The denial-of-service (DoS) exploit takes advantage of two features in HTTP/2 that were designed to save Internet bandwidth, not to power massive amplification attacks.
June 15, 2026
A vulnerability at the very heart of how the modern Internet operates is disproportionately affecting organizations that have large, distributed footprints on the Web. Patches are available, but idiosyncrasies in vendor rollouts have caused some confusion.
Earlier this spring, Calif security researcher Quang Luong used OpenAI's Codex to discover an exploit now referred to as the "HTTP/2 Bomb." As seems to be customary for severe, AI-discovered vulnerabilities, HTTP/2 Bomb — or, more formally, CVE-2026-49975 — creatively chains together two old, nondescript features of a core Web technology to help attackers amplify junk traffic by orders of magnitude. Because it enables denial-of-service (DoS) attacks without any need for authentication, the issue received a high-severity CVSS score of 7.5.
What stands out most of all about HTTP/2 Bomb is the sheer scale of vulnerable online infrastructure. Calif's initial Shodan scan indicated that more than 880,000 websites support HTTP/2 and run one of the affected server implementations: nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. Those server providers have been releasing fixes, and organizations are advised to patch immediately where possible.