http2 security
About this tag
The http2 security tag on WindowsForum covers denial-of-service threats and vulnerabilities in HTTP/2 implementations, with a focus on Microsoft IIS and Go-based servers. Recent discussions include the HTTP/2 Bomb, an AI-assisted memory exhaustion attack affecting IIS, nginx, Apache, and other major web servers, highlighting that HTTP/2 deployments remain a risk despite years of production use. Another thread covers a nil-pointer crash vulnerability in Go's x/net HTTP/2 library triggered by specific frame types, causing server crashes. These threads emphasize that HTTP/2 security is not a solved problem and requires ongoing attention from administrators and developers to mitigate DoS risks.
On June 3, 2026, researchers at Calif disclosed “HTTP/2 Bomb,” a denial-of-service technique reportedly found with OpenAI Codex that can exhaust memory on default HTTP/2 deployments of nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The uncomfortable lesson is not that AI...
A newly disclosed vulnerability in the golang.org/x/net HTTP/2 implementation can be triggered by sending a narrow range of HTTP/2 frame types (0x0a–0x0f), causing a nil-pointer panic that crashes servers using affected module versions — a denial-of-service vector that is easy to trigger from...