Security researchers have identified a remote denial-of-service attack technique that targets HTTP/2 compression handling across five of the most widely deployed web servers: NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The method chains header compression tricks to exhaust server memory and CPU with minimal attacker bandwidth, building on a class of vulnerability first cataloged a decade ago. Because HTTP/2 carries the bulk of encrypted web traffic, the flaw puts a broad swath of internet infrastructure at risk of disruption from relatively small, targeted requests.
How the HTTP/2 Bomb extends a known compression flaw
The attack draws on the same compression-abuse principle documented in the CVE-2016-6581 entry, which NIST’s National Vulnerability Database titled “HPACK Bomb.” That earlier vulnerability showed how a crafted HTTP/2 header block could decompress into a vastly larger payload on the server side, consuming memory far out of proportion to the data an attacker actually sent. The new technique goes further by chaining multiple compression operations together, turning a modest request into a cascading resource-exhaustion event that affects all five named server implementations.
HPACK is the header compression algorithm specified by HTTP/2. Servers that allow dynamic header table resizing give attackers additional room to amplify the ratio between compressed input and decompressed output. The chained approach exploits this by stacking compressed references so each layer multiplies the decompression cost. On servers where dynamic table resizing is enabled by default, the resulting amplification is substantially larger than what CVE-2016-6581 alone could achieve, because the attacker controls both the table size and the sequence of indexed references in a single connection.
The practical consequence is stark. A single attacker with limited upload bandwidth can force a production web server to allocate enough memory or burn enough CPU cycles to degrade service for all other users, or crash the process entirely. NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora each implement HPACK with slightly different internal defaults, but all five accept the compressed header sequences that trigger the bomb. That breadth is what separates this finding from earlier, implementation-specific bugs: the flaw sits in how the protocol’s compression layer interacts with real-world server configurations, not in a single vendor’s code.
Because HTTP/2 is commonly used over TLS, many operators assume that encrypting traffic neutralizes protocol-level abuse. The chained HPACK attack undercuts that assumption by showing that even fully encrypted sessions can carry highly asymmetric workloads, where the server pays a far higher processing cost than the client. The attack does not break encryption or confidentiality; instead, it weaponizes legitimate compression behavior to deny service.
NIST records and institutional research trace the risk class
The original HPACK Bomb vulnerability was published through the NIST National Vulnerability Database, and its record remains the primary reference for the compression-abuse risk class in HTTP/2. CVE-2016-6581 documented how HPACK-related denial-of-service abuse could be triggered remotely, establishing the baseline threat model that the new chained technique extends. NIST’s broader security configuration resources, including its Common Configuration Enumeration listings, reference compression-related controls that apply to web server hardening, though none of these records yet address the specific chaining behavior described in the current findings.
No new CVE identifier for the chained HTTP/2 Bomb has appeared in NIST’s database as of early June 2026. That gap matters because without a dedicated CVE, automated vulnerability scanners and patch-management tools cannot flag affected systems. Operators who rely on CVE-based alerting will not see a signal until NIST or another numbering authority assigns and publishes a new entry. The absence of a formal identifier also slows coordinated disclosure, since vendors typically track remediation timelines against specific CVE records.
Institutional research groups have studied compression-side-channel and compression-bomb attacks for years. Work cataloged through university security laboratories has examined how protocol-level compression creates exploitable asymmetries between sender cost and receiver cost. That body of research established the theoretical foundation for the current findings, but the specific multi-server reproduction details and amplification measurements for the chained HTTP/2 Bomb have not yet been published in a peer-reviewed venue or formal advisory.
Historically, once a vulnerability class is recognized, standards bodies and vendors move toward mitigation patterns that can be applied across products. In this case, the underlying risk arises from the interaction of HPACK’s dynamic table features with permissive server limits. Until that interaction is formally codified in a new advisory or standards update, operators must infer best practices from earlier compression-bomb guidance and from the limited technical information researchers have shared.
Open questions for server operators and vendors
Several pieces of the picture are still missing. No public advisory from NGINX, Apache, Microsoft, the Envoy project, or Cloudflare has confirmed the vulnerability or announced patches. Without vendor acknowledgment, operators cannot be certain which software versions are affected or whether existing configuration options, such as limiting HPACK dynamic table size, fully mitigate the attack. The lack of a new CVE entry means there is no standardized severity score to guide prioritization.
The amplification ratio of the chained technique relative to the original HPACK Bomb also lacks a published, independently verified measurement. Researchers have described the chained approach as producing significantly higher resource consumption per byte of attacker traffic, but controlled test results against each of the five named servers have not been released in a form that third parties can reproduce. Until those numbers are public, defenders are working from general guidance rather than precise risk calculations.
For organizations running any of the five affected servers, the most immediate step is to review HTTP/2 configuration settings related to HPACK dynamic table size and maximum header list size. Reducing the dynamic table size limit shrinks the amplification window, though it may slightly increase bandwidth usage for legitimate traffic. Monitoring memory and CPU consumption for unusual spikes in HTTP/2 processing threads can also provide early warning that a compression-based attack is underway.
Operators should also consider rate-limiting or connection-level controls that cap the number of header blocks or requests a single client can send over a given time window. Because the chained HPACK attack relies on repeated decompression work within one or a few connections, throttling those connections can blunt the impact even when the underlying compression behavior remains unchanged. Logging detailed HTTP/2 frame statistics, where available, can help distinguish between normal high-traffic conditions and a deliberate attempt to trigger the bomb.
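To make the amplification and the mitigation concrete, here is a small Python model added for this article (it is not code from any of the named servers or from the researchers): it applies RFC 7541's entry-size accounting to an abstract header block and shows that enforcing a maximum header list size while decoding, rather than after, bounds the work a few kilobytes of indexed references can cause. The tuple-based op format, the 4000-byte constructed entry, the 4096-byte table and the 16 KiB cap are illustrative assumptions, and the wire-byte counts are rough estimates rather than real HPACK encoding.

```python
ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: entry size = len(name) + len(value) + 32

class HeaderListTooLarge(Exception):
    """Raised when a header block exceeds SETTINGS_MAX_HEADER_LIST_SIZE mid-decode."""
    def __init__(self, decoded, wire):
        super().__init__(f"decoded {decoded} bytes from {wire} wire bytes")
        self.decoded, self.wire = decoded, wire

class HpackTable:
    """Dynamic table bounded by SETTINGS_HEADER_TABLE_SIZE; oldest entries are evicted."""
    def __init__(self, max_table_size):
        self.max_table_size = max_table_size
        self.entries = []  # newest first: index 0 is the most recently added entry
        self.size = 0

    def add(self, name, value):
        self.entries.insert(0, (name, value))
        self.size += len(name) + len(value) + ENTRY_OVERHEAD
        while self.size > self.max_table_size:
            n, v = self.entries.pop()
            self.size -= len(n) + len(v) + ENTRY_OVERHEAD

def decode_block(ops, table, max_header_list_size=None):
    """Decode an abstract block: ('literal', name, value) adds a table entry and emits it,
    ('indexed', i) re-emits dynamic entry i for about one wire byte. Returns (headers, wire)."""
    headers, wire, decoded = [], 0, 0
    for op in ops:
        if op[0] == "literal":
            _, name, value = op
            wire += 2 + len(name) + len(value)  # approximate cost of a literal field
            table.add(name, value)
        else:
            name, value = table.entries[op[1]]
            wire += 1  # a small index fits in a single byte
        decoded += len(name) + len(value) + ENTRY_OVERHEAD  # RFC 7540 s6.5.2 accounting
        if max_header_list_size is not None and decoded > max_header_list_size:
            raise HeaderListTooLarge(decoded, wire)  # stop before allocating any more
        headers.append((name, value))
    return headers, wire

def demo(max_header_list_size=None):
    """Constructed block: one 4000-byte literal followed by 1000 references to it.
    Returns (decoded_bytes, wire_bytes, aborted)."""
    ops = [("literal", "x-pad", "a" * 4000)] + [("indexed", 0)] * 1000
    table = HpackTable(max_table_size=4096)  # just large enough to retain the entry
    try:
        headers, wire = decode_block(ops, table, max_header_list_size)
    except HeaderListTooLarge as exc:
        return exc.decoded, exc.wire, True
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers), wire, False
```

Without a cap, `demo()` reports roughly 4.0 MB of decoded header data from about 5 KB of input; with `demo(16384)` the decoder aborts on the fifth field after about 20 KB, so memory stays near the cap regardless of how many references follow.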
From the vendor side, clarifying default settings is a pressing need. If a server ships with a very large dynamic table size or generous header limits, it will be more vulnerable to compression abuse than an otherwise identical deployment with conservative defaults. Vendors may need to revisit those defaults, document the trade-offs more clearly, and provide hardened configuration profiles aimed at high-risk environments such as public-facing APIs and large content platforms.
Longer term, the HTTP/2 and HPACK specifications themselves may warrant review. While the protocol allows dynamic table resizing for efficiency, it leaves implementation details and safety checks to individual products. Standardizing guidance on safe upper bounds, or defining protocol-level mechanisms for signaling resource pressure, could help reduce the risk that a single crafted stream can monopolize server resources. Any such changes would need to balance performance, compatibility, and security across a vast installed base.
Until formal advisories and updated standards emerge, defenders are left in a familiar position: applying conservative configuration changes, tuning monitoring, and preparing incident-response plans based on an evolving understanding of the threat. The chained HTTP/2 Bomb does not introduce a brand-new vulnerability class, but it demonstrates that long-known compression weaknesses can resurface in more potent forms when widely deployed protocols and default settings align in the attacker’s favor.
This article was researched with the help of AI, with human editors creating the final content.