The HTTP/2 CONTINUATION flood, dubbed HTTP/2 Bomb, reveals a systemic flaw in how servers handle HPACK header compression and flow-control windows, allowing a single low-bandwidth client to pin tens of gigabytes of memory across NGINX, Apache, IIS, Envoy, and Cloudflare Pingora. Unlike classic HPACK bombs that relied on table amplification, this variant exploits per-entry bookkeeping for nearly empty headers, bypassing decoded-size limits while Slowloris-style zero-byte windows prevent release. The pattern mirrors 2016-era flaws (CVE-2016-6581, CVE-2016-8740) yet persists because the HTTP/2 specification frames memory risk solely as an amplification ratio, ignoring hold-time economics. Critical infrastructure operators face asymmetric exposure: a 100 Mbps residential link can saturate enterprise servers in seconds, enabling state or proxy actors to degrade availability without triggering volumetric alerts. Patches remain uneven, with Microsoft, Envoy, and Pingora still unaddressed, underscoring accumulated web-security debt from rushed protocol adoption. This incident connects to broader patterns of protocol-level weaknesses that adversaries routinely chain with supply-chain or edge-device compromises.