
OpenAI’s Codex just found a way to knock almost any HTTP/2-enabled web server offline using a regular home internet connection — and it affects nginx, Apache HTTPD, Windows IIS, and Envoy simultaneously. The vulnerability is tracked as CVE-2026-49160 on Windows and CVE-2026-49975 elsewhere. It landed in Microsoft’s largest Patch Tuesday ever — 206 CVEs patched in a single release. Patches are available now. This one needs to move to the top of your queue.
How Two Old Tricks Became One Very Bad Day
The HTTP/2 Bomb is not a new class of bug — it is a combination of two HTTP/2 protocol behaviors that researchers have known about separately for years. Quang Luong at offensive security firm Calif was working with OpenAI’s Codex when the model read through server codebases and recognized that the two techniques compose into a devastating attack. As Luong put it in the Calif disclosure post: “That combination is obvious once you see it, and yet as far as we can tell no human had put it together against these servers.”
Here is how it works. HTTP/2 uses HPACK to compress request headers. The exploit sends a crafted request that triggers thousands of per-entry memory allocations on the server — the decoded content is nearly nothing, so the decoded-size limits do not fire, but the server allocates bookkeeping overhead for every entry anyway. That is the compression bomb half. The second half is a flow-control hold: the attacker sets their receive window to zero bytes, signaling the server to pause sending. The server has already allocated the memory and now it cannot free it. RAM just sits there, growing, until the process crashes or the machine falls over.
In Calif’s lab tests, a vulnerable IIS server exhausted 64 GB of RAM in approximately 45 seconds. Red Hat’s analysis showed 32 GB gone in 10 seconds on a vulnerable Envoy deployment. A 100 Mbps residential connection is sufficient to execute this. A Shodan scan found over 880,000 public-facing servers exposed.
Who Is Affected
| Server | CVE | Status | Fix |
|---|---|---|---|
| nginx | CVE-2026-49975 | Patched | Upgrade to 1.29.8+ (adds max_headers directive) |
| Apache HTTPD | CVE-2026-49975 | Patched | mod_http2 v2.0.41+ |
| Windows IIS / HTTP.sys | CVE-2026-49160 | Patched | June 2026 Patch Tuesday (KB5102602) |
| Envoy | CVE-2026-47774 | Patched | 1.35.11, 1.36.7, 1.37.3, or 1.38.1 |
| Cloudflare Pingora | — | Safe | No action — DDoS mitigations auto-detect the attack |
| HAProxy | — | Safe | Architecturally protected; optional config hardening available |
How to Patch or Mitigate
The fastest path is to upgrade your server package. If you cannot upgrade immediately, disable HTTP/2 as a temporary measure.
nginx (Debian/Ubuntu):

```bash
sudo apt update && sudo apt install nginx
nginx -v   # confirm 1.29.8 or later
```

If you cannot upgrade right now, disable HTTP/2 in your nginx config:

```nginx
# Remove http2 from the listen directive
listen 443 ssl;   # was: listen 443 ssl http2;
# Configs on nginx 1.25.1+ that enable HTTP/2 with the separate "http2 on;" directive
# turn it off with "http2 off;" instead
```

Windows IIS — after applying the June Patch Tuesday update, Microsoft added a MaxHeadersCount registry key that caps HTTP/2 and HTTP/3 headers per request. Apply it via PowerShell:

```powershell
# Run from an elevated prompt; HTTP.sys reads this key when the HTTP service starts,
# so restart the service (or reboot) for the cap to take effect
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
    -Name "MaxHeadersCount" -Value 100 -Type DWord
```
Apache HTTPD: Update mod_http2 to v2.0.41 or later. On RHEL/CentOS/Fedora: dnf update httpd. On Debian/Ubuntu: apt upgrade apache2.
If you are sitting behind Cloudflare CDN, the attack is blocked at the edge — but patch your origin server anyway. A misconfigured allowlist or origin IP leak could still expose you.
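As an added example (not code from the article, Calif, or any of the vendors), a small Python checker that encodes the fixed versions from the table above and answers whether an installed nginx, mod_http2 or Envoy build is at or past its fix; the server keys, the constructed sample version strings, and the assumption that an Envoy release newer than the last listed branch carries the fix are mine.

```python
import re

# Minimum fixed versions, taken from the table in the article. Envoy shipped the fix
# per release branch, so the check must pick the threshold for the installed branch.
FIXED = {
    "nginx": ["1.29.8"],
    "apache-mod_http2": ["2.0.41"],
    "envoy": ["1.35.11", "1.36.7", "1.37.3", "1.38.1"],
}


def parse_version(text):
    """Pull the first dotted version out of strings like 'nginx version: nginx/1.29.8'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(server, version_text):
    """True when the installed version is at or above the fix for its release branch.

    Single-threshold servers (nginx, mod_http2) use a plain comparison. For Envoy the
    major.minor must match a listed branch; a branch with no listed fix (e.g. 1.34.x)
    is reported as unpatched, and a branch newer than every listed one is assumed
    (my assumption, not the article's) to include the fix.
    """
    installed = parse_version(version_text)
    thresholds = [parse_version(v) for v in FIXED[server]]
    if len(thresholds) == 1:
        return installed >= thresholds[0]
    for t in thresholds:
        if installed[:2] == t[:2]:
            return installed >= t
    return installed[:2] > max(t[:2] for t in thresholds)


if __name__ == "__main__":
    # Constructed sample inputs resembling `nginx -v` / `envoy --version` output.
    samples = [
        ("nginx", "nginx version: nginx/1.29.7"),
        ("nginx", "nginx version: nginx/1.29.8"),
        ("apache-mod_http2", "mod_http2/2.0.40"),
        ("envoy", "envoy version: 1.36.7"),
        ("envoy", "envoy version: 1.34.5"),
    ]
    for server, text in samples:
        verdict = "patched" if is_patched(server, text) else "UPGRADE"
        print(f"{server:18} {text:32} {verdict}")
```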
AI Found This Before Humans Did
The Codex/Calif discovery is an early signal of where security research is heading. The attack components were individually documented in HTTP/2 RFC discussions and prior research. Codex read the relevant codebases, recognized the composition, and produced a working exploit — before any human had published this combination. This is not magic; it is pattern recognition across a codebase at a scale and speed that humans struggle to match.
The uncomfortable implication: if Codex found this one, the same technique will find more. Complex protocols like HTTP/2 and HTTP/3 have interaction surfaces large enough that combinatorial attacks are probably underexplored. Defenders need to treat AI-assisted research as the new baseline for what attackers can do, not a future threat.
The Rest of June’s Record Patch Tuesday
While you are applying the June 2026 update, you are also getting fixes for two other public zero-days: CVE-2026-45586 (Windows CTFMON elevation of privilege — grants SYSTEM via improper link resolution) and CVE-2026-50507 (BitLocker bypass via USB/EFI files in the Windows Recovery Environment). At 206 CVEs total, this is the largest Patch Tuesday Microsoft has ever shipped. Do not let the scale be an excuse to defer it. Check the official Microsoft Security Response Center advisory for the full update list and affected Windows Server versions.
Apply the June 2026 Windows security update. Upgrade nginx to 1.29.8. Update mod_http2 on Apache. Check your Envoy version. If you run HTTP/2 on a public-facing server without a CDN in front of it, this is urgent — a single residential connection is all an attacker needs. For Linux deployments, Red Hat’s security bulletin RHSB-2026-007 covers the full patching guidance for both nginx and httpd.