HIGH 7.5

CVE-2026-49160: HTTP/2 Resource Exhaustion DoS in Windows 10 & 11

A flaw in how Windows handles HTTP/2 network traffic allows an attacker to overwhelm and crash services by sending specially crafted requests that consume excessive system resources. The attacker does not need credentials or user interaction; they can trigger the problem remotely across a network. This is a denial-of-service vulnerability affecting multiple versions of Windows 10, Windows 11, and Windows Server products.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
22 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49160 is an uncontrolled resource consumption vulnerability (CWE-400) in Windows HTTP/2 implementation. The flaw allows an unauthenticated remote attacker to exhaust memory, CPU, or connection resources by sending malformed or high-volume HTTP/2 frames, causing targeted services to become unavailable. The vulnerability requires no user interaction and is exploitable over the network by any actor with network access to an affected system running HTTP/2-enabled services. The CVSS 3.1 score of 7.5 (HIGH severity) reflects high availability impact with low attack complexity.

Business impact

Affected organizations face potential service disruptions when HTTP/2-enabled applications or services on Windows infrastructure are targeted. This includes web servers, reverse proxies, API gateways, and other networked services leveraging HTTP/2. Organizations operating customer-facing or mission-critical systems on affected Windows versions risk extended downtime, degraded user experience, and operational disruption until mitigation is applied. The broad product footprint (Windows 10, 11, Server 2016–2025) suggests wide exposure across diverse enterprise environments.

Affected systems

The vulnerability affects Windows 10 (builds 1607, 1809, 21H2, 22H2), Windows 11 (builds 23H2, 24H2, 25H2, 26H1), Windows Server 2016, 2019, 2022, and 2025. Any system running one of these versions and hosting or proxying HTTP/2 traffic is potentially vulnerable. Systems limited to HTTP/1.1 or with HTTP/2 explicitly disabled are not affected. Organizations should audit their infrastructure to identify which systems handle HTTP/2 and prioritize patching accordingly.

Exploitability

Exploitation requires only network access and no authentication or special privileges. An attacker can craft HTTP/2 requests from outside the network perimeter to trigger resource exhaustion. The attack is straightforward to execute and does not depend on user interaction or timing-sensitive conditions, making it a practical threat. However, exploitation is visible in network traffic and resource logs, potentially enabling detection if monitoring is in place. No evidence of active exploitation in the wild has been reported as of the vulnerability's publication date (KEV status: not listed).

Remediation

Organizations must apply security updates from Microsoft addressing this vulnerability across affected platforms. Patching should prioritize systems that expose HTTP/2 services to untrusted networks or handle critical workloads. Where immediate patching is not feasible, temporary mitigations include disabling HTTP/2 support (reverting to HTTP/1.1), rate-limiting HTTP/2 connections at perimeter firewalls, and restricting network access to HTTP/2 services. Verify patch applicability against the vendor advisory before deployment.

Patch guidance

Microsoft has released security updates for the affected Windows versions. Organizations should obtain patches through Windows Update, Microsoft Update, or the Microsoft Security Update Guide. Prioritize patching Windows Server systems handling production HTTP/2 workloads, followed by Windows 11 and Windows 10 systems in similar roles. Test patches in a controlled environment before broad deployment to ensure compatibility with critical applications. Verify patch completion by confirming updated KB article numbers and re-scanning systems with vulnerability assessment tools.

Detection guidance

Monitor for indicators of HTTP/2 resource exhaustion attacks through network traffic analysis and endpoint logging. Indicators include: sudden spikes in HTTP/2 connection counts, excessive memory or CPU usage by HTTP/2 services, a high volume of HTTP/2 frames from single sources, and service restart logs corresponding to resource saturation. Deploy network intrusion detection rules that flag malformed HTTP/2 frames or unusual connection patterns. Endpoint Detection and Response (EDR) tools should alert on abnormal resource consumption by network services. Log aggregation from affected services can surface suspicious patterns before impact occurs.

Why prioritize this

Although not yet exploited in the wild (not on KEV), this vulnerability warrants near-term priority due to its HIGH severity, low attack complexity, and broad product footprint. The ease of exploitation, combined with potential service disruption to production environments, justifies rapid patching cycles. Organizations hosting public-facing HTTP/2 services should treat this as more urgent than less exposed systems. The prevalence of Windows in enterprise infrastructure means the aggregate risk is substantial.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a high-impact denial-of-service vulnerability with minimal attack barriers. Network accessibility (AV:N), low attack complexity (AC:L), and absence of privilege or user interaction requirements (PR:N, UI:N) result in high exploitability. The impact is limited to availability (A:H) with no confidentiality or integrity compromise, which prevents a critical rating. The broad affected product range and prevalence of HTTP/2 in modern infrastructure elevate operational risk beyond the base score.

Frequently asked questions

Does this vulnerability require the attacker to be authenticated or on the local network?

No. The vulnerability is remotely exploitable by any unauthenticated attacker with network access to an HTTP/2-enabled service. No credentials, special privileges, or local access are required.

What if my organization does not use HTTP/2?

If your Windows systems are configured to use only HTTP/1.1 or have HTTP/2 explicitly disabled, they are not vulnerable to this particular flaw. Verify your HTTP/2 configuration in web server and application settings. However, some services enable HTTP/2 by default, so explicit audit is recommended.

Is there active exploit code or in-the-wild attacks for this vulnerability?

As of the published date, the vulnerability has not been added to the Known Exploited Vulnerabilities (KEV) catalog and no public evidence of active exploitation exists. However, the low barrier to exploitation means threat actors will likely develop and test attacks once patches are available, making early patching important.

What is the practical impact of this vulnerability on end-users?

End-users may experience service outages, slow response times, or unavailability of web applications, APIs, and cloud services hosted on affected Windows infrastructure. Organizations relying on such services will see degraded or blocked access during an attack. The impact is not to individual data security but to service continuity.

This analysis is provided for informational purposes and is current as of the vulnerability's publication date (June 2026). Security advisories and patches may be updated by vendors; organizations should verify patch versions and applicability against official Microsoft advisories before deployment. SEC.co makes no warranties regarding the completeness or accuracy of third-party patch information. Organizations must conduct their own risk assessments and testing in controlled environments. No exploit code or weaponized proof-of-concept is provided herein. This vulnerability analysis does not constitute security audit or compliance advice specific to any individual organization. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).