CISOOnline

HTTP/2’s speed abused to slow webserver performance in DoS attack

HTTP/2 was introduced in 2015 to increase the speed of HTTP by allowing multiple simultaneous connections, and is gradually being superseded by HTTP/3, which is built on the new QUIC encrypted transport protocol. The problem uncovered by Calif lies in how affected servers handle HTTP/2 header compression and request processing, allowing an attacker to trigger disproportionate memory consumption.

“The attack chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold,” Calif CEO Thai Duong said in a blog post, calling the technique HTTP/2 Bomb. A search of Shodan revealed 880,000+ websites supporting HTTP/2 and running one of these servers, although many of these websites use a Content Delivery Network (CDN), which may add some complexity to the attack, he said.

Weaponizing a compression feature for DoS

The issue, tracked as CVE-2026-49975, involves HPACK, the header compression mechanism built into HTTP/2. Calif found that attackers can abuse the protocol’s dynamic header table in a way that forces servers to repeatedly allocate memory far beyond what would normally be expected from the size of incoming requests.

A relatively small amount of attacker-controlled traffic can trigger excessive memory allocations on the target server, Duong said.
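To see why the decoder's table-size limit is the memory ceiling HPACK is meant to enforce, here is an added example (not from the article or from Calif) that models the RFC 7541 dynamic header table: per-entry cost, eviction of the oldest entries, the rule that an oversized entry empties the table, and the rule that a size update may never exceed the decoder's advertised SETTINGS_HEADER_TABLE_SIZE. The names HpackDynamicTable and peak_table_bytes and the sample header fields are constructed for this example.

```python
# Added example, not the article's or Calif's code: a minimal model of the HPACK
# dynamic table (RFC 7541 section 4) showing how a decoder bounds the memory
# that peer-supplied header fields can occupy.

ENTRY_OVERHEAD = 32  # RFC 7541 s4.1: entry size = len(name) + len(value) + 32


class HpackDynamicTable:
    """Bounded FIFO of (name, value) entries; index 0 is the newest entry."""

    def __init__(self, max_size: int = 4096):
        self.max_size = max_size  # the decoder's SETTINGS_HEADER_TABLE_SIZE
        self.entries: list[tuple[bytes, bytes]] = []
        self.size = 0

    @staticmethod
    def entry_size(name: bytes, value: bytes) -> int:
        return len(name) + len(value) + ENTRY_OVERHEAD

    def _evict_until(self, budget: int) -> int:
        """Drop oldest entries until the table fits in budget; return count."""
        evicted = 0
        while self.entries and self.size > budget:
            name, value = self.entries.pop()  # oldest entry sits at the end
            self.size -= self.entry_size(name, value)
            evicted += 1
        return evicted

    def add(self, name: bytes, value: bytes) -> int:
        """Insert one entry (RFC 7541 s4.4); return how many were evicted."""
        needed = self.entry_size(name, value)
        if needed > self.max_size:
            # An entry larger than the whole table is not stored; it empties it.
            evicted = len(self.entries)
            self.entries.clear()
            self.size = 0
            return evicted
        evicted = self._evict_until(self.max_size - needed)
        self.entries.insert(0, (name, value))
        self.size += needed
        return evicted

    def resize(self, new_max: int, settings_limit: int) -> None:
        """Apply a dynamic table size update; it may never exceed the decoder's limit."""
        if new_max > settings_limit:
            raise ValueError("table size update exceeds SETTINGS_HEADER_TABLE_SIZE")
        self.max_size = new_max
        self._evict_until(new_max)


def peak_table_bytes(max_size: int, fields) -> int:
    """Feed constructed header fields through a table; report the peak size reached."""
    table = HpackDynamicTable(max_size)
    peak = 0
    for name, value in fields:
        table.add(name, value)
        peak = max(peak, table.size)
    return peak
```

The point for a defender is that, with correct accounting, a flood of large header fields can never push the table past the advertised limit; memory growth beyond that limit indicates the implementation is allocating outside this bound.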
