Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
AnalysisAI
Remote denial-of-service in Microsoft's HTTP/2 implementation allows unauthenticated network attackers to exhaust server resources and disrupt service availability. The flaw (CWE-400, uncontrolled resource consumption) was reported by Microsoft's MSRC and carries a CVSS 7.5 score driven entirely by availability impact, with no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in Microsoft's implementation of the HTTP/2 protocol, a binary, multiplexed transport layer used by IIS, HTTP.sys, and dependent Windows services. HTTP/2's stream multiplexing, header compression (HPACK), and flow-control windowing create multiple state-tracking surfaces where a server must allocate memory, CPU, or connection state per stream or frame. CWE-400 (Uncontrolled Resource Consumption) indicates the implementation lacks adequate ceilings or rate limits on one of these structures - historically similar to the HTTP/2 'Rapid Reset' (CVE-2023-44487) and stream-flood family of issues - letting an attacker drive resource use disproportionate to their effort. The provided CPE data does not enumerate specific Windows or IIS versions; vendor advisory must be consulted for the exact affected component.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160 once the exact KB for your Windows/IIS build is identified; patch status is available per vendor advisory but a specific fix version is not included in the provided input. As compensating controls until patched, place affected endpoints behind an HTTP/2-aware reverse proxy or WAF (e.g., Azure Front Door, Cloudflare, or an updated nginx/Envoy) that enforces per-connection stream limits and frame-rate caps, or temporarily disable HTTP/2 on HTTP.sys via the registry 'EnableHttp2Tls' / 'EnableHttp2Cleartext' DWORDs set to 0 - note this forces clients back to HTTP/1.1 with measurable latency and throughput regressions for modern browsers and gRPC workloads. Additionally, apply network-layer rate limiting and connection caps at the load balancer to blunt floods, accepting that legitimate high-concurrency clients may be throttled.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35588
GHSA-g6wq-v77v-v58c