New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — Security researchers at Calif have disclosed a novel denial-of-service technique, dubbed the HTTP/2 Bomb, that weaponizes two well-known mechanisms — HPACK header compression and Slowloris-style connection holding — in a previously unseen combination. Rather than stuffing large values into the compression table, the attack floods servers with nearly empty headers that each trigger expensive per-entry bookkeeping allocations, then uses a zero-byte flow-control window to prevent the server from ever freeing that memory. The result: a single home machine on a 100 Mbps connection can exhaust 32 GB of server RAM in about 20 seconds against Apache HTTPD or Envoy. NGINX fixed the issue in version 1.29.8 with a new max_headers directive; Apache addressed it in mod_http2 v2.0.41; Microsoft IIS and Envoy have no patch yet at time of writing.
Gemini Voice Assistant Hijacked via Messaging Notifications — SafeBreach researchers disclosed a prompt-injection attack class they call Fake Context Alignment, which exploited Google’s Gemini voice assistant by embedding malicious instructions inside ordinary messaging notifications from apps like WhatsApp, Slack, and SMS. When Gemini read out those notifications in hands-free mode, it silently ingested hidden commands — sometimes encoded in foreign languages or tucked inside muted hyperlinks — that caused it to perform dangerous actions: controlling Google Home smart-home devices, initiating Zoom video calls, crafting deceptive replies that appeared to come from trusted contacts, and even poisoning the assistant’s long-term memory for persistent control. Google patched the vulnerability in November 2025 after SafeBreach disclosed it in August 2025; the researchers published full details this week to raise awareness of the broader prompt-injection risk as AI assistants gain deeper access to everyday devices and communications.
Cisco Warns Zero-Day Flaw in SD-WAN Is Being Exploited — Cisco disclosed an unpatched zero-day vulnerability in Catalyst SD-WAN Manager (CVE-2026-20245, CVSS 7.8) that is being actively exploited in limited attacks, with no patch yet available. The flaw allows a local authenticated attacker to escalate privileges to root through improper validation of user-supplied data; Cisco confirmed exploitation has been linked to threat actor UAT-8616. As a workaround, Cisco advised administrators to disable the SD-WAN Manager’s out-of-band management interfaces where possible, and to monitor for anomalous privilege escalation events while the company works on a fix. The disclosure comes just days after CISA flagged a separate Cisco SD-WAN issue, underscoring sustained attacker interest in the platform’s management plane.
UN Food Agency Investigates Breach Exposing Data of Gaza Aid Recipients — The World Food Programme said it is investigating a security incident in which “unauthorized parties” accessed its self-registration application used exclusively in Gaza, where Palestinians register for food and cash assistance. The breach, which occurred on May 14, exposed names, identification numbers, phone numbers, and neighborhood-level location data for approximately 600,000 Palestinian households — nearly all of the roughly 1.6 million people WFP serves in Gaza each month. WFP temporarily suspended the platform to contain the intrusion and strengthen security controls, though it has not publicly identified the attacker or confirmed whether any data was subsequently leaked. The incident highlights the particular risks facing humanitarian databases, whose contents can be weaponized to identify and target vulnerable civilian populations.
CISA: Hackers Now Exploit SolarWinds Serv-U Flaw to Crash Servers — CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog after confirming active exploitation of a high-severity denial-of-service flaw in SolarWinds Serv-U file transfer software. The vulnerability, rooted in uncontrolled resource consumption, allows unauthenticated remote attackers to crash Serv-U servers by sending specially crafted POST requests with a Content-Encoding: deflate header — no authentication or user interaction required. SolarWinds patched the flaw in Serv-U 15.5.4 Hotfix 1 and advised admins who cannot immediately patch to restrict access to known IP addresses and block POST requests containing “content-encoding.” Federal agencies have until June 19 to remediate under BOD 22-01; with Shodan tracking over 12,000 Serv-U servers exposed online, the attack surface for both government and private-sector targets remains significant.
