The Hacker News

New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

HTTP/2 Bomb exploits HPACK and flow control; a single client can hold 32GB memory in 20 seconds, causing server outages.
SecurityWeek

‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds

The HTTP/2 Bomb exploit chains two known denial-of-service (DoS) attack techniques to knock major web servers offline.
TechRadar

OpenAI’s Codex helps discover HTTP/2 Bomb DoS attack that can nuke over 30GB of RAM within seconds, knocking web servers offline before they can react

We can thank AI for a new denial-of-service (DoS) technique that can knock a server offline in mere seconds, using nothing but a single computer with a 100 Mbps connection. Earlier this week, ...
Dark Reading

Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks

A researcher has created a method for testing and identifying how HTTP/HTTPS headers can be abused to sneak malicious code into back-end servers. Daniel Thatcher, researcher and penetration tester at ...
Security Boulevard

Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS

TL;DR: CVE-2026-49975, dubbed the “HTTP/2 Bomb,” is a critical remote Denial-of-Service (DoS) vulnerability affecting default HTTP/2 configurations of major web servers including NGINX, Apache HTTPD, ...