Microsoft has disclosed CVE-2026-49160, a high-severity Denial-of-Service (DoS) vulnerability affecting the Windows HTTP protocol stack (HTTP.sys). The flaw exists due to uncontrolled resource consumption in HTTP/2, allowing remote attackers to exhaust system resources and potentially render affected services unavailable.
Assigned a CVSS v3.1 score of 7.5 (High), the vulnerability requires no authentication, no user interaction, and can be exploited remotely over a network.
What is HTTP.sys?
HTTP.sys is a kernel-mode driver in Microsoft Windows responsible for processing HTTP and HTTPS traffic. It is widely used by:
- Microsoft IIS (Internet Information Services)
- Windows Remote Management (WinRM)
- Windows Activation Services
- Various Windows-based web applications and APIs
Because HTTP.sys operates at the kernel level, any vulnerability affecting it can have a significant impact on system availability and performance.
Technical Details
According to Microsoft's advisory, CVE-2026-49160 stems from uncontrolled resource consumption within HTTP/2 request processing. An attacker can send specially crafted HTTP/2 requests that consume excessive system resources, eventually leading to service disruption or system instability.
HTTP/2 Bomb Attack
Security researchers have linked this issue to a technique commonly referred to as an "HTTP/2 Bomb" attack.
By abusing HTTP/2 header processing, attackers can force a target server to allocate excessive memory and CPU resources. In testing scenarios, vulnerable IIS servers reportedly consumed tens of gigabytes of memory within minutes, causing severe service degradation.
While the vulnerability does not provide code execution capabilities, it can effectively take critical web services offline, making it a serious threat to organizations relying on Windows-based web infrastructure.
Affected Systems
Microsoft has confirmed that the vulnerability impacts multiple Windows versions, including:
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Several builds released before Microsoft's June 2026 security updates remain vulnerable.
Exploitation Requirements
To exploit CVE-2026-49160, an attacker needs:
- Network access to the target service
- No authentication
- No local access
- No user interaction
This makes internet-facing IIS servers and exposed HTTP.sys-enabled services particularly attractive targets.
Mitigation and Patching
Microsoft addressed the vulnerability as part of its June 2026 Patch Tuesday release. Organizations should immediately apply the latest cumulative updates for affected Windows systems.
Additional Mitigation
Microsoft has introduced a registry setting called:
MaxHeadersCount
This setting limits the number of HTTP/2 and HTTP/3 headers processed per request, helping reduce the impact of resource exhaustion attacks. Microsoft also provides PowerShell-based mitigation guidance for administrators unable to patch immediately.
Detection Recommendations
Security teams should monitor for:
- Sudden spikes in HTTP/2 traffic
- Excessive memory consumption by IIS services
- Abnormally high HTTP.sys resource utilization
- Unexpected web service crashes or restarts
- Large volumes of malformed or repetitive HTTP/2 requests
Implementing rate limiting, Web Application Firewalls (WAFs), and network monitoring can help detect exploitation attempts early.
Why This Matters
Denial-of-Service vulnerabilities often receive less attention than Remote Code Execution flaws, but CVE-2026-49160 demonstrates why availability attacks remain a major concern.
Because HTTP.sys sits at the core of Windows web infrastructure, successful exploitation can impact multiple services simultaneously. For organizations hosting critical applications on IIS or other HTTP.sys-dependent services, prompt patching should be considered a priority.
Final Thoughts
CVE-2026-49160 highlights the risks associated with modern protocol implementations such as HTTP/2. Although the vulnerability does not allow attackers to execute code or steal data, its ability to remotely exhaust server resources makes it a significant operational threat.
Organizations should prioritize Microsoft's June 2026 security updates, review HTTP/2 exposure, and implement monitoring controls to reduce the likelihood of successful denial-of-service attacks.
