CVE-2026-49160

HIGH

Microsoft Windows HTTP.sys HTTP/2 - Denial of Service

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49160. PoCs published by dhmosfunk.

AI-analyzed exploit summary This repository contains a functional Python script that exploits CVE-2026-49160, a denial-of-service vulnerability in HTTP.sys. The exploit sends a crafted HTTP/2 request with an excessive number of headers to trigger the vulnerability.

Description

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.

Exploits (1)

nomisec WORKING POC

by dhmosfunk · poc

https://github.com/dhmosfunk/CVE-2026-49160-HTTP.sys

View Code ZIP pw:eip

This repository contains a functional Python script that exploits CVE-2026-49160, a denial-of-service vulnerability in HTTP.sys. The exploit sends a crafted HTTP/2 request with an excessive number of headers to trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft HTTP.sys

No auth needed

Prerequisites: HTTP/2 support on the target server · Network connectivity to the target

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Jun 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

HTTP.sys Denial of Service Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160

Scores

CVSS v3 7.5

EPSS 0.0097

EPSS Percentile 57.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (27)

Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.9234

Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8880

Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7417

Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7417

Microsoft/Windows 11 version 23H2 10.0.22631.0 - 10.0.22631.7219

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8655

Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8655

Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.2269

Microsoft/Windows Server 2016 10.0.14393.0 - 10.0.14393.9234

Microsoft/Windows Server 2016 (Server Core installation) 10.0.14393.0 - 10.0.14393.9234

... and 17 more

Published Jun 09, 2026

Tracked Since Jun 09, 2026