Four high-profile vulnerabilities in the HTTP/2 protocol have been discovered in just four months. The vulnerabilities allow attackers to slow web servers by flooding them with innocent looking messages that carry a payload of gigabytes of data, putting the servers into infinite loops and even causing them to crash. All four vulnerabilities have already been fixed in the protocol, which is used by some 85, or around 9 percent of websites, on the Internet, according to Imperva. Researchers took an in-depth look at Apache, Microsoft, NGINX, Jetty, and nghttp2.
Source: https://thehackernews.com/2016/08/http2-protocol-security.html