
OpenAI's Codex helped find an HTTP/2 bomb that crashes servers in seconds

A bot chained two decade-old DoS bugs into a one-machine attack, raising the urgency for web teams still running default HTTP/2 setups.

By Omar Al-Balawi, Technology Correspondent, The Executives Brief · 3 min read

Executive summary

OpenAI's Codex agent helped Calif researcher Quang Luong uncover HTTP/2 Bomb, a remote denial-of-service exploit that can take vulnerable web servers offline in seconds. For decision-makers, the finding shows how AI can now recombine public vulnerabilities into fresh operational risk before defenders have fully closed the old ones.

A coding agent, not a human, helped uncover a denial-of-service attack that can knock vulnerable web servers offline in seconds. That is the headline from Calif researcher Quang Luong, who says OpenAI's Codex agent helped him find an exploit he named HTTP/2 Bomb. The attack can be launched from a single machine and works against default HTTP/2 configurations on major servers including nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

The practical risk is not abstract. Luong says a home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, he says a single client can consume and hold 32GB of server memory in roughly 20 seconds. Calif warns that upwards of 880,000 websites supporting HTTP/2 and running one of the vulnerable web servers may be affected, which turns this from a niche lab curiosity into an operations problem for anyone running web infrastructure at scale.

The mechanics are almost annoyingly simple, which is part of the problem. Luong says Codex chained two existing denial-of-service techniques that have been known for more than a decade: the HPACK compression bomb and the Slowloris-style hold. An HPACK bomb, tracked as CVE-2016-6581, abuses the HTTP/2 header compression algorithm by sending thousands of tiny messages that force the server to rapidly allocate memory until it crashes. The Slowloris approach, tied here to CVE-2016-8740 and CVE-2016-1546, opens legitimate connections and keeps them alive as long as possible. Put together, the two techniques exhaust memory and force the server offline. In other words, the new attack is not a brand-new primitive. It is a new and effective combination of old ones.

That combination is what makes the AI angle matter. In a blog post published Tuesday, Luong wrote that both halves have been public for a decade, but Codex read the codebases, recognized that they compose, and built the combined attack. He added that, as far as Calif can tell, no human had put the pieces together against these servers. Calif is planning to present the full technical details later this month at the Real World AI Security conference, and in the meantime proof-of-concept exploit scripts are already on GitHub. The red-teaming shop's warning is blunt: “Please don't point these at infrastructure you don't own.”

The disclosure and patch timeline is a good reminder that these incidents move fast once public. Calif disclosed the issue to nginx in April, and the maintainers fixed it the next day in version 1.29.8, which imports the max_headers directive from freenginx. Apache issued a fix, mod_http2 v2.0.41, the same day Calif submitted its report, and assigned the issue CVE-2026-49975. As of Thursday, however, Microsoft IIS and Cloudflare Pingora still did not have a patch, according to the researchers. Cloudflare disputes that finding. A spokesperson told The Register, “Cloudflare's existing architecture and DDoS mitigations automatically detect and protect against this attack, making customers resilient to this vulnerability,” and added, “No patch is needed.” Microsoft said, “We are aware and actively investigating appropriate mitigations to help keep customers protected,” according to a spokesperson.

For operators, the dispute matters because the burden often falls on whoever runs the service, not just the vendor who shipped the code. Calif's researchers say the fixes that are already public disclose the vectors directly, and that any capable AI model can turn those diffs into a working exploit, which is exactly how they found that Microsoft IIS, Envoy, and Pingora are also vulnerable. Calif says all three have been notified. In a Wednesday update, the team pointed to Envoy patches “that appear to mitigate this attack,” while noting its researchers are still validating the fix to make sure it works. For Microsoft IIS and Cloudflare Pingora, the recommended mitigations are straightforward but not always painless: disable HTTP/2 if possible, or enforce a cap on the number of HTTP headers a client can send in a single request.
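The header cap recommended above, shown as an added example that is not from the article or from any of the servers it names: a cut-down HPACK decoder that checks a header-count and header-list-size budget on each field while it decodes, so a small compressed block that keeps re-referencing one stored entry is rejected before the server builds the expanded copy. It models only non-Huffman literal fields with incremental indexing and indexed references into the dynamic table (no static table, no eviction); the caps and the sample header are constructed values.

```python
from typing import List, Optional, Tuple
SAMPLE_LITERAL = b"\x40\x01x\x64" + b"v" * 100  # constructed: header "x: vvv...v" (100-byte value), stored in the table

def _read_int(data: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    # HPACK integer (RFC 7541 section 5.1): N-bit prefix, then 7-bit continuation bytes.
    limit = (1 << prefix_bits) - 1
    value, pos = data[pos] & limit, pos + 1
    if value < limit:
        return value, pos
    for shift in range(0, 63, 7):
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
    raise ValueError("integer too long")

def _read_str(data: bytes, pos: int) -> Tuple[bytes, int]:
    # String literal (RFC 7541 section 5.2); Huffman-coded strings are out of scope here.
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings not modelled in this example")
    length, pos = _read_int(data, pos, 7)
    return data[pos:pos + length], pos + length

def decode_block(block: bytes, max_headers: int = 100,
                 max_list_size: int = 16384) -> Optional[List[Tuple[bytes, bytes]]]:
    # Decode one header block; return None (reject the stream) before either cap is exceeded.
    headers: List[Tuple[bytes, bytes]] = []
    dynamic: List[Tuple[bytes, bytes]] = []  # newest entry first (RFC 7541 section 2.3.2)
    list_size, pos = 0, 0
    while pos < len(block):
        if block[pos] & 0x80:  # indexed field: one byte re-emits a whole stored entry
            idx, pos = _read_int(block, pos, 7)
            if idx < 62 or idx - 62 >= len(dynamic):
                raise ValueError("index outside the modelled dynamic table")
            name, value = dynamic[idx - 62]
        elif block[pos] & 0x40:  # literal with incremental indexing, literal name (index 0)
            idx, pos = _read_int(block, pos, 6)
            if idx != 0:
                raise ValueError("indexed names not modelled in this example")
            name, pos = _read_str(block, pos)
            value, pos = _read_str(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation not modelled in this example")
        list_size += len(name) + len(value) + 32  # RFC 7540 section 6.5.2 accounting
        if len(headers) >= max_headers or list_size > max_list_size:
            return None  # budget is checked before the copy is stored, not after
        headers.append((name, value))
    return headers
```

A real server would answer the None case with RST_STREAM or GOAWAY; the point is that the cap is applied per decoded field, not on the compressed size, which is what lets a few hundred bytes on the wire stay a few hundred bytes in memory.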

The strategic takeaway for executives is bigger than one exploit. AI-assisted security work is now capable of recombining old, public bugs into immediate live threats faster than many teams can react, which compresses the window between disclosure and exploitation. That shifts pressure onto engineering leaders, SRE teams, and boards that oversee cyber risk to know not just whether a patch exists, but whether their stack has default settings, exposed header handling, and enough memory headroom to survive a cheap, single-machine attack. If your business depends on web availability, the lesson is simple: old vulnerabilities are not really old if an agent can still stitch them together into a crash in seconds.
