HTTP/2 Bomb: How Default Configurations Open a New DoS Vector
ID: 0a0adc2e-db9b-593e-871f-154d7884423e
STIX ID: report--0a0adc2e-db9b-593e-871f-154d7884423e
Feed Name: SOCRadar Blog
HTTP/2 Bomb is a remote denial-of-service chain that combines header-related allocation amplification with HTTP/2 flow-control connection holding to exhaust memory on servers running default HTTP/2 configurations. It affects widely deployed stacks (nginx, Apache httpd/mod_http2, IIS, Envoy, Pingora). PoC code exists and patches are incomplete. Defenders are advised to patch where available, or to mitigate by disabling HTTP/2, enforcing header-count and connection limits, and monitoring HTTP/2 metrics.
