An HTTP/2 vulnerability dubbed 'HTTP/2 Bomb' affects Cloudflare and other server platforms including NGINX, Apache, IIS, and Envoy. The flaw exploits HPACK header compression and HTTP/2 flow control mechanisms, allowing a single client to consume up to 32GB of server memory in approximately 20 seconds, causing denial-of-service conditions and server outages.
Cloudflare disclosed results from Project Glasswing, an internal exercise in which its security team ran Anthropic's unreleased Claude Mythos Preview model against more than fifty of its production repositories, including runtimes, edge data paths and protocol stacks. The reported findings include 595 crashes and ten documented working control-flow hijacks, with the model chaining low-severity primitives into functional exploit chains and surfacing memory-safety and command-injection issues in Cloudflare code. Anthropic rated Mythos at or near its ASL-3 cyber-capability threshold and is keeping the model under restricted release. Cloudflare's CISO framed the exercise as evidence that AI-assisted vulnerability discovery is now operationally relevant against critical infrastructure code, and warned that the same capabilities will be available to attackers. No active exploitation has been reported, and Cloudflare has not published specific CVEs tied to the findings.
Cloudflare published a response detailing how it assessed and mitigated the 'Copy Fail' Linux kernel local privilege escalation vulnerability (CVE-2026-31431), publicly disclosed on April 29, 2026. Cloudflare's Security and Engineering teams reviewed the exploit technique, evaluated exposure across its infrastructure, and validated that existing behavioral detections could identify the exploit pattern. The post describes mitigations applied to protect Cloudflare's fleet from local privilege escalation via the kernel flaw. No active exploitation against Cloudflare was reported, and the issue is a kernel-level LPE rather than a remote-facing service vulnerability. Other items in the source set concern unrelated vendors (Ivanti EPMM, Palo Alto PAN-OS) and are not relevant to Cloudflare.