Message-ID: <6e9eb782-2ebd-4ee7-84f5-92765d3d494a@oracle.com>
Date: Thu, 4 Jun 2026 16:34:04 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora
On 6/2/26 19:36, Alan Coopersmith wrote:
> https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb says:
>> The fix commits above are public and disclose the vectors directly; any
>> capable AI model can turn those diffs into a working exploit, which is exactly
>> how we found that Microsoft IIS, Envoy, and Pingora are also vulnerable.
>> We've notified their maintainers. Given how short the commit-to-exploit path
>> now is, we're releasing this writeup to provide users with the mitigations below.
Additional patches have since been released by envoy & h2o.
Posts on twitter by @calif_io continue to discuss whether other
packages are vulnerable or not.
https://github.com/envoyproxy/envoy/security/advisories/GHSA-22m2-hvr2-xqc8 says:
> HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
>
> phlax published GHSA-22m2-hvr2-xqc8 Jun 3, 2026
>
> Package: github.com/envoyproxy/envoy
> Affected versions: <1.39
> Patched versions: 1.35.11 1.36.7 1.37.3 1.38.1
>
> Summary
> -------
>
> A vulnerability in Envoy's HTTP/2 downstream request processing allows an
> unauthenticated remote client to trigger excessive memory consumption,
> potentially resulting in OOM termination of the Envoy process and denial
> of service.
>
> The issue arises from the combination of two behaviors:
>
> 1. Cookie header bytes are not fully accounted for during request header size
> validation in Envoy.
> 2. HPACK header block limits in oghttp2/quiche are enforced on encoded bytes
> without a corresponding limit on total decoded header size.
>
> Together, these behaviors allow a malicious client to cause large decoded header
> allocations while bypassing the intended request header size protections.
>
> Affected Components
> -------------------
>
> * Envoy HTTP/2 downstream request processing
> * Cookie header size accounting during header validation
> * HPACK header block size enforcement in oghttp2/quiche
>
> Details
> -------
>
> During HTTP/2 request processing, cookie header fragments are buffered
> separately and merged only after request header size validation has completed.
> Because these buffered cookie bytes are not fully included in the effective
> header size check, oversized cookie data can bypass max_request_headers_kb
> enforcement.
>
> Separately, oghttp2/quiche enforces header block limits on encoded HPACK bytes
> rather than on the fully decoded header size. A malicious client can exploit
> this asymmetry by using dynamic table references to keep the encoded
> representation relatively small while causing the decoded cookie header value
> to become much larger in memory.
>
> When these behaviors are combined, a client can force Envoy to retain large
> per-stream allocations. Under sustained concurrency, this can rapidly increase
> process memory usage and lead to OOM termination.
>
> Flow-control stalling can further increase the effectiveness of the attack by
> prolonging stream lifetime and delaying reclamation of per-stream memory.
>
> Impact
> ------
>
> An unauthenticated remote attacker can cause denial of service by exhausting
> memory in the Envoy process.
>
> In testing against envoyproxy/envoy-google-vrp-dev:latest (v1.36.0-dev), the
> Envoy edge process was OOM-killed under a 3 GiB memory limit within a few
> seconds using a limited number of HTTP/2 connections and streams.
>
> Additional testing showed that the attack remained effective with significantly
> fewer connections and streams than initially required, indicating that
> exploitation can be efficient even under tighter attacker-side resource
> constraints.
>
> A secondary operational effect observed during testing was that oversized
> decoded cookies forwarded upstream could exceed the upstream service's own
> header limits, potentially causing upstream HTTP/2 connection resets and
> transient request failures.
>
> Attack Vector
> -------------
>
> A malicious downstream HTTP/2 client sends specially crafted cookie headers
> that combine:
>
> * incomplete cookie-size accounting during request validation; and
> * HPACK decoded-size amplification via small encoded representations.
>
> The impact can be amplified further by using HTTP/2 flow-control behavior
> to extend stream lifetime and delay memory reclamation.
>
> Patches
> -------
>
> A complete fix requires addressing both contributing issues:
>
> * include buffered cookie bytes in request header size accounting before
> request acceptance; and
> * enforce limits on decoded header size, not only on encoded HPACK block size.
>
> Fixing only one side may reduce exploitability but does not fully address the
> underlying issue.
>
> Workarounds
> -----------
>
> No complete workaround is known short of applying a fix.
>
> Possible temporary mitigations include:
>
> * disabling downstream HTTP/2 where operationally feasible;
> * enforcing stricter request header and cookie limits before traffic
> reaches Envoy; and
> * monitoring Envoy memory usage for abnormal growth under HTTP/2 traffic.
>
> Detection
> ---------
>
> Potential indicators of exploitation include:
>
> * rapid or sustained abnormal memory growth in the Envoy process;
> * OOM termination, including exit status 137 in containerized environments; and
> * unusual HTTP/2 traffic patterns involving repeated indexed cookie references.
>
> Credits
> -------
> Credit: Ryoga Yamashita.
>
> Severity: High, 7.5 / 10
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE ID: CVE-2026-47774
https://github.com/h2o/h2o/security/advisories/GHSA-qcrr-wrhc-pgq9 says:
> HTTP/2 state amplification
>
> kazuho published GHSA-qcrr-wrhc-pgq9 Jun 3, 2026
>
> Package: h2o
> Affected versions: commits up to 8dc37cb
> Patched versions: 9265bdd and above
>
> Impact
> ------
>
> Recently, an attack against HTTP/2 servers was published that combines state
> amplification caused by HPACK decompression with Slowloris-style stream stalling:
> https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb.
>
> H2O reduces HPACK state amplification by representing HTTP header names and
> values internally as references where possible. However, in light of this
> attack, additional limits may be needed, depending on the configuration, to
> bound decoded header state and prevent amplified state from being retained
> by stalled HTTP/2 streams.
>
> Patches
> -------
> Mitigations were added in #3597 and landed on master as 9265bdd:
> https://github.com/h2o/h2o/pull/3597
> https://github.com/h2o/h2o/commit/9265bdd9a996ed992681055e3996baf3e09d2063
>
> References
> ----------
> https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
>
> Severity: High, 7.5 / 10
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> CVE ID: No known CVE
--
-Alan Coopersmith- alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
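The second fix the Envoy advisory's Patches section calls for, a limit on decoded header size rather than on encoded HPACK bytes, as an added example that is not code from Envoy, h2o, quiche or the advisory authors: a minimal HPACK (RFC 7541) decoder that counts name + value + 32 per field and rejects a block once that sum exceeds a cap. The names STATIC, decode_block, accepts and AMPLIFIED_BLOCK are this example's own, and AMPLIFIED_BLOCK is a constructed input, not traffic from the page.

```python
# Added example, not Envoy/h2o/quiche code: a minimal HPACK (RFC 7541) decoder that
# caps the *decoded* header size. Assumes no Huffman strings, no dynamic-table size
# updates or eviction, and only the one static-table entry used below (32 = "cookie").
STATIC = {32: ("cookie", "")}
ENTRY_OVERHEAD = 32  # per-field overhead, RFC 7540 s6.5.2 / RFC 7541 s4.1
class DecodedSizeExceeded(Exception): pass
def _int(buf, pos, prefix_bits):  # HPACK prefix-coded integer -> (value, next_pos)
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    if value == mask:                       # continuation bytes follow
        b = 0x80
        while b & 0x80:
            b, pos = buf[pos], pos + 1
            value, shift = value + ((b & 0x7F) << shift), shift + 7
    return value, pos
def _string(buf, pos):  # raw (non-Huffman) string literal -> (text, next_pos)
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not handled in this example")
    n, pos = _int(buf, pos, 7)
    return buf[pos:pos + n].decode("latin-1"), pos + n
def decode_block(block, max_decoded_size):
    """Decode one header block; raise once decoded size exceeds the limit, however few encoded bytes it took."""
    dyn, headers, decoded, pos = [], [], 0, 0
    lookup = lambda i: STATIC[i] if i < 62 else dyn[i - 62]  # dyn[0] is index 62
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                        # indexed field: one byte yields a whole entry
            idx, pos = _int(block, pos, 7)
            name, value = lookup(idx)
        elif b & 0x60 == 0x20:              # dynamic table size update (001xxxxx)
            raise ValueError("table size update not handled in this example")
        else:                               # literal field, with (01xxxxxx) or without indexing
            add = bool(b & 0x40)
            idx, pos = _int(block, pos, 6 if add else 4)
            name, pos = (lookup(idx)[0], pos) if idx else _string(block, pos)
            value, pos = _string(block, pos)
            if add:
                dyn.insert(0, (name, value))
        decoded += len(name) + len(value) + ENTRY_OVERHEAD
        if decoded > max_decoded_size:
            raise DecodedSizeExceeded(f"decoded {decoded} > {max_decoded_size} after {pos} encoded bytes")
        headers.append((name, value))
    return headers
def accepts(block, max_decoded_size):  # True if the block passes the decoded-size check
    try:
        return bool(decode_block(block, max_decoded_size)) or True
    except DecodedSizeExceeded:
        return False
# Constructed input: one literal cookie (name index 32, 4000-byte value) that enters the
# dynamic table as index 62, followed by 100 one-byte indexed references to it.
AMPLIFIED_BLOCK = b"\x60" + b"\x7f\xa1\x1e" + b"a" * 4000 + b"\xbe" * 100
```

A check on encoded bytes alone would pass the 4104-byte constructed block, whose decoded size is about 400 KB; counting decoded size rejects it at a 64 KiB cap after 17 fields, which is the asymmetry the advisory describes.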