
A
Cybersecurity Today we'd like to thank Material Security for supporting the podcast. Material Security provides faster, more complete detection and responses for email, identity and data threats inside Google Workspace and Microsoft 365. Contact them at Material Security.

An HTTP/2 bomb can crash web servers in seconds. Trump creates a voluntary AI security review as government seeks visibility into frontier models. The cybersecurity industry's patch strategy may be breaking down, and a CISA warning shows attackers don't care whether a vulnerability is new or old. This is Cybersecurity Today. I'm your host, Jim Love.

Researchers have discovered a new denial of service technique called HTTP/2 bomb that can exhaust a web server's memory and take it offline in less than a minute. The attack targets HTTP/2 implementations used by major web servers, including Apache, nginx, Microsoft's Internet Information Services, or IIS, and Envoy. What makes it unusual is that it doesn't require a botnet or massive bandwidth. Researchers say a single computer on a 100 megabit connection could knock vulnerable servers offline within seconds.

The attack combines two older techniques. First, it abuses HTTP/2's HPACK compression system to force a server to allocate far more memory than the attacker actually sends across the network. Then it uses HTTP/2 flow control features to prevent that memory from being released. The result is a server that keeps consuming memory until it runs out quickly. In testing, researchers were able to consume and hold 32 gigabytes of memory on Apache and Envoy servers in roughly 20 seconds. IIS servers with 64 gigabytes of RAM were exhausted in about 45 seconds. The researchers describe it as a memory amplification attack. In some cases, every byte sent by the attacker triggered thousands of bytes of memory allocation on the target server.
Because the attack exploits normal HTTP/2 behavior, traditional denial of service protections that focus on traffic volume may not detect it immediately.

And there's another interesting twist to this story. The researchers say the attack chain was first identified with assistance from OpenAI's Codex. The underlying techniques were already known, but the AI helped connect them into a practical exploit that had not previously been recognized. It may be an early example of a trend security researchers are watching closely: artificial intelligence not discovering new vulnerabilities, but uncovering dangerous combinations of the existing ones that humans overlooked.

The Trump administration has signed an executive order creating a voluntary framework for reviewing advanced artificial intelligence models before they're released to the public. Under the program, developers can provide frontier AI systems to government agencies for cybersecurity and national security assessments up to 30 days before launch. The order specifically states that participation is voluntary and does not create any licensing, permitting, or preapproval requirements for AI companies.

So on the surface, the order appears to be a compromise between two competing goals. The administration wants to maintain American leadership in artificial intelligence while also acknowledging growing concerns about the security risks posed by increasingly powerful models. The Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the National Institute of State Standards and Technology will play roles in the review process.

For cybersecurity professionals, the interesting question is why the government wants early access at all. Recent research has shown that advanced AI systems are becoming increasingly capable of identifying software vulnerabilities, analyzing code, and accelerating security research.
Those same capabilities could potentially be used to accelerate cyber attacks, discover previously unknown flaws, or support nation operations. Those abilities may have already arrived with Mythos, with Microsoft's M Dash and OpenAI's 5.6 model. But the executive order suggests that Washington wants greater visibility into those capabilities before they reach the public.

The challenge is that visibility and control are not the same thing. The government is signaling concern about the cybersecurity implications of frontier AI while stopping well short of imposing any meaningful oversight. In effect, it's asking companies to voluntarily share information about technologies that could have national security implications. But whether that approach proves sufficient as AI capabilities continue to advance remains an open question.

A new report from the Cloud Security Alliance suggests that organizations are struggling with a problem that has been quietly growing for years. There are simply too many vulnerabilities to patch. The report has found that 89% of organizations experienced a security incident linked to an unpatched vulnerability over the past year, while more than half said they cannot keep up with the number of vulnerabilities requiring attention.

