HTTP/2 Bomb 漏洞
针对 HTTP/2 服务器的远程拒绝服务攻击,结合了 HPACK 索引引用炸弹和流量控制窗口阻塞。网络传输的一个字节会在服务器上占用一个完整的头部空间,每个请求重复数千次,而零字节的 INITIAL_WINDOW_SIZE 则阻止服务器释放任何占用的空间。
目前 nginx 和 Apache 已修复该漏洞,记得更新;其余暂未修复。

Related Links
https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
https://github.com/califio/publications/tree/main/MADBugs/http2-bomb
blog.calif.io
Codex Discovered a Hidden HTTP/2 Bomb
Codex Discovered a Hidden HTTP/2 Bomb
14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle: today we're releasing an attack I missed.
 
 
Back to Top