The recently discovered HTTP/2 Bomb exploit can incapacitate web servers in seconds by leveraging vulnerabilities in HTTP/2’s header compression and flow-control mechanisms. Identified by cybersecurity firm Calif, this exploit affects over 880,000 websites using default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora. Although the individual techniques have been public for years, an AI system using OpenAI’s Codex was able to combine them into a single attack vector. Proactive responses from NGINX and Apache HTTPD led to the release of patches addressing the vulnerabilities, but other servers, including Microsoft IIS, have yet to receive fixes.

Calif: Calif is a California-based cybersecurity firm focused on vulnerability research and exploit development. It identified the HTTP/2 Bomb by leveraging OpenAI’s Codex to analyze server codebases and combine previously disclosed issues into a new attack vector. The firm released proof-of-concept code demonstrating the exploit against multiple web server implementations.
Envoy: Envoy is an open-source edge and service proxy used in cloud-native environments. It supports HTTP/2 and was listed among the implementations potentially affected by the HTTP/2 Bomb exploit, with no patch available at the time of disclosure.
NGINX: NGINX is a widely used open-source web server and reverse proxy software. It was among the servers affected by the HTTP/2 Bomb exploit and addressed the underlying issues through an update released in April.
Apache HTTPD: Apache HTTPD is a major open-source web server project. The HTTP/2 Bomb exploit chained older, previously disclosed vulnerabilities in it; the project deployed fixes in late May along with an associated CVE entry.
Microsoft IIS: Microsoft IIS is Microsoft’s web server software included in Windows Server. It supports HTTP/2 and was identified as potentially vulnerable to the HTTP/2 Bomb attack with no patch available at the time of disclosure.
Cloudflare Pingora: Cloudflare Pingora is Cloudflare’s custom-built HTTP proxy and server platform. It supports HTTP/2 and was noted as potentially vulnerable to the HTTP/2 Bomb attack with no patch released at the time of the report.

Server Patches: NGINX and Apache HTTPD have both released updates addressing the chained vulnerabilities underlying the exploit.
Attack Characteristics: The technique relies on memory exhaustion through HTTP/2 header compression and flow-control manipulation rather than traditional size-based amplification.
Vulnerability Discovery: The HTTP/2 Bomb exploit was assembled by an AI system that recognized how multiple long-public issues could be combined into a single effective attack.