The Hidden Crack in the Web's Backbone
Here's something that keeps me up at night: the protocol running most of the internet right now has a design flaw that lets someone with a laptop on Wi-Fi take down an enterprise server in under a minute. No authentication required. No sophisticated tooling needed. Just two features that were supposed to make the web faster, twisted together into something devastating.
That's CVE-2026-49975, the so-called HTTP/2 Bomb. Discovered this spring by California security researcher Quang Luong using OpenAI's Codex, the vulnerability chains HPACK compression and HTTP/2 flow control into a memory-exhaustion attack that scores a 7.5 on the CVSS scale — high enough to demand immediate attention from anyone running public-facing infrastructure.
The numbers are staggering. A Shodan scan at disclosure pointed to more than 880,000 websites running vulnerable server software: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. That's not a niche problem. That's the internet.
What makes this particularly gnarly from an infrastructure standpoint is that HTTP/2 Bomb doesn't discriminate by industry. It's not targeting banking systems or healthcare databases specifically — it's targeting the protocol itself, which means every organization with a web presence is potentially in scope. And as we'll see, some sectors are simply more exposed than others because they run more internet-connected servers at scale.
How the Amplification Actually Works
To understand why this matters, you need to understand what HPACK and flow control were designed for. Both are bandwidth-saving features baked into HTTP/2.
HPACK eliminates the need to repeatedly send identical header metadata by compressing it into shorthand using an index. Instead of every request carrying the full set of headers, the client and server maintain a shared compression table. Efficient? Absolutely. That's the whole point.
Flow control prevents a server from drowning in responses by regulating how much data flows between client and server at any given time. It's a pacing mechanism — think of it as the internet's version of "take turns."
The HTTP/2 Bomb exploits both features in sequence, and the elegance of the attack is almost impressive. An attacker sends a continuous stream of tiny requests that force the server to build increasingly large header structures — essentially stuffing HPACK's compression table until memory balloons. Then, using flow control as a shield, the attacker blocks the server's ability to send responses back. The server keeps allocating memory for incoming requests but can't free it through normal response cycles.
The result is a classic memory exhaustion. Even a laptop on home Wi-Fi can take out an nginx server in 45 seconds, or Envoy in as little as 10. No botnet required. No massive bandwidth investment.
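The two-feature chain described above, modelled from the defender's side as an added example (constructed here, not code from nginx, Apache, IIS, Envoy or Pingora): a per-connection budget that tracks decoded header state plus response bytes stuck behind a zero flow-control window, and closes the connection once a stalled client pins more memory than the budget allows. The budget, the event shapes and the trace values are assumptions.

```python
from dataclasses import dataclass, field
RETAINED_BUDGET = 64 * 1024   # assumed per-connection cap on bytes pinned while the peer is stalled
INITIAL_WINDOW = 65535        # RFC 9113 default initial flow-control window

@dataclass
class Conn:
    wire_bytes_in: int = 0                            # compressed HEADERS bytes received so far
    send_window: int = INITIAL_WINDOW                 # peer's receive window still open to us
    headers_held: dict = field(default_factory=dict)  # stream -> decoded header bytes in memory
    blocked: dict = field(default_factory=dict)       # stream -> response bytes awaiting window

    def retained(self) -> int:
        return sum(self.headers_held.values()) + sum(self.blocked.values())

    def _send(self, sid: int, pending: int) -> None:
        sent = min(pending, self.send_window)
        self.send_window -= sent
        if pending - sent:
            self.blocked[sid] = pending - sent        # stream stays open, its memory stays pinned
        else:
            self.blocked.pop(sid, None)
            self.headers_held.pop(sid, None)          # stream finished: its header state is freed

    def apply(self, ev: tuple) -> None:
        if ev[0] == "headers":                        # ("headers", stream, wire_len, decoded_len)
            self.wire_bytes_in += ev[2]
            self.headers_held[ev[1]] = ev[3]
        elif ev[0] == "response":                     # ("response", stream, body_len)
            self._send(ev[1], ev[2])
        elif ev[0] == "window_update":                # ("window_update", increment)
            self.send_window += ev[1]
            for sid in list(self.blocked):            # retry everything the old window blocked
                self._send(sid, self.blocked[sid])

def run_trace(events) -> dict:
    # Replay one connection; report the first event at which the budget policy would close it.
    conn, hit = Conn(), None
    for i, ev in enumerate(events):
        conn.apply(ev)
        if conn.send_window == 0 and conn.blocked and conn.retained() > RETAINED_BUDGET:
            hit = i                                   # stalled peer holding more than we allow
            break
    held = sum(conn.headers_held.values())            # decoded bytes still pinned per wire byte in
    return {"verdict": "close" if hit is not None else "ok", "at_event": hit,
            "retained": conn.retained(), "amplification": round(held / max(conn.wire_bytes_in, 1), 1)}

# Constructed traces: a browser fetching three pages (its last response briefly waits for a
# WINDOW_UPDATE), then a client sending tiny, highly compressible requests and never updating.
BENIGN = [e for s in range(3) for e in (("headers", s, 120, 600), ("response", s, 30000))]
BENIGN.append(("window_update", 60000))
STALLED = [e for s in range(200) for e in (("headers", s, 30, 4096), ("response", s, 1024))]
```

The benign browser briefly hits a zero window but stays well under budget and drains as soon as the update arrives; the stalled client trips the policy on its 76th stream with roughly 23 decoded bytes held for every byte it put on the wire.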
Igal Zeifman, CyCognito's vice president of marketing, put it best: "For a DDoS geek like me, the implementation itself is very interesting. The idea of sending a small request in and then having it expand into your memory, and then they tie it in with a Slowloris type of attack — that keeps the connection open so you can send those small requests in — and suddenly you're out of memory. It's two very simple concepts. Why hasn't anybody thought about that before?"
The answer, unfortunately, is probably the same reason we keep finding zero-days in TLS: when you build systems for efficiency first and security second, the shortcuts become attack vectors.
Who's Actually in the Crosshairs
HTTP/2 Bomb is what security researchers call a non-discriminating vulnerability. "Sometimes you see vulnerable technologies that are more in use in the banking sector, for example; this is not that," Zeifman said.
But CyCognito's data tells a different story about who feels the pain most acutely. Their scanning found that roughly 25% of vulnerable servers belong to organizations in communications — telecoms, media companies, and content businesses that manage traffic at scale. HTTP/2 isn't optional for these organizations; it's imperative for performance.
Following communications, the IT sector accounts for about 18% of vulnerable servers, and healthcare comes in at 17%. These aren't coincidental numbers. They reflect organizations that have invested heavily in distributed web infrastructure and adopted HTTP/2 early because the performance gains were too compelling to ignore.
"The pattern points to a single underlying driver: the affected component is general-purpose web infrastructure," CyCognito's researchers wrote. "Apache httpd and nginx sit in front of applications in every industry, often provisioned years ago and rarely revisited once stable."
That last point is the real story here. Most organizations didn't deliberately choose to run vulnerable servers. They provisioned nginx or Apache years ago, it worked, and they moved on. The infrastructure became invisible — which is exactly what makes it dangerous when a vulnerability like this surfaces.
The Patching Landscape: A Study in Inconsistency
Here's where the story gets frustrating. Patches exist. They're available. But the rollout has been uneven enough to create real gaps in coverage.
Nginx and Apache fixed the issue before public disclosure — which is exactly the kind of responsible vulnerability handling that inspires confidence. Envoy released its fix the day after publication. Fast, clean, professional.
Microsoft took an extra week, releasing its mitigation on Patch Tuesday last week. That's still reasonable by enterprise standards, but in a vulnerability landscape where proof-of-concept code is already circulating, that extra week represents real exposure.
Cloudflare has yet to patch the flaw. As of this writing, Pingora — their HTTP/2 proxy infrastructure — remains unmitigated. For an organization that sits at the edge of a significant portion of internet traffic, that's a notable gap.
The uneven timeline matters because it creates a moving target for defenders. Organizations running nginx or Apache can patch today and be done with it. Those on IIS need to verify their Patch Tuesday update landed. And anyone relying on Cloudflare Pingora is currently waiting.
Imperva reported shortly after disclosure that attackers were already "running specialized tools designed to map out" vulnerable servers. Two weeks later, Pascal Geenens at Radware noted no major observable attacks — likely because threat actors have plenty of other DoS techniques available. But a working proof-of-concept exists, it's easy to run, and the mapping tools are out there. The attack surface is being actively enumerated right now.
What Operations Teams Should Do Now
The guidance from every expert I've reviewed is blunt: patch immediately where possible.
For organizations running nginx or Apache, this likely means a straightforward update. Verify your current version, apply the patch, confirm the fix is active. Done.
For IIS environments, ensure your latest Patch Tuesday update has been applied and validated. If you're on a delayed patch cycle, prioritize this one.
For Envoy deployments, confirm your proxy layer is running the post-disclosure build. If you're managing Envoy through a service mesh, coordinate with your platform team to verify the update propagated correctly.
And for organizations relying on Cloudflare Pingora, there's not much to do but monitor. Watch for the patch announcement. Have a plan ready to execute the moment it lands.
Beyond individual server patches, here's what I think operations teams should consider: inventory your HTTP/2 exposure holistically. How many servers are running vulnerable software? Which ones handle the most traffic? What's your rollback plan if a patch breaks something?
The HTTP/2 Bomb is a reminder that efficiency and security aren't always aligned, and the features we adopt to make systems faster can become the very mechanisms that take them down. The organizations that will weather this aren't necessarily the ones with the biggest security budgets — they're the ones who know what's running in their infrastructure and can move fast when it matters.
The Bigger Picture: When Efficiency Becomes the Attack Surface
There's a pattern here that goes beyond any single vulnerability. Every major protocol improvement — HTTP/2, QUIC, even the compression algorithms that make modern web pages load in milliseconds — introduces new attack surfaces. The features designed to save bandwidth become the mechanisms for amplification.
HTTP/2 Bomb is particularly instructive because it was discovered using AI. Quang Luong used OpenAI's Codex to identify the exploit chain, which means this isn't a one-off. If AI can find vulnerabilities by systematically exploring protocol interactions, the floodgates are open.
The organizations that will thrive in this environment aren't the ones trying to eliminate risk entirely — that's impossible. They're the ones building operational patterns that let them respond fast: automated patch management, real-time vulnerability scanning, clear ownership of every server in the stack.
The HTTP/2 Bomb won't be the last protocol-level vulnerability of this kind. It might not even be the most damaging one. But it's a wake-up call that deserves attention: your infrastructure is probably more exposed than you think, and the features making it fast are the same ones making it vulnerable.