New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
ID: 4659f1ba-1037-5679-a671-1307520df5f4
STIX ID: report--4659f1ba-1037-5679-a671-1307520df5f4
Feed Name: The Hacker News
Researchers disclosed the "HTTP/2 Bomb," a remote DoS exploit that leverages HPACK header-compression amplification plus a zero-byte flow-control hold to pin large amounts of memory on HTTP/2 servers (NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora). A single client can reportedly consume and hold tens of gigabytes (e.g., ~32GB against Apache/Envoy in ~20 seconds); patches or configuration mitigations exist for NGINX and Apache, while other vendors had no fixes at the time of reporting.
