Microsoft disclosed CVE-2026-49160, an Important denial-of-service flaw in HTTP.sys that stems from uncontrolled resource consumption during HTTP/2 processing. The vulnerability can be triggered remotely by an unauthenticated attacker with no user interaction, allowing service disruption over the network, and Microsoft assigned it a CVSS 3.1 score of 7.5. The company said the issue had been publicly disclosed but had not been exploited at publication, while rating exploitation as more likely.
Microsoft said the fix is included in the June 2026 Windows security updates and introduced a new registry setting, MaxHeadersCount, to limit the number of headers accepted in HTTP/2 and HTTP/3 requests handled by the Windows HTTP server. According to Microsoft support guidance, administrators can configure the REG_DWORD value under HTTP service parameters after installing the update; the default is 200, with a minimum of 50 and a maximum of 65535, and a system restart is required for changes to take effect. Microsoft said the control is intended to reduce excessive memory use, high CPU consumption, and denial-of-service conditions, and noted that MaxRequestBytes may still impose a higher effective header limit in some cases.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-09, Microsoft published KB5102602 documenting the new MaxHeadersCount registry setting for limiting HTTP/2 and HTTP/3 headers accepted by HTTP.sys. Microsoft said the setting is available after installing Windows updates released on or after that date and is intended to reduce denial-of-service risk from excessive header processing.
On 2026-06-09, Microsoft disclosed CVE-2026-49160, an Important HTTP.sys denial-of-service vulnerability caused by uncontrolled resource consumption in HTTP/2. Microsoft said the issue was publicly disclosed but not exploited at publication time and advised installing the June 2026 Windows security updates.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcesupport.microsoft.com
Open sourcetheregister.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.