New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Jun 3, 2026

Cybersecurity researchers have discovered a remote denial-of-service exploit that affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.

The vulnerability has been codenamed HTTP/2 Bomb by Calif.

“The vulnerable behavior exists in each server’s default HTTP/2 configuration,” the company said, adding it was discovered by OpenAI Codex by chaining

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

Free Network Consultation
||
Free IT Buyers Guide
||
Limited Time Only

CONTACT US

We are always ready to help you

Get Free Report & Network Analysis

Please check your email for the free report.