Cybersecurity News

'HTTP/2 Bomb' (CVE-2026-49975) Can Crash Your Website From One Laptop — IIS Still Unpatched

York Computer

On June 3, researchers at security firm Calif disclosed a remote denial-of-service exploit they're calling the 'HTTP/2 Bomb' (CVE-2026-49975) that can take down a web server from a single home internet connection — no botnet, no password, no warning. It affects the default HTTP/2 configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora, which together power a huge slice of the public internet. If your small business runs a website, an e-commerce store, a customer portal, or a self-hosted app on any of these platforms, your site can be knocked offline in under a minute by one attacker.

What the HTTP/2 Bomb actually does

The exploit chains two old tricks into one new attack. The 'bomb' targets HPACK, HTTP/2's header compression scheme: a single byte on the wire expands into a full header allocation on the server, and one request can carry thousands of such bytes. The 'hold' is a flow-control window advertised as zero bytes, which stops the server from ever draining and freeing what it has allocated. The result is brutal: a home computer on a 100 Mbps connection can render a vulnerable server inaccessible within seconds, and against Apache httpd and Envoy a single client can consume and hold 32GB of server memory in roughly 20 seconds.

This isn't a theoretical risk: over 880,000 public-facing servers running nginx, Apache httpd, Microsoft IIS, Envoy proxy, or Cloudflare Pingora were confirmed exposed in a Shodan scan. The proof-of-concept code released with the research lowers the technical bar for adversaries who want to weaponize the technique, moving the threat from theoretical to operational without requiring any independent vulnerability research.

Patch status: NGINX is fixed, Apache is partial, IIS is exposed

The fix situation is uneven, which is why this matters right now:

NGINX: upgrade to 1.29.8 or later, which adds the max_headers directive with a default of 1000. If upgrading is not an option, disable HTTP/2 with 'http2 off;'.

Apache HTTPD: fixed in mod_http2 v2.0.41. If upgrading the module is not an option, set 'Protocols http/1.1' to disable HTTP/2.

Microsoft IIS, Envoy, and Cloudflare Pingora: no patch available as of writing.

There's a nasty wrinkle on Apache: the fix exists in the standalone mod_http2 module but has not been bundled into any released Apache httpd version. This is the largest patch gap at time of publication. A standard 'apt upgrade apache2' or 'yum update httpd' will not deliver it. Applying the fix requires manually installing the updated mod_http2 module from Apache's module releases. Until a bundled httpd release ships the fix, Apache deployments should be treated as effectively unpatched.

For Windows-based small businesses running IIS (common for line-of-business web apps and accounting portals), the picture is worse: IIS shows roughly 68:1 amplification, Microsoft had no patch at time of publication, and no CVE has been assigned to the IIS variant. The available partial mitigations are rate limiting at the connection level and monitoring for connections that keep advertising a zero-size flow-control window.
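As an added example that is not from the article or from Microsoft, the detection half of that mitigation can be written as a small Python check over periodic per-connection samples. The Snapshot fields (advertised window, header fields held) are a hypothetical telemetry shape; populate them from whatever your platform's connection counters or a packet capture can supply. A connection is flagged only when its window stays at zero for a sustained period while the server is holding a large number of header fields, because a brief zero window is normal for a slow but legitimate client; source addresses with more than one such connection are then listed as candidates for connection-level rate limiting. All sample values are constructed.

```python
"""Added example (not from the article or any vendor): flag HTTP/2 connections
that hold a zero flow-control window for a sustained time while the server is
holding many decoded header fields, then pick sources worth rate limiting.
The Snapshot layout is a hypothetical telemetry shape; all samples are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    ts: float           # seconds since the start of the sampling period
    conn_id: str
    client_ip: str
    window: int         # flow-control window the client currently advertises, in bytes
    headers_held: int   # decoded header fields the server is holding for this connection


def find_stalls(snapshots: Iterable[Snapshot], min_seconds: float = 10.0,
                min_headers: int = 1000) -> Dict[str, Tuple[str, float, int]]:
    """Return {conn_id: (client_ip, longest_zero_window_run_seconds, peak_headers_held)}
    for connections whose window stayed at zero for at least min_seconds while
    holding at least min_headers header fields during that run."""
    by_conn: Dict[str, list] = defaultdict(list)
    for snap in sorted(snapshots, key=lambda s: s.ts):
        by_conn[snap.conn_id].append(snap)

    stalled: Dict[str, Tuple[str, float, int]] = {}
    for conn_id, samples in by_conn.items():
        run_start = None      # ts at which the current zero-window run began
        longest = 0.0         # longest zero-window run seen on this connection
        peak_headers = 0      # most header fields held during a zero-window run
        for snap in samples:
            if snap.window == 0:
                if run_start is None:
                    run_start = snap.ts
                longest = max(longest, snap.ts - run_start)
                peak_headers = max(peak_headers, snap.headers_held)
            else:
                run_start = None   # window opened again: a legitimate slow reader, not a hold
        if longest >= min_seconds and peak_headers >= min_headers:
            stalled[conn_id] = (samples[0].client_ip, longest, peak_headers)
    return stalled


def sources_to_throttle(stalled: Dict[str, Tuple[str, float, int]],
                        max_stalled_per_ip: int = 1) -> Set[str]:
    """Source addresses with more stalled connections than the allowed maximum."""
    per_ip: Dict[str, int] = defaultdict(int)
    for client_ip, _seconds, _headers in stalled.values():
        per_ip[client_ip] += 1
    return {ip for ip, count in per_ip.items() if count > max_stalled_per_ip}


# Constructed samples taken every 5 seconds (addresses are documentation ranges, not real clients).
SAMPLE = [
    # c1: zero window for the whole 20 s while the server holds 4000 header fields
    Snapshot(0, "c1", "203.0.113.7", 0, 4000),
    Snapshot(5, "c1", "203.0.113.7", 0, 4000),
    Snapshot(10, "c1", "203.0.113.7", 0, 4000),
    Snapshot(15, "c1", "203.0.113.7", 0, 4000),
    Snapshot(20, "c1", "203.0.113.7", 0, 4000),
    # c2: ordinary client whose window briefly drops to zero and recovers
    Snapshot(0, "c2", "198.51.100.20", 65535, 12),
    Snapshot(5, "c2", "198.51.100.20", 0, 12),
    Snapshot(10, "c2", "198.51.100.20", 65535, 12),
    Snapshot(15, "c2", "198.51.100.20", 65535, 12),
    # c3: second stalled connection from the same source as c1
    Snapshot(10, "c3", "203.0.113.7", 0, 2500),
    Snapshot(15, "c3", "203.0.113.7", 0, 2500),
    Snapshot(20, "c3", "203.0.113.7", 0, 2500),
    Snapshot(25, "c3", "203.0.113.7", 0, 2500),
    # c4: many headers but an open window, so not a hold
    Snapshot(0, "c4", "192.0.2.9", 65535, 3000),
    Snapshot(10, "c4", "192.0.2.9", 65535, 3000),
]

if __name__ == "__main__":
    stalls = find_stalls(SAMPLE)
    for conn_id, (ip, seconds, headers) in stalls.items():
        print(f"{conn_id}: {ip} zero window for {seconds:.0f}s holding {headers} header fields")
    print("throttle:", sorted(sources_to_throttle(stalls)))
```

The two thresholds are the knobs to tune per site: min_seconds should exceed the longest zero-window pause your real clients produce under load, and min_headers should sit well above the header count of your largest legitimate request, so that the check catches the hold described above without touching slow mobile users.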

Why this matters for a small business

If your website goes down, your phone stops ringing, your online orders stop, and your customers lose trust — sometimes permanently. Until today, taking down a web server required resources: a botnet, thousands of compromised machines, and coordinated high-volume traffic. A vulnerability disclosed today changes that equation. The HTTP/2 Bomb lets a single attacker exhaust the memory of nginx, Apache, and IIS servers from one connection until they crash or stop responding. No botnet. No high bandwidth. No authentication required. For hosting providers, the business implication is direct: one malicious customer, or one external attacker, can take down a shared server and every site running on it.

There's also a bigger trend lurking inside this story. The exploit, which pairs a compression bomb aimed at HTTP/2's header compression scheme with a Slowloris-style hold that prevents the server from freeing memory, was discovered using OpenAI's Codex. What Codex did was read the codebases, recognize that the two compose, and build the combined attack, a combination that is obvious once you see it and yet, as far as Calif can tell, one no human had put together against these servers. AI tools are now finding and weaponizing bugs faster than vendors can ship patches, which is exactly why a proactive provider matters more than a reactive one. We use the same kind of AI tooling defensively as part of York Computer's AI automations work, automating patch checks and ticket triage so nothing slips.

What your managed IT provider should be doing this week

A competent MSP shouldn't wait for a customer to call about a slow website. By the end of this week, your provider should have done the following:

1. Inventoried every public-facing web server you own or rely on — your website, customer portal, scheduling tool, online store, VPN appliance, or any device with a web admin page exposed to the internet — and confirmed whether HTTP/2 is enabled.

2. Pushed NGINX up to 1.29.8 or later anywhere it runs, including inside virtual appliances and containers.

3. Identified Apache HTTPD instances and either applied the standalone mod_http2 v2.0.41 fix or disabled HTTP/2 with 'Protocols http/1.1' as a temporary measure.

4. For Microsoft IIS servers, applied connection-level rate limiting and monitoring for the zero-window stall pattern until Microsoft ships a fix — or fronted IIS with a patched reverse proxy.

5. Confirmed that web hosting providers and CDN vendors handling your traffic have a remediation plan and timeline.
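As an added example (not the article's code and not from any of the vendors it names), here is a small Python script that covers the inventory and triage steps above in one pass: it checks whether a host negotiates HTTP/2 over TLS via ALPN, reads the Server header over plain HTTP/1.1, and maps the product and version to the action given earlier. The nginx 1.29.8 and mod_http2 2.0.41 thresholds are the article's; the hostnames and Server values in the sample records are constructed. A 'h2-not-negotiated' result only says TLS clients are not offered HTTP/2 on that port; cleartext h2c and non-standard ports still need a manual check.

```python
"""Added example, not code from the article or from any vendor it names.
Automates the inventory step: does each public host negotiate HTTP/2 over TLS,
and what does the article say to do for that product/version?
Version thresholds are the article's; sample records are constructed data."""
import http.client
import re
import socket
import ssl
from typing import Dict, Iterable, Optional, Tuple

NGINX_FIXED = (1, 29, 8)           # first nginx release with the max_headers directive (per the article)
APACHE_FIXED_MOD_HTTP2 = "2.0.41"  # fix is in the standalone module, not in any httpd release yet


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from a Server header such as 'nginx/1.24.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def recommend(server_header: str, alpn: Optional[str]) -> Tuple[str, str]:
    """Classify one host as (status, action).

    alpn is what the server selected when offered ["h2", "http/1.1"]:
    'h2', 'http/1.1', or None if the server did not use ALPN at all."""
    if alpn != "h2":
        return ("h2-not-negotiated",
                "HTTP/2 not negotiated over TLS; confirm cleartext h2c is also off")
    product = server_header.split("/", 1)[0].strip().lower()
    version = parse_version(server_header)
    if product == "nginx":
        if version is not None and version >= NGINX_FIXED:
            return ("patched", "nginx 1.29.8+ ships max_headers (default 1000); verify it was not raised")
        return ("upgrade-or-disable", "upgrade nginx to 1.29.8+ or set 'http2 off;' until you can")
    if product == "apache":
        # httpd reports its own version, not mod_http2's, so the header cannot prove the fix is in.
        return ("manual-module-or-disable",
                f"install mod_http2 {APACHE_FIXED_MOD_HTTP2} from Apache's module releases "
                "(distro packages do not carry it) or set 'Protocols http/1.1'")
    if product.startswith("microsoft-iis") or product == "envoy":
        return ("mitigate-only",
                "no vendor patch yet: connection-level rate limiting, monitor zero-window stalls, "
                "or front with a patched reverse proxy")
    return ("unknown", "product not recognised from Server header; check vendor status by hand")


def probe_alpn(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Live check: which protocol does the server pick when offered h2 and http/1.1?"""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def fetch_server_header(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check over HTTP/1.1 (http.client does not offer h2, so this always gets a 1.1 reply)."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "") or ""
    finally:
        conn.close()


def assess(records: Iterable[Tuple[str, str, Optional[str]]]) -> Dict[str, Tuple[str, str]]:
    """records: (name, server_header, alpn) triples, e.g. from the two probes above."""
    return {name: recommend(header, alpn) for name, header, alpn in records}


# Constructed sample inventory (not real hosts). For a live run, build each record as
# (host, fetch_server_header(host), probe_alpn(host)).
SAMPLE = [
    ("shop.example", "nginx/1.24.0", "h2"),
    ("edge.example", "nginx/1.29.8", "h2"),
    ("portal.example", "Apache/2.4.58 (Ubuntu)", "h2"),
    ("erp.example", "Microsoft-IIS/10.0", "h2"),
    ("legacy.example", "Apache/2.4.58 (Ubuntu)", "http/1.1"),
]

if __name__ == "__main__":
    for name, (status, action) in assess(SAMPLE).items():
        print(f"{name:16} {status:26} {action}")
```

Two caveats when using it for real: a Server header can be suppressed or rewritten, so treat 'unknown' as "go look", not "safe"; and for Apache the script can only ever say "manual module install or disable", because the httpd version string does not reveal which mod_http2 build is loaded.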

If you don't know what HTTP/2 is, that's fine — your provider should. Patch management, vulnerability monitoring, and emergency mitigation for newly disclosed flaws are the bread and butter of our managed IT services lineup, and an exploit like this is exactly the scenario a real MSP earns its keep on.

What York businesses should do

York County businesses running e-commerce sites, customer portals, or self-hosted apps on Windows Server / IIS are the most exposed right now because Microsoft hasn't shipped a fix yet. If you're not sure whether your web server is patched, call York Computer this week — a five-minute check beats a multi-day outage during summer sales season.


Worried whether your business is exposed to this? Talk to York Computer.
