A new HTTP/2 denial-of-service technique, called HTTP/2 Bomb, was publicly described by Calif on June 2, 2026. The attack abuses a combination of HTTP/2 header compression behavior and stalled response flow control to make a server allocate and hold a large amount of memory from a very small amount of network traffic. According to the research, the issue affects several major HTTP/2 implementations, including Apache httpd, nginx, Microsoft IIS, Envoy, and Cloudflare Pingora.
For Apache httpd, the vulnerable component is mod_http2. The researchers reported that Apache httpd could reach very high memory amplification under this attack pattern, because repeated HTTP/2 cookie header fragments were not counted correctly against request header limits. The public mitigation note says that the Apache-side fix is available in mod_http2 2.0.41 and later, while it was not yet part of an Apache httpd 2.4.x release at the time of publication.
The important practical detail is that you do not need to wait for a full Apache httpd package update if your distribution provides mod_http2 as a separate package. The upstream mod_http2 authors included the fix in 2.0.41, and the CodeIT repository already provides the newer mod_http2 2.0.42 package, independently of the main httpd package. The GitHub release notes for mod_http2 confirm that 2.0.41 fixed cookie header accounting against LimitRequestFields and that 2.0.42 is the release that followed.
What should administrators do?
If you use Apache httpd with HTTP/2 enabled on RHEL, AlmaLinux, Rocky Linux, Oracle Linux, CentOS, or compatible Enterprise Linux systems, update the mod_http2 package from the CodeIT repository:
dnf update mod_http2
or on older systems:
yum update mod_http2
Then reload or restart Apache httpd:
systemctl restart httpd
You can verify the installed package version with:
rpm -q mod_http2
The expected safe version in the CodeIT repository is 2.0.42 or newer.
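As an added example (not part of the CodeIT note or the mod_http2 project), the following POSIX shell snippet turns the verification step into a check that can be run across a fleet: it reduces the package string printed by rpm -q to the upstream version and compares it numerically against 2.0.41, the first fixed release named above, so a host still running 2.0.40 or older is flagged. The NVRA shape (mod_http2-2.0.42-1.el9.x86_64) and the sample strings are assumptions; the fixed version is the one stated in the text.

```shell
#!/bin/sh
# Added example: audit the installed mod_http2 version against the first
# fixed upstream release (2.0.41, per the release notes cited above).

FIXED_VERSION=2.0.41   # first mod_http2 release with the cookie header accounting fix

# rpm_version_to_upstream NVRA -> prints the upstream version part.
# Assumes the usual rpm -q output shape, e.g. mod_http2-2.0.42-1.el9.x86_64 (constructed sample).
rpm_version_to_upstream() {
    v=${1#mod_http2-}   # drop the package name
    v=${v%%-*}          # drop release and arch ("-1.el9.x86_64")
    printf '%s\n' "$v"
}

# version_ge A B -> returns 0 when dotted version A >= B; missing components count as 0.
version_ge() {
    have=$1
    want=$2
    oldifs=$IFS
    IFS=.
    set -- $have
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want
    w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS=$oldifs
    if [ "$h1" -ne "$w1" ]; then [ "$h1" -gt "$w1" ]; return; fi
    if [ "$h2" -ne "$w2" ]; then [ "$h2" -gt "$w2" ]; return; fi
    [ "$h3" -ge "$w3" ]
}

# mod_http2_is_fixed VERSION -> 0 if VERSION carries the fix, 1 otherwise.
mod_http2_is_fixed() {
    version_ge "$1" "$FIXED_VERSION"
}

# audit_nvra NVRA -> prints a one-line verdict; returns 0 (fixed) or 1 (vulnerable).
audit_nvra() {
    ver=$(rpm_version_to_upstream "$1")
    if mod_http2_is_fixed "$ver"; then
        printf 'mod_http2 %s: fixed (>= %s)\n' "$ver" "$FIXED_VERSION"
    else
        printf 'mod_http2 %s: VULNERABLE, update to >= %s\n' "$ver" "$FIXED_VERSION"
        return 1
    fi
}

# Run against the live system when rpm is available and the package is installed,
# otherwise against constructed samples so the script still demonstrates both verdicts.
if command -v rpm >/dev/null 2>&1 && nvra=$(rpm -q mod_http2 2>/dev/null); then
    audit_nvra "$nvra"
else
    audit_nvra mod_http2-2.0.42-1.el9.x86_64   # constructed sample: fixed
    audit_nvra mod_http2-2.0.40-1.el9.x86_64   # constructed sample: vulnerable
fi
```

The numeric comparison matters because a plain string compare would rank 2.0.9 above 2.0.41; the helper compares each dotted component as an integer.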
Temporary mitigation
If you cannot update immediately, the safest temporary mitigation is to disable HTTP/2 and serve traffic over HTTP/1.1 only. For Apache httpd this can be done by removing h2 from the Protocols directive, for example:
Protocols http/1.1
However, disabling HTTP/2 is only a workaround. The recommended solution is to update mod_http2.
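As an added example that is not from the CodeIT note or the Apache project, the following POSIX shell/awk snippet audits a configuration for the interim workaround: it reports whether any uncommented Protocols directive still lists h2 (HTTP/2 over TLS) or h2c (cleartext HTTP/2, also served by mod_http2), and prints the HTTP/1.1-only form of each such directive. The vhost fragment is constructed; in practice you would run the check over the files httpd actually loads (on Enterprise Linux typically /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf, paths assumed here).

```shell
#!/bin/sh
# Added example: check whether an httpd configuration still enables HTTP/2
# and produce the HTTP/1.1-only form of the Protocols directive.
# Both functions read the configuration from the file(s) given as arguments, or from stdin.

# h2_enabled_in_config [FILE...] -> 0 if an uncommented Protocols directive
# lists h2 or h2c, 1 otherwise.
h2_enabled_in_config() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        tolower($1) == "protocols" {
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "h2" || t == "h2c") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$@"
}

# disable_h2_in_config [FILE...] -> prints the configuration with h2/h2c removed
# from every Protocols directive; a directive left empty becomes "Protocols http/1.1".
disable_h2_in_config() {
    awk '
        /^[ \t]*#/ { print; next }
        tolower($1) == "protocols" {
            line = $1
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t != "h2" && t != "h2c") line = line " " $i
            }
            if (line == $1) line = line " http/1.1"
            print line
            next
        }
        { print }
    ' "$@"
}

# Constructed sample vhost fragment (not a real CodeIT or Apache file).
SAMPLE_CONF='Protocols h2 h2c http/1.1
ProtocolsHonorOrder On
# Protocols h2 http/1.1   (commented out, must be ignored)
LimitRequestFields 100'

if printf '%s\n' "$SAMPLE_CONF" | h2_enabled_in_config; then
    echo "HTTP/2 is enabled in the sample; HTTP/1.1-only rewrite:"
    printf '%s\n' "$SAMPLE_CONF" | disable_h2_in_config
fi
```

The rewrite only touches the Protocols directive; after applying it, run a configuration test and restart httpd, and remember to put h2 back once mod_http2 2.0.41 or newer is installed.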
CodeIT repository status
CodeIT packages are built for Enterprise Linux systems that need modern web server components while keeping a stable operating system base. The HTTP/2 Bomb fix is already available in the CodeIT repository through mod_http2 2.0.42, independently from the main Apache httpd package. This allows administrators to patch the HTTP/2 module quickly without waiting for the next full httpd release cycle.
