New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
ID: 1737e152-3033-5ea0-94d1-68c31ad388a4
STIX ID: report--1737e152-3033-5ea0-94d1-68c31ad388a4
Feed Name: Bleeping Computer
A new "HTTP/2 Bomb" DoS technique combines HPACK compression amplification with HTTP/2 flow-control stalling, allowing a single client on a 100 Mbps link to exhaust tens of gigabytes of RAM on default configurations of major web servers (Envoy, Apache httpd, nginx, IIS) within seconds. PoC exploits exist, and researchers report dramatic memory-amplification ratios (e.g., 5,700:1 for Envoy). Patches or mitigations are available for some servers (nginx 1.29.8, Apache mod_http2 2.0.41 / CVE-2026-49975), while others (IIS, Envoy, Pingora) remained unpatched at the time of writing. Recommended mitigations include disabling HTTP/2 or placing proxies/WAFs in front of the server that enforce header limits.
