Black & White Path
Jun 4, 2026 · Information Security
Hidden HTTP/2 Bomb Discovered by Codex Can Cripple Millions of Servers
The Codex team uncovered a new HTTP/2 bomb that exploits HPACK compression and a zero-byte window stall. An attacker with just 100 Mbps of bandwidth can consume up to 32 GB of memory within seconds on vulnerable servers such as nginx, Apache, IIS, Envoy and Cloudflare Pingora. The article details the attack mechanics, historical context, disclosure timeline, and mitigation strategies.
DoS · Envoy · HPACK
