http2 security

About this tag
The http2 security tag on WindowsForum covers denial-of-service threats and vulnerabilities in HTTP/2 implementations, with a focus on Microsoft IIS and Go-based servers. Recent discussions include the HTTP/2 Bomb, an AI-assisted memory exhaustion attack affecting IIS, nginx, Apache, and other major web servers, highlighting that HTTP/2 deployments remain a risk despite years of production use. Another thread covers a nil-pointer crash vulnerability in Go's x/net HTTP/2 library triggered by specific frame types, causing server crashes. These threads emphasize that HTTP/2 security is not a solved problem and requires ongoing attention from administrators and developers to mitigate DoS risks.
  1. HTTP/2 Bomb DoS: AI-Assisted Memory Exhaustion Threat to IIS and Major Web Servers
     On June 3, 2026, researchers at Calif disclosed “HTTP/2 Bomb,” a denial-of-service technique reportedly found with OpenAI Codex that can exhaust memory on default HTTP/2 deployments of nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The uncomfortable lesson is not that AI...
  2. Go HTTP/2 x/net vulnerability: nil pointer crash from 0x0a–0x0f frames
     A newly disclosed vulnerability in the golang.org/x/net HTTP/2 implementation can be triggered by sending a narrow range of HTTP/2 frame types (0x0a–0x0f), causing a nil-pointer panic that crashes servers using affected module versions — a denial-of-service vector that is easy to trigger from...