Severity: HIGH | CVE-2026-49160 | CNA: microsoft

CVE-2026-49160: HTTP.sys Denial of Service Vulnerability

Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 10.0.14393.9234
  • Affected Products: 16


HarborGuard Analysis

Synopsis

Uncontrolled resource consumption in HTTP.sys, the Windows kernel-mode HTTP request handler, allows a remote unauthenticated attacker to exhaust server resources by sending crafted HTTP/2 traffic over a network connection. No authentication or user interaction is required; the attacker only needs to reach the exposed HTTP/2 service. Successful exploitation crashes or freezes the HTTP.sys request pipeline, denying service to all applications hosted on the affected Windows system. Patched-image rebuilds at the applicable fix versions are available on HarborGuard for environments running an affected Windows version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Windows-based container images that bundle affected HTTP.sys versions.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting the result against each environment's compliance policy to determine urgency and routing, surfacing findings to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at the applicable fix versions (10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, 10.0.19045.7417, 10.0.20348.5256, and the corresponding Windows 11 builds) is available on HarborGuard for images running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target's HTTP/2 service over a network connection; no local access is needed, but the service must be reachable.

  • Authentication: Not required

    No credentials or account of any privilege level are required; the attack works anonymously.

  • Victim interaction: Not required

    No action by a logged-in user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required, making repeated attempts straightforward.

Blast Radius

  • Crashes or stalls the HTTP.sys request pipeline, taking down all HTTP/HTTPS applications hosted on the affected Windows system.
  • Disrupts any service that relies on HTTP.sys for request handling, including IIS-hosted APIs and Windows container workloads exposing HTTP/2 endpoints.
  • No confidentiality or data-integrity impact: the attacker cannot read or modify stored data, only force a service outage.

How HarborGuard Handles This

Available on HarborGuard: detection matches this CVE against Windows-based container images in customer registries and pipelines within minutes of ingestion, covering both images pulled from public sources and internally built images. For environments with affected HTTP.sys versions, patched rebuilds at the fix versions listed by Microsoft are available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes the configured regression tests, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard routes the finding to the designated team inbox with the CVSS 7.5 score, affected version ranges, and fix version targets attached for manual action.


Fix available

  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C