oss-sec mailing list archives
Re: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 4 Jun 2026 16:34:04 -0700
On 6/2/26 19:36, Alan Coopersmith wrote:
https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb says:The fix commits above are public and disclose the vectors directly; any capable AI model can turn those diffs into a working exploit, which is exactly how we found that Microsoft IIS, Envoy, and Pingora are also vulnerable. We've notified their maintainers. Given how short the commit-to-exploit path now is, we're releasing this writeup to provide users with the mitigations below.
Additional patches have since been released by envoy & h2o. Posts on twitter by @calif_io continue to discuss whether other packages are vulnerable or not. https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 says:
HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
phlax published GHSA-22m2-hvr2-xqc8 Jun 3, 2026
Package: github.com/envoyproxy/envoy
Affected versions: <1.39
Patched versions: 1.35.11 1.36.7 1.37.3 1.38.1
Summary
-------
A vulnerability in Envoy's HTTP/2 downstream request processing allows an
unauthenticated remote client to trigger excessive memory consumption,
potentially resulting in OOM termination of the Envoy process and denial
of service.
The issue arises from the combination of two behaviors:
1. Cookie header bytes are not fully accounted for during request header size
validation in Envoy.
2. HPACK header block limits in oghttp2/quiche are enforced on encoded bytes
without a corresponding limit on total decoded header size.
Together, these behaviors allow a malicious client to cause large decoded header
allocations while bypassing the intended request header size protections.
Affected Components
-------------------
* Envoy HTTP/2 downstream request processing
* Cookie header size accounting during header validation
* HPACK header block size enforcement in oghttp2/quiche
Details
-------
During HTTP/2 request processing, cookie header fragments are buffered
separately and merged only after request header size validation has completed.
Because these buffered cookie bytes are not fully included in the effective
header size check, oversized cookie data can bypass max_request_headers_kb
enforcement.
Separately, oghttp2/quiche enforces header block limits on encoded HPACK bytes
rather than on the fully decoded header size. A malicious client can exploit
this asymmetry by using dynamic table references to keep the encoded
representation relatively small while causing the decoded cookie header value
to become much larger in memory.
When these behaviors are combined, a client can force Envoy to retain large
per-stream allocations. Under sustained concurrency, this can rapidly increase
process memory usage and lead to OOM termination.
Flow-control stalling can further increase the effectiveness of the attack by
prolonging stream lifetime and delaying reclamation of per-stream memory.
Impact
------
An unauthenticated remote attacker can cause denial of service by exhausting
memory in the Envoy process.
In testing against envoyproxy/envoy-google-vrp-dev:latest (v1.36.0-dev), the
Envoy edge process was OOM-killed under a 3 GiB memory limit within a few
seconds using a limited number of HTTP/2 connections and streams.
Additional testing showed that the attack remained effective with significantly
fewer connections and streams than initially required, indicating that
exploitation can be efficient even under tighter attacker-side resource
constraints.
A secondary operational effect observed during testing was that oversized
decoded cookies forwarded upstream could exceed the upstream service's own
header limits, potentially causing upstream HTTP/2 connection resets and
transient request failures.
Attack Vector
-------------
A malicious downstream HTTP/2 client sends specially crafted cookie headers
that combine:
* incomplete cookie-size accounting during request validation; and
* HPACK decoded-size amplification via small encoded representations.
The impact can be amplified further by using HTTP/2 flow-control behavior
to extend stream lifetime and delay memory reclamation.
Patches
-------
A complete fix requires addressing both contributing issues:
* include buffered cookie bytes in request header size accounting before
request acceptance; and
* enforce limits on decoded header size, not only on encoded HPACK block size.
Fixing only one side may reduce exploitability but does not fully address the
underlying issue.
Workarounds
-----------
No complete workaround is known short of applying a fix.
Possible temporary mitigations include:
* disabling downstream HTTP/2 where operationally feasible;
* enforcing stricter request header and cookie limits before traffic
reaches Envoy; and
* monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
Detection
---------
Potential indicators of exploitation include:
* rapid or sustained abnormal memory growth in the Envoy process;
* OOM termination, including exit status 137 in containerized environments; and
* unusual HTTP/2 traffic patterns involving repeated indexed cookie references.
Credits
-------
Credit: Ryoga Yamashita.
Severity: High, 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-47774
https://github.com/h2o/h2o/security/advisories/GHSA-qcrr-wrhc-pgq9 says:
HTTP/2 state amplification kazuho published GHSA-qcrr-wrhc-pgq9 Jun 3, 2026 Package: h2o Affected versions: commits up to 8dc37cb Patched versions: 9265bdd and above Impact ------ Recently, an attack against HTTP/2 servers was published that combines state amplification caused by HPACK decompression with Slowloris-style stream stalling: https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb. H2O reduces HPACK state amplification by representing HTTP header names and values internally as references where possible. However, in light of this attack, additional limits may be needed, depending on the configuration, to bound decoded header state and prevent amplified state from being retained by stalled HTTP/2 streams. Patches ------- Mitigations were added in #3597 and landed on master as 9265bdd: https://github.com/h2o/h2o/pull/3597 https://github.com/h2o/h2o/commit/9265bdd9a996ed992681055e3996baf3e09d2063 References ---------- https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb Severity: High, 7.5 / 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE ID: No known CVE
--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
Current thread:
- HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora Alan Coopersmith (Jun 02)
- Re: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora Alan Coopersmith (Jun 04)
