The denial-of-service (DoS) exploit takes advantage of two features in HTTP/2 that were designed to save Internet bandwidth, not power massive amplification attacks.
A newly disclosed denial-of-service vulnerability, tracked as CVE-2026-49975, shows how long-known HTTP/2 weaknesses can still be chained into a highly effective modern attack. SecurityWeek reports that researchers at Calif demonstrated an HTTP/2 Bomb exploit capable of knocking major web servers offline within seconds by combining a compression bomb with a Slowloris-style hold that prevents the […]
HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
A newly disclosed Denial-of-Service (DoS) technique dubbed HTTP/2 Bomb can crash or stall servers that run default HTTP/2 configurations across several widely deployed stacks. The technique chains two behaviors that are individually familiar to defenders: header-related amplification and Slowloris-style connection holding. Combined, they can exhaust […]
On common web servers such as Nginx, Apache HTTPD and Microsoft IIS, memory can be flooded within seconds with little effort. (Security vulnerability, Apache)
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. […]
The default HTTP/2 configuration of major web servers is vulnerable to an attack chain combining a compression bomb and a Slowloris-style hold. The post ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds appeared first on SecurityWeek.