Skip to main content

Microsoft HTTP/2 CVE-2026-49160

| EUVDEUVD-2026-35588 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 secure@microsoft.com GHSA-g6wq-v77v-v58c
7.5
CVSS 3.1 · NVD
Temporal: 6.5
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CIRCL (temporal)
6.5 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 17:44 vuln.today

DescriptionCVE.org

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.

AnalysisAI

Remote denial-of-service in Microsoft's HTTP/2 implementation allows unauthenticated network attackers to exhaust server resources and disrupt service availability. The flaw (CWE-400, uncontrolled resource consumption) was reported by Microsoft's MSRC and carries a CVSS 7.5 score driven entirely by availability impact, with no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in Microsoft's implementation of the HTTP/2 protocol, a binary, multiplexed transport layer used by IIS, HTTP.sys, and dependent Windows services. HTTP/2's stream multiplexing, header compression (HPACK), and flow-control windowing create multiple state-tracking surfaces where a server must allocate memory, CPU, or connection state per stream or frame. CWE-400 (Uncontrolled Resource Consumption) indicates the implementation lacks adequate ceilings or rate limits on one of these structures - historically similar to the HTTP/2 'Rapid Reset' (CVE-2023-44487) and stream-flood family of issues - letting an attacker drive resource use disproportionate to their effort. The provided CPE data does not enumerate specific Windows or IIS versions; vendor advisory must be consulted for the exact affected component.

RemediationAI

Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160 once the exact KB for your Windows/IIS build is identified; patch status is available per vendor advisory but a specific fix version is not included in the provided input. As compensating controls until patched, place affected endpoints behind an HTTP/2-aware reverse proxy or WAF (e.g., Azure Front Door, Cloudflare, or an updated nginx/Envoy) that enforces per-connection stream limits and frame-rate caps, or temporarily disable HTTP/2 on HTTP.sys via the registry 'EnableHttp2Tls' / 'EnableHttp2Cleartext' DWORDs set to 0 - note this forces clients back to HTTP/1.1 with measurable latency and throughput regressions for modern browsers and gRPC workloads. Additionally, apply network-layer rate limiting and connection caps at the load balancer to blunt floods, accepting that legitimate high-concurrency clients may be throttled.

Share

CVE-2026-49160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy