
The Security Brief


HTTP/2 Bomb: One Client Can Exhaust a Web Server's Memory in Seconds
A single laptop on home broadband can now take a web server offline if it runs NGINX, Apache, IIS, Envoy or Cloudflare Pingora. The technique, disclosed on 2 June and named HTTP/2 Bomb, needs no botnet and no credentials. It abuses how these servers handle HTTP/2 by default, and roughly 880,000 public-facing servers were exposed when the research went live. What Happened Researchers at Calif published the exploit after it was found by OpenAI's Codex, which combined two attack
Jun 5 · 3 min read


NGINX Rift: An 18-Year-Old Web Server Flaw Now Has a Working RCE Exploit
nginx runs in front of a large share of the world's websites and applications, which is exactly why a flaw that sat untouched inside it for 18 years deserves attention this week. CVE-2026-42945, now named NGINX Rift, began life as a heap overflow that could crash a worker process. A public proof-of-concept has since turned it into unauthenticated remote code execution triggered by a single HTTP request. What Happened Researchers at depthfirst found a heap buffer overflow in..
May 30 · 3 min read


Attackers Are Exploiting Microsoft Defender Flaws to Gain SYSTEM Privileges
Two vulnerabilities in Microsoft Defender — the antivirus software running on nearly every Windows endpoint — are being actively exploited in the wild. Microsoft confirmed the flaws on 19 May, and CISA added both to its Known Exploited Vulnerabilities catalogue the following day, setting a 3 June deadline for US federal agencies to patch or drop the product entirely. If your organisation runs Windows, this one demands your attention. What Happened CVE-2026-41091 (CVSS 7.8) is
May 23 · 3 min read