http/2 bomb vulnerability

The HTTP/2 Bomb: How a Zero-Byte Window Melts NGINX, Apache, and Envoy

Protect your web servers from the HTTP/2 Bomb vulnerability. Learn how a chained HPACK and Slowloris attack consumes 32GB of RAM and how to mitigate it.

William OGOU • Jun 4, 2026 • 8 min read

http/2 bomb vulnerability

The HTTP/2 Bomb: How a Zero-Byte Window Melts NGINX, Apache, and Envoy

Your Privacy Matters