Find notable cyber news and cases, enriched with sources, timelines, and signals.

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora inaccessible. The flaw enables memory exhaustion by chaining a compression bomb with a Slowloris-style hold.

Related Happenings

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation
H score46 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

How related: To counter the vulnerability, it's advised to apply the following mitigations -

About this happening: Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: openDCIM is seeing an active exploitation wave tied to CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517, with attackers targeting vulnerable installations an...

React2Shell (CVE-2025-55182) mass scanning and exploitation wave

Exploitation Wave
H score89 First: 20.02.2026 23:07 Last: 20.02.2026 23:07 Sources 1

About this happening: CVE-2025-55182 (React2Shell) was publicly disclosed on December 3, 2025 as a CVSS 10 remote code execution flaw in React Server Components. Since then, the vulnera...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
H score23 First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

PhantomCaptcha WebSocket RAT PowerShell delivery chain

Malware Activity
H score22 First: 24.10.2025 15:15 Last: 24.10.2025 15:15 Sources 1

About this happening: PhantomCaptcha delivered a WebSocket RAT on October 8 through a multi-stage PowerShell chain that let operators run commands, exfiltrate data, and load more malwar...

Timeline

  1. 03.06.2026 11:33 2 articles · 1mo ago

    Researchers disclose HTTP/2 Bomb remote denial-of-service flaw

    Initial Disclosure

    Researchers disclosed HTTP/2 Bomb, a remote denial-of-service flaw affecting default HTTP/2 configurations in NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Calif said the issue was discovered by OpenAI Codex by chaining a compression bomb with a Slowloris-style hold against HPACK, letting a client force repeated header allocations and keep server memory pinned.

    Show sources