CVE-2026-49160 – HTTP.sys Denial of Service Vulnerability

An uncontrolled resource consumption vulnerability in HTTP.sys could allow an unauthenticated attacker to cause a denial of service over the network. The issue affects HTTP/2 handling and can impact system availability without requiring privileges or user interaction. While the vulnerability does not expose data or allow code execution, it can disrupt services that depend on affected Windows systems.

CVSS Score: 7.5
SEVERITY: Important
THREAT:
This vulnerability threatens service availability. An attacker could send network-based traffic that causes excessive resource consumption in HTTP.sys, potentially making affected systems or hosted services unavailable.

EXPLOITS:
Microsoft reports the vulnerability as publicly disclosed: Yes and exploited: No. Exploit Code Maturity is listed as Unproven, meaning no confirmed working exploit code is identified in the provided data. Microsoft also rates exploitation as more likely.

TECHNICAL SUMMARY:
The vulnerability is categorized as CWE-400: Uncontrolled Resource Consumption. HTTP.sys, the Windows HTTP protocol stack, improperly handles certain HTTP/2 activity in a way that can consume excessive system resources. Because the attack vector is network-based, requires low complexity, and needs no authentication, exposed systems could be targeted remotely to interrupt availability.

EXPLOITABILITY:
Affected software includes Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025. Exploitation can occur over the network with no privileges and no user interaction.

BUSINESS IMPACT:
Successful exploitation could disrupt web services, internal applications, APIs, and business systems that rely on affected Windows HTTP services. Outages may lead to downtime, failed transactions, loss of productivity, customer impact, and increased operational response costs.

WORKAROUND:
Microsoft lists no mitigations and no workarounds. The official fix should be applied.

URGENCY:
This patch should be prioritized because exploitation is rated more likely, the vulnerability is network-accessible, and no authentication is required. Even without confirmed active exploitation, denial-of-service risk can quickly become a real business disruption for internet-facing or high-availability systems.