Four security vulnerabilities found in HTTP/2
They are:
• Slow Read: similar in principle to the Slow Loris DoS attack.
• HPACK Bomb: compression-layer attack that turns small, seemingly innocuous messages (zip files) into gigabytes of data, which can also be used to DoS a service.
• Dependency Cycle attack: abuses the HTTP/2 flow control mechanism to force a server into an infinite loop.
• Stream multiplexing abuse: uses flaws in the way servers implement stream multiplexing; can also be used for DoS attacks.
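On the server side, the Dependency Cycle item comes down to keeping the stream dependency tree acyclic and every walk over it bounded. The sketch below is an added example, not code from Imperva or from any HTTP/2 server; it follows the reprioritization rules of RFC 7540 sections 5.3.1 and 5.3.3, ignores weights and the exclusive flag, and its class, method and limit names are assumptions.

```python
class PriorityError(Exception):
    """Raised for a priority update the server should refuse."""

class PriorityTree:
    def __init__(self, max_tracked=100):
        self.parent = {0: None}         # stream id -> parent id; 0 is the root
        self.max_tracked = max_tracked  # bound on priority state per connection

    def path_to_root(self, stream):
        """Return [stream, parent, ..., 0]; the walk is bounded so it always ends."""
        path = [stream]
        while self.parent[path[-1]] is not None:
            if len(path) > len(self.parent):
                raise PriorityError("dependency cycle in priority tree")
            path.append(self.parent[path[-1]])
        return path

    def _track(self, stream):
        if stream not in self.parent:
            if len(self.parent) > self.max_tracked:
                raise PriorityError("priority state limit reached")
            self.parent[stream] = 0     # default priority: child of the root

    def set_dependency(self, stream, depends_on):
        if stream == 0 or stream == depends_on:
            # RFC 7540 5.3.1: a stream cannot depend on itself
            # (stream error of type PROTOCOL_ERROR).
            raise PriorityError("invalid dependency")
        self._track(depends_on)         # unknown parent gets default priority
        self._track(stream)
        if stream in self.path_to_root(depends_on):
            # RFC 7540 5.3.3: the new parent is a descendant of `stream`, so
            # first move it up to `stream`'s old parent to keep the tree acyclic.
            self.parent[depends_on] = self.parent[stream]
        self.parent[stream] = depends_on

def demo():
    tree = PriorityTree()
    # Constructed sequence: the last update makes stream 1 depend on its own
    # descendant 5, which a naive implementation would store as a loop.
    for stream, dep in [(1, 0), (3, 1), (5, 3), (1, 5)]:
        tree.set_dependency(stream, dep)
    return tree.path_to_root(3)
```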
More here:
http://www.techweekeurope.co.uk/security/cyberwar/http2-flaws-security-black-hat-196012
The extensive technical analysis by the Imperva researchers who found them: