Envoy

vulnerabilities 2026-06-03
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
http2 nginx apache envoy cloudflare iis denial-of-service hpack web-server infrastructure

HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare