CVE-2026-49160 (HTTP/2 Bomb): the zero-day that takes down HTTP.sys with a few bytes

Microsoft’s June 2026 Patch Tuesday fixed a publicly disclosed zero-day nicknamed “HTTP/2 Bomb”. Tracked as CVE-2026-49160, the flaw sits in the HTTP/2 implementation inside HTTP.sys, the kernel-mode driver that handles HTTP requests on Windows. It carries a CVSS 7.5 score and is rated high severity.

What it is and how it works

This is an uncontrolled resource consumption issue (CWE-400). A remote attacker, with no authentication and no user interaction, can send very small amounts of data over the network and force the server to allocate disproportionately large amounts of memory. The asymmetry is the danger: cheap for the attacker, expensive for the server. Once that memory is exhausted or the service stops responding, you have denial of service.

The CVSS 3.1 vector says it plainly: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Network attack, low complexity, no privileges, no user click, and the only impact is on availability. Nothing is stolen or modified, but the service goes down.

HTTP.sys sits at the core of many Windows services. This isn’t only about IIS: any component that relies on the system HTTP stack is exposed. A flaw here has a wide blast radius, especially on internet-facing servers.

Who is affected

Per Microsoft’s advisory and the NVD entry, the issue reaches a broad set of versions: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1) on x86, x64 and ARM64, and Windows Server 2016 and later. Web and application servers that expose HTTP/2 to the network are the realistic target, since the attack can be launched remotely and repeated at will.

Don’t confuse this CVE with CVE-2026-49975, another “HTTP/2 Bomb” from the same month that affects several servers (Apache httpd, nginx, IIS, Envoy, Pingora) by combining HPACK compression with HTTP/2 flow control. Same idea and nickname, separate entries with separate patches.

Severity and mitigation

Being a publicly disclosed zero-day raises the urgency: the details were circulating before every system was patched, so defenders have less time before someone reproduces the attack. Impact is limited to availability, so the worst case is a downed service rather than a breach. For a production server, that’s still reason to move fast.

The fix is straightforward: apply the June 2026 updates through Windows Update or WSUS, and bring each machine to the minimum patched build that Microsoft’s advisory lists for its version. If you run servers with HTTP/2 exposed and can’t patch right away, consider limiting exposure of those endpoints while you roll out the update.
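As an added example (not code from the article or from Microsoft), a PowerShell triage script for the two steps above: compare the machine's build to the minimum patched build from the advisory, and report or switch off HTTP/2 in HTTP.sys as the interim exposure limit. The builds in $MinPatchedBuild are placeholders to be filled from Microsoft's advisory; the EnableHttp2Tls and EnableHttp2Cleartext values are Microsoft's documented HTTP.sys switches and are assumed here, not taken from the article.

```powershell
# Added triage helper for CVE-2026-49160; not from the article or Microsoft.
# The minimum patched builds below are PLACEHOLDERS: replace them with the
# per-version builds listed in Microsoft's June 2026 advisory before use.
$MinPatchedBuild = @{
    '22H2' = [version]'19045.0'   # PLACEHOLDER, Windows 10 22H2
    '24H2' = [version]'26100.0'   # PLACEHOLDER, Windows 11 24H2
}
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-WindowsBuildInfo {
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Older builds (1607, 1809) carry ReleaseId instead of DisplayVersion.
    $ver = if ($nt.DisplayVersion) { $nt.DisplayVersion } else { $nt.ReleaseId }
    [pscustomobject]@{
        Version = $ver
        Build   = [version]('{0}.{1}' -f $nt.CurrentBuildNumber, $nt.UBR)
    }
}

function Test-HttpSysPatched {
    $info = Get-WindowsBuildInfo
    $min  = if ($info.Version) { $MinPatchedBuild[$info.Version] }
    if (-not $min) { return "UNKNOWN: no minimum build recorded for $($info.Version)" }
    if ($info.Build -ge $min) { "PATCHED: build $($info.Build) >= $min" }
    else { "VULNERABLE: build $($info.Build) < $min, apply the June 2026 update" }
}

function Get-HttpSysHttp2State {
    # HTTP.sys honours these DWORDs; a missing value means HTTP/2 is on (default).
    $p = Get-ItemProperty $HttpParams -ErrorAction SilentlyContinue
    $state = { param($v) if ($null -eq $v) { 'enabled (default)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' } }
    [pscustomobject]@{
        Http2OverTls   = & $state $p.EnableHttp2Tls
        Http2Cleartext = & $state $p.EnableHttp2Cleartext
    }
}

function Disable-HttpSysHttp2 {
    # Interim exposure reduction while the update rolls out. Needs an elevated
    # shell and a reboot; clients fall back to HTTP/1.1 until re-enabled.
    if (-not (Test-Path $HttpParams)) { New-Item $HttpParams -Force | Out-Null }
    Set-ItemProperty -Path $HttpParams -Name EnableHttp2Tls       -Value 0 -Type DWord
    Set-ItemProperty -Path $HttpParams -Name EnableHttp2Cleartext -Value 0 -Type DWord
    Write-Host 'HTTP/2 disabled in HTTP.sys; reboot for the change to take effect.'
}

Test-HttpSysPatched
Get-HttpSysHttp2State
```

Run the two report functions on each internet-facing host first; call Disable-HttpSysHttp2 only on hosts that cannot take the update immediately, and revert it once they are patched.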

This zero-day was part of the record-breaking June 2026 Patch Tuesday, which fixed close to 200 CVEs.
