HTTP/2 Bomb exploit can knock major web servers offline.

03.06.2026

Source: www.securityweek.com

Security researchers disclosed “HTTP/2 Bomb,” a denial-of-service attack chain that combines HTTP/2 header compression abuse with Slowloris-style memory exhaustion. SecurityWeek reports that default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora may be affected, with more than 880,000 HTTP/2-enabled websites potentially exposed. Some fixes are already available, but not all vendors had patched at the time of publication.