OpenAI Codex Helps Expose Decades-Old HTTP/2 Bomb Server Attack

OpenAI Codex helped security researchers expose HTTP/2 Bomb, a decades-old server-memory attack; nginx, Apache, and Envoy already have fixes, but IIS and Pingora remain unresolved.

TL;DR
  • Codex Role: OpenAI Codex helped Calif, an AI red-teaming security group, expose HTTP/2 Bomb, which combines old HTTP/2 techniques into a practical server-memory attack.
  • Attack Impact: Calif says one 100Mbps connection can make vulnerable servers unreachable within seconds and consume up to 32GB in Apache and Envoy tests.
  • Exposure Caveat: Calif’s Shodan estimate found more than 880,000 sites running named server products, but that is not a confirmed exploitable-server count.
  • Patch Map: nginx, Apache mod_h2, and Envoy have fixes or mitigations, while IIS and Pingora still need operator or vendor checks.

OpenAI Codex helped Calif, an AI red-teaming security group, expose HTTP/2 Bomb, a denial-of-service attack that combines old HTTP/2 compression and connection-holding techniques against current server defaults.

Calif estimates that more than 880,000 websites may need checking. The number comes from Shodan, a search engine for internet-facing servers, and counts sites that advertise HTTP/2 while running one of the server products Calif named. It is not a confirmed list of vulnerable servers, because CDN protection or private server setups can keep the underlying system from being directly exposed.

The named products are web-server and proxy software that handle HTTP/2 traffic: nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. The risk is not that an attacker needs huge traffic volume, but that vulnerable HTTP/2 handling can make a server hold far more memory than the request size suggests.

That memory imbalance is what makes the attack dangerous: Calif says one 100Mbps home connection can make a vulnerable server unreachable within seconds. Fixes and mitigations now vary by stack, with nginx, Apache mod_h2, and Envoy covered by public fixes or guidance while Microsoft is still investigating IIS mitigations.

Reverse-proxy buffering can keep low-and-slow traffic from reaching origin servers, a protection Cloudflare explains in its Slowloris mitigation guidance. Calif still lists Cloudflare Pingora among the server products with vulnerable default HTTP/2 behavior.

Cloudflare says its existing DDoS defenses already protect customers, but that statement does not answer the narrower question raised by Calif: whether Pingora’s default HTTP/2 behavior belongs in the affected set.

Calif researcher Quang Luong said the danger is that ordinary connection speeds can turn into server-scale memory exhaustion.

“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds.”

Quang Luong, Calif researcher (via Calif)

The benchmark shows why the attack is dangerous even without a large botnet. A small stream of requests can force a vulnerable server to keep decoded HTTP/2 data in memory, so operators need to know whether their stack releases that memory quickly enough before the service becomes unreachable.

How HTTP/2 Bomb Turns Old Tricks Into Current Risk

The attack works by making a small HTTP/2 request become much larger after the server decodes its headers, then preventing the request from finishing normally. That pairing turns HPACK compression behavior and a Slowloris-style hold, where a connection is kept open to tie up server resources, into a memory-exhaustion path.

When those behaviors combine, low-rate traffic can create outsized memory pressure if an HTTP/2 implementation lacks tight request or allocation limits. HPACK can expand compact header references into much larger decoded lists, while the flow-control stall keeps the request alive long enough for allocations to accumulate instead of clearing at normal request boundaries.
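The imbalance described above is easiest to see on the decoder side: a one-byte indexed reference can stand for a multi-kilobyte entry in the HPACK dynamic table, so a decoder that only bounds the wire size of a header block still allocates far more than it received. The following example, added here and not part of Calif's repository or any of the named servers' code, implements a small subset of RFC 7541 decoding (indexed fields and literals with incremental indexing, non-Huffman strings only, dynamic-table entries only) and charges every decoded header against a decoded-list budget, which is the kind of hard limit the article says vulnerable stacks lack. The 8192-byte budget and the constructed test vector (one 4000-byte cookie followed by 100 one-byte references to it) are assumptions chosen to make the arithmetic visible, not values taken from the article.

```python
"""Subset HPACK decoder that enforces a decoded-header-list budget.

Added example, not code from the article or from any named server. Only
the field representations needed to show HPACK amplification are handled.
"""

STATIC_TABLE_SIZE = 61     # RFC 7541 Appendix A defines 61 static entries
ENTRY_OVERHEAD = 32        # RFC 7541 section 4.1: size = len(name) + len(value) + 32
DYNAMIC_TABLE_MAX = 4096   # default SETTINGS_HEADER_TABLE_SIZE


class HeaderListTooLarge(Exception):
    """Raised before the decoder materialises an entry beyond the budget."""


def _decode_int(data, pos, prefix_bits):
    """Decode an HPACK integer (RFC 7541 section 5.1) with an N-bit prefix."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _decode_string(data, pos):
    """Decode a string literal; Huffman-coded strings (H bit set) are out of scope."""
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not supported in this example")
    length, pos = _decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length


def _table_size(table):
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in table)


def decode_header_block(block, max_header_list_size, dynamic_table=None):
    """Decode a header block, returning (headers, decoded_size).

    Each emitted header is charged name + value + 32 bytes against
    max_header_list_size; the decoder stops as soon as the running total
    would exceed it, so the wire size of `block` no longer bounds memory.
    """
    if dynamic_table is None:
        dynamic_table = []          # newest entry first: index 62 == dynamic_table[0]
    headers = []
    decoded_size = 0
    pos = 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                          # indexed header field (section 6.1)
            index, pos = _decode_int(block, pos, 7)
            if index <= STATIC_TABLE_SIZE:
                raise ValueError("static table lookups are not implemented in this example")
            name, value = dynamic_table[index - STATIC_TABLE_SIZE - 1]
        elif (first & 0xC0) == 0x40:              # literal with incremental indexing (6.2.1)
            index, pos = _decode_int(block, pos, 6)
            if index != 0:
                raise ValueError("name-by-index literals are not implemented in this example")
            name, pos = _decode_string(block, pos)
            value, pos = _decode_string(block, pos)
            dynamic_table.insert(0, (name, value))
            while dynamic_table and _table_size(dynamic_table) > DYNAMIC_TABLE_MAX:
                dynamic_table.pop()               # evict oldest entries (section 4.4)
        else:
            raise ValueError("unsupported field representation 0x%02x" % first)
        decoded_size += len(name) + len(value) + ENTRY_OVERHEAD
        if decoded_size > max_header_list_size:
            raise HeaderListTooLarge(
                "decoded header list would exceed %d bytes after %d headers"
                % (max_header_list_size, len(headers) + 1))
        headers.append((name, value))
    return headers, decoded_size


# --- constructed test vector (assumption, not from the article) ---------------

def _encode_int(value, prefix_bits, flags=0):
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = [flags | mask]
    value -= mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def _encode_string(s):
    return _encode_int(len(s), 7) + s             # H bit clear: raw octets


def build_sample_block(cookie_len=4000, references=100):
    """One literal cookie header entered into the dynamic table, then
    `references` one-byte indexed fields (0xBE = index 62) pointing at it."""
    literal = b"\x40" + _encode_string(b"cookie") + _encode_string(b"a" * cookie_len)
    return literal + b"\xBE" * references


SAMPLE_BLOCK = build_sample_block()


def amplification(block, max_header_list_size):
    """Decoded bytes per wire byte when the block is accepted in full."""
    _, decoded = decode_header_block(block, max_header_list_size)
    return decoded / len(block)


if __name__ == "__main__":
    print("wire bytes:", len(SAMPLE_BLOCK))
    try:
        decode_header_block(SAMPLE_BLOCK, 8192)
    except HeaderListTooLarge as e:
        print("rejected:", e)
    print("amplification with no effective limit: %.0f:1" % amplification(SAMPLE_BLOCK, 10**9))
```

Without a decoded-size budget the 4111-byte block decodes to 101 headers totalling 407838 accounted bytes, roughly 99:1; with an 8192-byte budget the decoder rejects it on the third header, which is the behaviour a header-count or header-list limit is meant to guarantee before allocations accumulate across a stalled request.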

The novel part was not either technique on its own, but the way Codex helped Calif test them together against real server code.

“Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack.”

Quang Luong, Calif researcher (via Calif)

For historical context, protocol work had already exposed the pieces. In 2015, RFC 7541 treated decoder memory exhaustion as a security concern for HTTP/2 header compression, and a later CVE-2016-6581 entry documented HPACK Bomb behavior.

A 2023 HTTP/2 Rapid Reset precedent showed that HTTP/2 implementation details can become large denial-of-service pressure points.

Calif’s public repository gives operators separate proof-of-concept tests for each named server. Each test runs the target under a memory limit and measures how much memory the attack makes it hold, with reported amplification from about 62:1 on Pingora to about 5,700:1 on Envoy.

Patch Status Now Depends on the Server Stack

nginx version 1.29.8 added the max_headers directive, and Apache’s mod_h2 v2.0.41 fixes cookie header accounting against LimitRequestFields. A later mod_h2 v2.0.42 release addresses an unrelated file-descriptor issue.

Envoy has a separate advisory for HTTP/2 memory exhaustion through cookie header size bypass and HPACK amplification. Versions before 1.39 are affected, with fixes in 1.35.11, 1.36.7, 1.37.3, and 1.38.1. The advisory assigns CVE-2026-47774 and rates the issue high severity with a 7.5 CVSS score.

Where a fix is not available, teams running affected servers can disable HTTP/2 where feasible or enforce hard header-count limits. Envoy also recommends tighter request header or cookie limits before traffic reaches Envoy.

Memory limits can reduce the blast radius by killing a worker process before the attack holds the whole machine near exhaustion. Envoy said one test OOM-killed an edge process under a 3 GB memory limit within a few seconds.

IIS and Pingora remain unresolved checks. Microsoft has not published detailed IIS mitigation guidance, while Cloudflare says customers are already protected even though Calif lists Pingora in the affected set.

Luong is scheduled to present the full technical details at the Real World AI Security conference on June 23-25, 2026, giving server teams a clearer point to watch for Microsoft or Cloudflare updates.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.