstatus requests to a Quake III Arena server, and instructed it to send its responses to a victim’s IP address, they could get a whole lot of bang for their buck, inputting a small volume of requests to generate a large volume of junk traffic against their target. 


Josiah White, a teenager who learned DDoS by recreating this technique, went on to create history’s most significant botnet, Mirai.

HTTP/2 Bomb operates off the same principle, but instead of taking advantage of a quirk in a particular kind of server, it exploits HTTP/2 itself. Ironically, it exploits two features that were expressly designed to save Internet bandwidth. The first, “HPACK,” unburdens clients and servers from having to trade the same header metadata back and forth by saving the data in shorthand, using an index. The second, “flow control,” prevents a client from being overloaded by a server’s responses.

In oversimplified terms, an attacker can send a continuous stream of tiny requests that force the server to build much larger header structures — akin to the Quake III Arena technique — and then block the server from sending its responses back, which is what would otherwise let it free the memory those responses occupy. With nothing draining, the server’s memory fills up under the endless stream of requests. The result: Even a laptop on home Wi-Fi can take out an nginx server in 45 seconds, or Envoy in 10.

“[For] a DDoS geek like me,” says Zeifman, “the implementation itself is very interesting, because HTTP/2 Bomb is not new. The idea of sending a small request in and then having it expand into your memory, and then they tie it in with a Slowloris type of attack — that keeps the connection open so you can send those small requests in — and suddenly you’re out of memory. It’s two very simple concepts. Why hasn’t anybody thought about that before?”
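To make the mechanism concrete, here is an added toy simulation (not code from the article, the researcher, or any affected project). It is not real HTTP/2; it models only the two ingredients described above, a few wire bytes expanding into a large server-side structure and a client-held flow-control window that stops responses from draining, and the per-request byte costs and the defensive memory cap are constructed assumptions.

```python
"""Toy model of the HTTP/2 Bomb amplification principle (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed cost figures, not measurements from the article or the PoC.
INDEXED_REQUEST_BYTES = 2      # tiny request referencing already-indexed headers
HEADER_EXPANDED_BYTES = 4096   # server-side memory for the expanded header block
RESPONSE_BYTES = 8192          # server-side memory for the response waiting to be sent


@dataclass
class Connection:
    window: int                 # bytes the client currently allows the server to send
    pending_bytes: int = 0      # server memory held by responses waiting on the window
    bytes_received: int = 0     # total request bytes seen on the wire
    max_pending: Optional[int] = None  # defensive cap; None models an unbounded server

    def handle_request(self, wire_bytes: int) -> bool:
        """Process one request; return False if the server closes the connection."""
        self.bytes_received += wire_bytes
        self.pending_bytes += HEADER_EXPANDED_BYTES + RESPONSE_BYTES
        self.drain()
        return self.max_pending is None or self.pending_bytes <= self.max_pending

    def drain(self) -> None:
        """Send (and free) as much pending response data as the window permits."""
        sent = min(self.window, self.pending_bytes)
        self.window -= sent
        self.pending_bytes -= sent


def simulate(requests: int, window: int,
             max_pending: Optional[int] = None) -> Tuple[int, int, bool]:
    """Send `requests` tiny requests; return (bytes in, bytes held, connection survived)."""
    conn = Connection(window=window, max_pending=max_pending)
    for _ in range(requests):
        if not conn.handle_request(INDEXED_REQUEST_BYTES):
            return conn.bytes_received, conn.pending_bytes, False
    return conn.bytes_received, conn.pending_bytes, True


def amplification(bytes_in: int, bytes_held: int) -> float:
    """Server memory held per byte the attacker had to send."""
    return bytes_held / bytes_in if bytes_in else 0.0


if __name__ == "__main__":
    # A window held at zero keeps every response resident; a healthy window drains them.
    print(simulate(1000, window=0), simulate(1000, window=10**9))
    # A per-connection cap on pending data bounds the damage by closing the connection early.
    print(simulate(1000, window=0, max_pending=1_000_000))
```

The zero-window run shows the Slowloris element Zeifman describes: the connection stays open, nothing drains, and a few kilobytes of requests pin megabytes of server memory.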

“Do whatever you can to patch as quickly as possible,” he warns organizations, “because if you’re running anything on the Internet, there is a very high chance that this is in scope for you.”