Codex Chained Two Decade-Old Bugs Into a Working HTTP/2 Bomb

5 min read Multiple sources

On June 2, security firm Calif disclosed HTTP/2 Bomb, a remote denial-of-service exploit against the default HTTP/2 setup on nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora — roughly 880,000 public-facing servers by a Shodan sweep. A single attacker on a home internet connection can pin 32 GB of Envoy memory in about ten seconds, and do the same to Apache in eighteen. The exploit was put together by OpenAI's Codex, an AI coding agent, chaining two techniques the security community has known about for a decade.

Four terminal windows showing Apache httpd, Envoy, nginx, and Microsoft IIS each having their memory drained by HTTP/2 Bomb, played at 2× speed.
Source: Calif

The chain

Both halves of the attack are old. HPACK is HTTP/2's header compression scheme, defined in RFC 7541: each side keeps a small "dynamic table" of recent headers, and a 1-byte index can refer to any of them. Cory Benfield's 2016 "HPACK Bomb" (CVE-2016-6581) abused that by stuffing one fat header into the table and then referring to it thousands of times, blowing up server memory. Servers responded by capping the total decoded header size.

Calif's bomb flips that around. It seeds the table with a near-empty header, then emits thousands of single-byte references to it. The decoded payload stays small, so the size limit never fires, but each reference triggers a fresh per-entry allocation in the server's bookkeeping. One byte on the wire turns into anywhere from 70 to 4,000 bytes in RAM, depending on the server.

Then comes the hold. HTTP/2 lets the receiver advertise a flow-control window, telling the sender how many response bytes it can ship. The exploit advertises a zero-byte window so the server can never finish replying, then drips 1-byte WINDOW_UPDATE frames every few seconds to keep the connection from timing out. Every byte the bomb allocated stays pinned.

Apache httpd and Envoy got an extra amplifier from cookies. RFC 9113 §8.2.3 lets a client split a Cookie header into one field per "crumb" (one name/value pair), and neither server counted those crumbs against its header-field limit. Envoy buffers each crumb; Apache rebuilds the full merged cookie on every crumb and leaves every prior copy live until the stream closes. Measured amplification ratios: ~5,700:1 on Envoy 1.37.2, ~4,000:1 on Apache httpd 2.4.67, ~70:1 on nginx 1.29.7, ~68:1 on IIS atop Windows Server 2025.

Single Envoy server terminal showing its memory and process count climbing under HTTP/2 Bomb attack.
Source: Calif

Why it matters

Codex didn't invent either half. It read the source for all four targets, recognized that the two techniques composed, and wrote the working chain. The Calif author, Thai Duong, helped break HTTP header compression in 2012 with the CRIME attack and was asked to review HPACK as the fix. In his postscript on the disclosure he says he reread his old review notes and never once considered this bomb.

That's the real story under the buzz: two public CVE families, sitting on top of each other in a spec that warns about both, that nobody composed for fourteen years until an AI agent did. Calif notes that once the nginx and Apache fix commits went public, any capable model could reconstruct the exploit from the diffs, which is how the team confirmed IIS, Envoy, and Pingora were vulnerable too.

Patching is uneven. nginx shipped a max_headers directive (default cap: 1,000) in 1.29.8 back in April. Apache fixed it the same day Calif disclosed on May 27 with a same-day commit by Stefan Eissing, assigned CVE-2026-49975; the patch is in mod_http2 v2.0.41 but not yet in a 2.4.x release. Envoy started rolling out fixes on June 3 with validation ongoing. Microsoft IIS and Cloudflare Pingora have no patch at the time of writing; Calif's guidance for those is to turn HTTP/2 off or front the server with something that enforces a hard per-request header count.

What to watch

The next signals are concrete. Envoy's fix needs to clear validation and land in a tagged release. Microsoft and Cloudflare both have to respond publicly: Pingora terminates traffic for a meaningful slice of the open web, and even a 70:1 amplifier hurts at that scale. Quang Luong, who drove the discovery, is scheduled to present the techniques at Stanford's Real World AI Security conference later this month, which should clarify how Codex was prompted and how reproducible the workflow is. The more interesting test is whether the next disclosure of this shape, found by the same kind of cross-codebase agent review, lands inside weeks or months.


Sources

kaleido.news — global tech, without language barriers.