Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
Vulnerability
Summary
Hide ▲
Show ▼
Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora inaccessible. The flaw enables memory exhaustion by chaining a compression bomb with a Slowloris-style hold.
Related Happenings
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
How related:
To counter the vulnerability, it's advised to apply the following mitigations -
About this happening:
Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationHow related: To counter the vulnerability, it's advised to apply the following mitigations -
About this happening: Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 confi...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
openDCIM is seeing an active exploitation wave tied to CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: openDCIM is seeing an active exploitation wave tied to CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517, with attackers targeting vulnerable installations an...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
H score89
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
CVE-2025-55182 (React2Shell) was publicly disclosed on December 3, 2025 as a CVSS 10 remote code execution flaw in React Server Components. Since then, the vulnera...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation WaveAbout this happening: CVE-2025-55182 (React2Shell) was publicly disclosed on December 3, 2025 as a CVSS 10 remote code execution flaw in React Server Components. Since then, the vulnera...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
H score23
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said i...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware ActivityAbout this happening: The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
PhantomCaptcha WebSocket RAT PowerShell delivery chain
Malware Activity
H score22
First: 24.10.2025 15:15
Last: 24.10.2025 15:15
Sources 1
About this happening:
PhantomCaptcha delivered a WebSocket RAT on October 8 through a multi-stage PowerShell chain that let operators run commands, exfiltrate data, and load more malwar...
PhantomCaptcha WebSocket RAT PowerShell delivery chain
Malware ActivityAbout this happening: PhantomCaptcha delivered a WebSocket RAT on October 8 through a multi-stage PowerShell chain that let operators run commands, exfiltrate data, and load more malwar...
Timeline
-
03.06.2026 11:33 2 articles · 1mo ago
Researchers disclose HTTP/2 Bomb remote denial-of-service flaw
Initial DisclosureResearchers disclosed HTTP/2 Bomb, a remote denial-of-service flaw affecting default HTTP/2 configurations in NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Calif said the issue was discovered by OpenAI Codex by chaining a compression bomb with a Slowloris-style hold against HPACK, letting a client force repeated header allocations and keep server memory pinned.
Show sources
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — thehackernews.com — 03.06.2026 11:33
- New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — thehackernews.com — 03.06.2026 11:33