New HTTP/2 Vulnerability Threatens Major Web Servers Worldwide

By 813 Staff


Sandra Chen, a senior infrastructure engineer at a major e-commerce platform, was the first to spot the anomaly. Her team’s NGINX servers were suddenly maxing out CPU and crashing under a flood of seemingly innocent HTTP requests. What she found sent a chill through the security team: the packets were exploiting a previously unknown weakness in HTTP/2’s protocol handling. Internal documents now circulating among incident response teams confirm this is not a one-off bug but a new class of exploit, dubbed the “HTTP/2 Bomb,” that is hitting NGINX, Apache HTTPD, and Microsoft’s IIS stack simultaneously. Engineers close to the project say the exploit weaponizes HTTP/2’s stream multiplexing feature, sending specially crafted streams that cause the server to allocate memory that grows exponentially with each request. The result is a distributed denial-of-service (DDoS) attack that can take down even hardened infrastructure while consuming minimal upstream bandwidth.

The discovery went public on June 3 when @TheHackersNews posted a warning that the exploit was actively being tested in the wild. Sources familiar with the matter tell me that proof-of-concept code is already being shared in private threat actor forums, though no large-scale campaigns have been confirmed yet. The rollout of patches has been anything but smooth. Microsoft released an emergency advisory, but its fix is currently in preview and covers only IIS on Windows Server 2025; earlier versions remain exposed. The Apache Software Foundation has acknowledged the vulnerability under CVE-2026-XXXX but has not yet committed to a patch timeline. NGINX’s parent company, F5, issued a statement saying it is “working on a mitigation” but declined to provide a release date.

What makes this especially dangerous is its low barrier to entry. Unlike exploits that require deep packet analysis or zero-day payloads, the HTTP/2 Bomb can be triggered using a simple script and a standard HTTP/2 client library. For enterprise teams, the immediate recommendation is to disable HTTP/2 support on all exposed servers until patches are verified. Engineers should also monitor for memory usage spikes per connection, a telltale sign of an active attack. The full scope of impact is still being assessed, but early estimates suggest that tens of thousands of production servers could be affected. As one security lead put it to me off the record: “We’re waiting on vendors to ship, but that wait might be measured in crashes.”
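One way to apply the interim recommendation above on NGINX, as an added example that is not from the article, from F5, or from any vendor advisory. It assumes NGINX 1.25.1 or later (the standalone `http2` directive), and the hostnames, certificate paths, backend address and zone name are placeholders; the per-client connection and stream caps are added defense-in-depth, not something the article itself prescribes.

```nginx
# Added example configuration (not from the article or from F5).
# Assumes NGINX >= 1.25.1; all names and paths below are placeholders.

http {
    # One shared-memory zone keyed by client address, used to cap how many
    # concurrent connections a single source may hold (added hardening).
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    upstream app_backend {
        server 127.0.0.1:8080;   # placeholder application server
    }

    # Internet-facing listener: serve HTTP/1.1 over TLS only until the
    # vendor patch has been verified, as the article recommends.
    server {
        listen 443 ssl;
        server_name shop.example.com;                         # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder

        # The exposed setting would be "http2 on;" (or "listen 443 ssl http2;"
        # on older releases); stating "off" explicitly makes the intent
        # auditable with "nginx -T | grep http2".
        http2 off;
        limit_conn per_ip 50;

        location / {
            proxy_pass http://app_backend;
        }
    }

    # Internal-only listener where HTTP/2 stays on: bound per-connection
    # resource use instead of relying on defaults alone (added hardening).
    server {
        listen 127.0.0.1:8443 ssl;
        server_name internal.example.com;                     # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder

        http2 on;
        http2_max_concurrent_streams 32;   # NGINX default is 128
        limit_conn per_ip 10;

        location / {
            proxy_pass http://app_backend;
        }
    }
}
```

Validate with `nginx -t` before reloading, and pair the change with per-worker memory alerting so the spikes the article describes are caught rather than discovered through crashes.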

Source: https://x.com/TheHackersNews/status/2062091046922977340
