Fedora Account System
Red Hat Associate
Red Hat Customer
We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers, including: nginx Apache httpd Microsoft IIS Envoy Cloudflare Pingora The vulnerable behavior exists in each server's default HTTP/2 configuration. The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it. A curious search on Shodan revealed 880,000+ websites supporting HTTP/2 and running one of these servers, though many sit behind a CDN, which is much harder to bring down. A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:25057 https://access.redhat.com/errata/RHSA-2026:25057
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:25090 https://access.redhat.com/errata/RHSA-2026:25090
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:25225 https://access.redhat.com/errata/RHSA-2026:25225
This issue has been addressed in the following products: Red Hat JBoss Core Services 2.4.62.SP4 Via RHSA-2026:27201 https://access.redhat.com/errata/RHSA-2026:27201
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2026:27200 https://access.redhat.com/errata/RHSA-2026:27200
Errata for nginx is missing.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2026:36373 https://access.redhat.com/errata/RHSA-2026:36373
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On Via RHSA-2026:36831 https://access.redhat.com/errata/RHSA-2026:36831
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2026:36846 https://access.redhat.com/errata/RHSA-2026:36846