Skip to main content
Mallory
Back to vulnerabilities
High

HTTP.sys HTTP/2 Bomb Denial of Service

IdentifiersCVE-2026-49160CWE-400· Uncontrolled Resource Consumption

CVE-2026-49160 is a denial-of-service vulnerability in the Windows HTTP Protocol Stack (HTTP.sys) caused by uncontrolled resource consumption in HTTP/2. Public reporting describes the issue as tied to the "HTTP/2 Bomb" technique, which abuses HTTP/2 header compression and large numbers of tiny messages/headers to force rapid memory allocation by the server until the service becomes unstable or crashes. Microsoft characterizes the flaw as an unauthorized network-reachable DoS in HTTP.sys with no required privileges or user interaction.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to exhaust resources in HTTP.sys and deny service to affected systems. The documented security impact is high availability loss only; there is no stated confidentiality or integrity impact. In practice, affected HTTP.sys-backed services may become unresponsive or crash, interrupting web-facing or dependent Windows services reachable over the network.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting or filtering untrusted access to HTTP.sys-exposed services and, where supported by the June 2026 update, configure the MaxHeadersCount registry setting to constrain the number of headers accepted in HTTP/2 and HTTP/3 requests. Prioritize internet-exposed systems using HTTP.sys and monitor for abnormal spikes in HTTP/2 request/header activity consistent with resource-exhaustion attempts.

Remediation

Patch, then assume compromise.

Apply the June 2026 Windows security updates from Microsoft for affected Windows systems. Microsoft states these updates enable protections for CVE-2026-49160 and introduce a new MaxHeadersCount registry setting to limit the number of headers accepted in HTTP/2 and HTTP/3 requests by the HTTP server. Microsoft references KB5102602 for implementation details.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

16 SOURCESView more in app
security online infoNews
Jun 10, 2026
Microsoft Patch Tuesday Fixes for Zero Day Vulnerabilities

An uncontrolled resource consumption vulnerability in HTTP.sys that allows unauthenticated remote denial of service over public networks.

Read more
security affairsNews
Jun 9, 2026
Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs

A denial-of-service vulnerability in HTTP.sys associated with the HTTP/2 Bomb technique.

Read more
malware newsNews
Jun 9, 2026
Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities - Malware News - Malware Analysis, News and Indicators

A denial of service vulnerability in Windows HTTP Protocol Stack (http.sys).

Read more
cyberscoopNews
Jun 9, 2026
Microsoft breaks Patch Tuesday record with 206 vulnerabilities | CyberScoop

A publicly known Microsoft vulnerability disclosed in this Patch Tuesday release; Microsoft said it was not yet exploited in the wild at time of release.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-49160
NVD
nvd.nist.gov/vuln/detail/CVE-2026-49160
MITRE CWE · CWE-400
Uncontrolled Resource Consumption
msrc.microsoft.com
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160