Codex Discovered a Hidden HTTP/2 Bomb

Vulnerability Disclosure, Security Research(blog.calif.io)view on HackerNews

HTTP/2HPACKSlowlorisdenial-of-servicevulnerabilityexploitweb serverssecurity research

Author: Yenrabbit

Date: 6/2/2026

Article Summary:

A remote denial-of-service exploit against major web servers, including nginx, Apache httpd, Microsoft IIS, and Envoy, has been discovered, leveraging a combination of HPACK header compression and Slowloris-style hold to consume server memory.