June 6, 2026
One Laptop. One Connection. Every Website on Your Server — Gone in 60 Seconds.
Jazz Cyber Shield
CVE-2026-49975 "HTTP/2 Bomb" was discovered by an AI. It crashes nginx, Apache, and Microsoft IIS with a single request. Microsoft still hasn't patched it.
It started as a research experiment.
A security firm called Calif gave OpenAI's Codex a task: read the source code of the world's most widely deployed web servers and find vulnerabilities that human researchers had missed.
Codex read the codebases. It recognized something. It built an attack.
What it found was not a new bug. Both techniques it combined had been publicly known for a decade. Human researchers had seen each one individually and moved on. No one had put them together.
Codex did — in the time it takes to make a cup of coffee.
On June 3, 2026, Calif published the result: HTTP/2 Bomb. A remote denial-of-service exploit that crashes nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora — the web servers that collectively power the majority of the internet — using a single connection from a home laptop on a standard internet plan.
The attack potentially affects over 880,000 websites that support HTTP/2 and run default server configurations.
Microsoft IIS still has no patch.
What HTTP/2 Bomb Actually Does
The bomb targets HPACK — HTTP/2's header compression scheme. One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. Combined with a zero-byte flow-control window that keeps the server from ever freeing any of it, memory fills up and never comes back.
In plain English: the attacker sends a specially crafted request that forces your web server to allocate enormous amounts of memory — and then blocks the server from releasing it. The server runs out of memory. It crashes. Or it becomes so slow it is effectively unreachable.
Researchers demonstrated that a system connected via a 100 Mbps internet link — a standard home or office connection — could consume tens of gigabytes of server memory in under a minute.
No botnet. No thousands of compromised machines. No sustained high-bandwidth attack.
One malicious customer, or one external attacker, can take down a shared server and every site running on it.
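The mechanism described above, as an added example (this is not code from the article, from Calif, or from any of the servers named): a minimal HPACK (RFC 7541) decoder in Python that enforces the two controls the mitigations below rely on, a cap on the number of decoded header fields and a cap on the decoded octets the server would hold. The sample block is constructed, and Huffman coding, indexed names and most of the static table are left out, so it handles only the two representations the sample needs.

```python
# Subset of the RFC 7541 static table; enough for the constructed sample below.
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST")}
ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: an entry costs len(name)+len(value)+32

class HeaderLimitExceeded(Exception): """Decoded list crossed a cap; reject the stream."""

def _read_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix-coded integer (RFC 7541 section 5.1)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    shift, more = 0, value == mask  # continuation bytes only if the prefix is all ones
    while more:
        more, value = buf[pos] & 0x80, value + ((buf[pos] & 0x7F) << shift)
        pos, shift = pos + 1, shift + 7
    return value, pos

def _read_str(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not handled in this example")
    length, pos = _read_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def decode_header_block(block, max_headers=100, max_decoded_bytes=16384):
    """Decode a HEADERS block field by field, capping the *decoded* list
    (count and octets); a cap on wire bytes alone cannot see the amplification."""
    dynamic, headers, size, pos = [], [], 0, 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:  # indexed field: one wire byte names a whole table entry
            idx, pos = _read_int(block, pos, 7)
            name, value = STATIC[idx] if idx <= 61 else dynamic[idx - 62]
        elif b & 0x40:  # literal with incremental indexing, new name and value
            idx, pos = _read_int(block, pos, 6)
            if idx:
                raise ValueError("indexed names are not handled in this example")
            name, pos = _read_str(block, pos)
            value, pos = _read_str(block, pos)
            dynamic.insert(0, (name, value))  # index 62 is always the newest entry
        else:
            raise ValueError("representation 0x%02x not handled" % b)
        headers.append((name, value))
        size += len(name) + len(value) + ENTRY_OVERHEAD
        if len(headers) > max_headers or size > max_decoded_bytes:
            raise HeaderLimitExceeded(f"{len(headers)} fields, {size} decoded bytes")
    return headers

def amplified_sample(refs=4000):
    """Constructed input (not a capture): one 100-byte literal entry, then `refs` one-byte references to it (0xBE = index 62)."""
    return b"\x40\x05x-pad\x64" + b"A" * 100 + b"\xbe" * refs
```

With refs=4000 the sample is 4,108 bytes on the wire but decodes to 4,001 fields and 548,137 held octets, so a limit checked on wire size passes it while the default caps here reject it at the 101st field, before the bulk of the allocation happens.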
The Patch Status — And Why Microsoft IIS Is the Urgent Problem
This is where the story gets uncomfortable for a significant portion of enterprise IT.
nginx addressed the issue in version 1.29.8, introducing a new max_headers directive. Apache fixed the flaw in mod_http2 v2.0.41, assigned CVE-2026-49975.
However, the Apache fix exists only in the standalone mod_http2 module and has not been bundled into any released Apache httpd version — meaning a standard apt upgrade apache2 or yum update httpd will not deliver it. Apache deployments should be treated as effectively unpatched until a bundled release ships.
Envoy released a security patch on June 3, 2026. Microsoft IIS and Cloudflare Pingora have no fix available at this time.
Microsoft IIS remains common in enterprise Windows environments — the exact environments where IT teams assume their infrastructure vendor has their back. Right now, that assumption is wrong.
The Part Nobody Is Talking About — AI Found This
I want to step back from the patch status for a moment, because the story of how HTTP/2 Bomb was discovered is as important as the vulnerability itself.
Calif notes: "Both halves have been public for a decade. What Codex did was read the codebases, recognize that the two compose, and build the combined attack. That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers."
Read that carefully.
Two known techniques. Public for ten years. Five independent implementations of the HTTP/2 specification — nginx, Apache, IIS, Envoy, Pingora — all shipped the same vulnerable combination. Human security researchers examined these codebases for a decade and did not find it.
An AI found it in hours.
The fix commits are public and disclose the vectors directly. Any capable AI model can turn those diffs into a working exploit — which is exactly how Calif found that Microsoft IIS, Envoy, and Pingora are also vulnerable.
This is the new reality of vulnerability research: the same AI tools that defenders use to audit code are available to attackers to find and weaponize what defenders miss. The asymmetry that previously favored defenders — attackers had to find the needle, defenders just had to patch known issues — is collapsing.
HTTP/2 Bomb is not the first AI-discovered vulnerability. It will not be the last. The question is whether your infrastructure can survive the next one.
What You Need to Check Right Now
Are you running nginx? Upgrade to version 1.29.8 immediately. This is a standard update through your package manager. Run it today.
Are you running Apache httpd? A standard system update will NOT fix this. Applying the fix requires manually installing the updated mod_http2 module from Apache's standalone module releases. Until a bundled httpd release ships the fix, enforce stricter HTTP/2 concurrency limits at a load balancer or reverse proxy in front of Apache as a partial mitigation.
Are you running Microsoft IIS? No patch from Microsoft at time of publication. The recommended mitigation is to disable HTTP/2 entirely, or front IIS with a proxy that enforces a hard per-request header count cap. Monitor Microsoft's security advisories for an emergency patch.
Are you running Cloudflare Pingora? No patch available. Apply the same mitigation: disable HTTP/2 or enforce hard header limits at the proxy layer.
For all servers: Cap per-worker memory via cgroups, ulimit, or container limits. An OOM-killed worker that respawns is a far better failure mode than a machine pushed into swap.
The Bigger Picture: Your Web Infrastructure Was Built for a Different Era
HTTP/2 Bomb is a denial-of-service vulnerability. It crashes servers. It does not, by itself, give attackers access to data or allow code execution.
But "just a DoS" is cold comfort when your company's website, your customer portal, your API endpoints, and your internal web applications are all running on the affected servers.
For e-commerce businesses, a server crash during peak traffic is a revenue event. For SaaS companies, a crashed API is a customer churn event. For any business with a web presence — which is every business in 2026 — an attacker who can crash your server with a single connection from a home laptop has meaningful leverage over your operations.
IBM's X-Force Threat Intelligence Index 2026 identified that over the past five years, major supply chain and third-party breaches quadrupled — reflecting a shift where attackers target interconnected systems and trusted integrations rather than breaking through a single organization's defenses directly.
HTTP/2 Bomb fits this pattern exactly. It does not target your application. It targets the infrastructure your application runs on — the web server layer that sits below your security perimeter, that your firewall trusts by default, that your WAF was not designed to protect against.
The web server layer is infrastructure. Infrastructure gets forgotten until it fails.
The Network Layer Response
Here is what your network security stack should be doing right now, regardless of your patch status.
A properly configured next-generation firewall with application-layer inspection can identify and block malformed HTTP/2 requests that match the HTTP/2 Bomb pattern — even on servers that have not yet been patched. Fortinet, Cisco, and SonicWall all published detection signatures within 48 hours of the HTTP/2 Bomb disclosure. Organizations with active threat subscriptions on enterprise firewalls have a partial mitigation layer in place while vendor patches are still pending.
A Web Application Firewall configured to enforce hard limits on HTTP/2 header counts provides an additional blocking layer between the attacker and your web servers.
Neither of these replaces patching. But in the window between disclosure and patch availability — the window that currently affects every Microsoft IIS deployment on the planet — network-layer controls are the difference between exposure and partial protection.
This is why hardware procurement decisions made months ago matter today. A FortiGate or Cisco Firepower with an expired threat subscription cannot receive the HTTP/2 Bomb detection signatures. A device purchased through grey market channels may be running firmware that cannot be updated through official channels at all.
At Jazz Cyber Shield, we carry authorized Fortinet, Cisco, SonicWall, and WatchGuard hardware — all with valid manufacturer licensing and active threat subscription support. Every device receives the signatures that matter when something like HTTP/2 Bomb lands on a Wednesday morning with no IIS patch in sight.
The Wednesday Morning Question
On the morning of June 3, 2026, every organization running a default nginx, Apache, IIS, Envoy, or Pingora installation woke up to a new reality: a single attacker with a home internet connection could take their web infrastructure offline in under a minute.
Most of them did not know.
The ones who found out fastest — the ones with security monitoring, threat intelligence feeds, and active network detection — had hours to respond before the first exploitation attempts began showing up in server logs.
The ones still running on outdated hardware with expired threat subscriptions are finding out now.
HTTP/2 Bomb was published June 3, 2026. nginx has a patch available today. Apache requires a manual module update. Microsoft IIS still has no fix.
Check your web server versions. Apply available patches. Disable HTTP/2 on IIS until Microsoft ships a fix.
And then ask yourself when your network hardware last received a threat signature update.
Because Codex found this one. The next AI may not publish a disclosure first.
For enterprise network hardware with valid manufacturer licensing and active threat subscriptions — Fortinet, Cisco, SonicWall, WatchGuard — visit Jazz Cyber Shield. USA-based authorized reseller, fast nationwide shipping.