For decades, the advice from security professionals was: patch your systems as quickly as possible. But today's environments are very different from the data centers of 20 years ago. Organizations now manage cloud services, containers, software as a service platforms, remote endpoints, APIs, and a growing number of third party applications. Every one of those technologies generates its own stream of vulnerabilities and updates. And the result is that many security teams are no longer deciding how quickly to patch; they're deciding what not to patch.

According to the report, limited staff, resource constraints and incomplete visibility into assets are making it increasingly difficult to keep pace. In practice, many organizations are forced to prioritize a small subset of vulnerabilities while accepting risk elsewhere. That may be the most important takeaway from the report. The cybersecurity industry's tools for finding vulnerabilities continue to improve. Artificial intelligence, automated scanners and threat intelligence platforms can identify weaknesses faster than ever before. But the bottleneck is no longer discovery, it's remediation. Security teams are increasingly confronted with a reality that few want to admit: there may no longer be enough time, money or people to fix everything, forcing organizations to become much better at deciding which risks matter most.

The US Cybersecurity and Infrastructure Security Agency, CISA, has added two vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming they're being actively used in Lynx. One affects Android devices and was patched by Google this month. The other affects Linux systems and has been known for years. Together, they illustrate an important reality about modern cyber attacks. Attackers don't care how old a vulnerability is, they care whether it remains exploitable.

The Android vulnerability, tracked as CVE-2025-48595, is a privilege escalation flaw in Android's framework component that Google addressed in its June security update. CISA says it's being actively exploited in the wild. And while Google has released a fix, Android updates move through device manufacturers and carriers before reaching users, meaning patch availability can vary across the ecosystem.

The second vulnerability, CVE-2022-0492, affects Linux systems and was originally disclosed several years ago. Despite the availability of patches, it's still being exploited successfully enough to warrant inclusion in CISA's catalog of Known Exploited Vulnerabilities. Taken together, the two flaws highlight opposite ends of the same problem.
One shows how quickly attackers move against newly discovered weaknesses, and the other shows how long they're willing to keep exploiting older ones. For defenders, the lesson is vulnerability age is often irrelevant. Whether a flaw was disclosed last month or several years ago, attackers will continue to use it as long as vulnerable systems remain available.

And that's our show. If you like what we're doing, please share the show with others. Give us a like or a comment on your favorite podcast app or site. We're found everywhere: Apple Podcasts, Spotify, YouTube, and more. We love to hear from you. You can reach us at technewsday.ca or technewsday.com. Just go to the Contact Us page and drop us a note. And if you're watching this on YouTube, leave a comment under the video. Your feedback is always appreciated. We read every comment. We try to respond to everyone. I'm your host Jim Love. I hope you can join us this weekend for our month in review show with our panel. David Shipley will be back with the news on Monday morning. I'm your host, Jim Love. Thanks for listening.

Here's a question worth asking. What happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform, purpose built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit, and Lyft trust Material to stop the threats other tools miss. See Workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
Host: Jim Love
Date: June 5, 2026
This episode explores several pressing developments in the cybersecurity landscape: a powerful new HTTP/2 memory exhaustion attack (“HTTP/2 bomb”), a voluntary AI security review framework enacted by the Trump administration, the ongoing crisis in vulnerability patching within organizations, and recent advisories on both new and long-standing exploited vulnerabilities impacting Android and Linux. Host Jim Love provides in-depth context, expert analysis, and frames the key challenges confronting defenders today.
[01:00 - 04:20]
[04:24 - 07:10]
[07:15 - 10:13]
[10:16 - 13:04]
Jim Love delivers a tightly focused overview of how threat actors and the cybersecurity community are in a constant arms race—whether it’s novel technical exploits like the HTTP/2 bomb, the increasingly complex and urgent challenges of vulnerability management and patching, or the evolving (but still ambiguous) role for both government and AI in securing tomorrow’s digital landscape. The episode closes with a stark lesson: cyber threats evolve, but the fundamentals of patching and risk prioritization are more important—and more overloaded—than ever.