CVE-2026-49160
HTTP.sys Denial of Service Vulnerability
Description
Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
In plain language
AI Act nowThis Windows HTTP/2 flaw lets attackers cause a remote crash or slowdown (denial of service) without logins, so you should act quickly if your business systems use Windows’ web services or any exposed network services.
CVE-2026-49160 is a remote denial-of-service in HTTP.sys/HTTP/2 caused by uncontrolled resource consumption; it can be triggered without authentication over the network, and Microsoft reported real-world exploitation in its June 2026 Patch Tuesday notes.
What to do now
- Check which affected Windows versions and builds you run (including Windows 10/11 and Windows Server 2016/2019/2022/2025).
- Verify your current installed update build number for HTTP.sys fixes (or review your patch history for June 2026 Patch Tuesday / Microsoft’s update guidance).
- Upgrade/patch to the fixed versions: Windows 10: 10.0.14393.9234 or 10.0.17763.8880 or 10.0.19044.7417 or 10.0.19045.7417; Windows 11: 10.0.22631.7219 or 10.0.26100.8655 or 10.0.26200.8655 or 10.0.28000.2269; Windows Server 2016: 10.0.14393.9234; Windows Server 2019: 10.0.17763.8880; Windows Server 2022: 10.0.20348.5256; Windows Server 2025: 10.0.26100.32995.
- If you cannot patch immediately, reduce exposure by limiting which systems can receive external network traffic (especially any HTTP/2-enabled endpoints) until updates are applied.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:NConfidentialityI:NIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Microsoft исправила более 200 уязвимостей и шесть 0-day в своих продуктахru-ru·Хакер (xakep.ru)· Source-only·
- Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugsen·The Hacker News· Summary only·
- Microsoft Patch Tuesday Fixes Address Critical Zero-Day Flawsen-us·Daily CyberSecurity (securityonline.info)· Summary only·
- A Record-Breaking Patch Tuesday for June 2026en-us·Krebs on Security· Source-only·
- Blame AI: Patch Tuesday Hits Record 206 CVEsen·Dark Reading· Source-only·
- Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Rapid7en·Rapid7 Blog·
- Microsoft and Adobe Patch Tuesday, June 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patches 200 Vulnerabilitiesen-us·SecurityWeek· Summary only·
- Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flawsen-us·BleepingComputer· Summary only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-49160 and every CVE in our database. Create a free account — no credit card required.
Create Free Account