HTTP/2 Bomb — OpenAI Codex Chains Decade-Old DoS Into Web Server Crash

AI relevance: OpenAI's Codex coding agent autonomously chained two known HTTP/2 denial-of-service techniques into a novel attack — demonstrating how AI agents can accelerate vulnerability discovery and weaponize old bugs in ways that require rethinking web server hardening for AI-facing infrastructure.

Key findings

  • Researcher Quang Luong (Calif) used OpenAI's Codex agent to chain an HPACK compression bomb (CVE-2016-6581) with a Slowloris-style connection hold into a combined exploit named "HTTP/2 Bomb."
  • Against Apache httpd and Envoy, a single client on a 100 Mbps connection can consume and hold 32 GB of server memory in roughly 20 seconds.
  • A home computer on a 100 Mbps connection can render a vulnerable server inaccessible within seconds.
  • Shodan estimates roughly 880,000 websites running vulnerable HTTP/2 servers may be affected.
  • nginx patched the issue within one day of disclosure (v1.29.8, importing the max_headers directive from freenginx).
  • Apache issued mod_http2 v2.0.41 the same day as the report and assigned CVE-2026-49975.
  • As of the latest reports, Microsoft IIS and Cloudflare Pingora remain unpatched — though Cloudflare says its DDoS mitigations already protect customers.
  • The fix commits are public; the Calif team notes that "any capable AI model can turn those diffs into a working exploit" — which is exactly how they found IIS, Envoy, and Pingora were also vulnerable.
  • Envoy has published patches that appear to mitigate the attack; validation is ongoing.
  • Full technical details will be presented at the Real World AI Security conference at Stanford later this month.

Why it matters

This is a notable case of an AI coding agent not just assisting in security research, but autonomously chaining known techniques into a novel exploit — then using publicly available fix diffs to find the same vulnerability across additional vendors. The implication for AI-facing infrastructure is direct: AI model serving stacks (vLLM, Triton, API gateways) that expose HTTP/2 endpoints without header limits are vulnerable to the same attack. The discovery pipeline itself — agent finds exploit → agent reads patch → agent finds same pattern elsewhere — raises questions about how AI-assisted vulnerability research changes the timeline between disclosure and weaponization.

What to do

  • Update nginx to 1.29.8+ and Apache mod_http2 to 2.0.41+.
  • For Microsoft IIS and Cloudflare Pingora, disable HTTP/2 where possible or enforce a cap on the number of HTTP headers a client can send per request.
  • Audit AI model serving infrastructure (vLLM, Triton Inference Server, API gateways) for HTTP/2 header limits.
  • Monitor for Envoy patch validation updates.