Microsoft rolled out its June 2026 Patch Tuesday updates with a critical fix for a denial-of-service vulnerability in Windows HTTP Protocol Stack (HTTP.sys), tracked as CVE-2026-49160. The flaw, disclosed on June 9, could allow an unauthenticated attacker to remotely crash a target server using specially crafted HTTP requests. Public disclosure details have already circulated, raising the urgency for organizations running Windows web workloads.

Security teams face a tight window. The vulnerability resides in the kernel-mode driver that handles HTTP traffic for countless Windows services, including Internet Information Services (IIS), Windows Communication Foundation (WCF), and the WebDAV redirector. With no user interaction required and a low attack complexity, the flaw scored high on the Common Vulnerability Scoring System (CVSS), though Microsoft withheld the exact number pending further analysis.

The Vulnerability Breakdown

CVE-2026-49160 is a Use-After-Free (UAF) bug within HTTP.sys’s request parsing logic. An attacker can send a malformed HTTP/2 or HTTP/1.1 request that triggers memory corruption, leading to a system crash and, in some cases, arbitrary code execution under elevated privileges. The attack vector is the network stack, meaning a single malicious packet can knock an unpatched server offline.

Microsoft’s advisory confirms public disclosure but notes no evidence of active exploitation or proof-of-concept code. However, the combination of a publicly known flaw and a patch creates a dangerous gap. Reverse engineering the fix could yield exploit details in days, if not hours.

The language in the advisory is terse: “A denial of service vulnerability exists in the Windows HTTP Protocol Stack (HTTP.sys) when it improperly handles objects in memory. An attacker who successfully exploited this vulnerability could cause a target system to stop responding.” This echoes the description of CVE-2015-1635, the infamous MS15-034 bug that let attackers execute remote code on millions of IIS servers.

HTTP.sys Under the Microscope

HTTP.sys is a kernel-mode device driver included in all modern Windows editions. It listens for HTTP requests and passes them to user-mode applications. Because it runs in the kernel, any bug can have system-wide consequences. A crash in HTTP.sys triggers a Blue Screen of Death (BSOD) on client SKUs or a halt on Server Core installations.

The driver supports HTTP/1.x, HTTP/2, and HTTP/3 over QUIC. It manages request queuing, authentication, SSL/TLS termination, and response caching. This broad feature set expands the attack surface. CVE-2026-49160 potentially affects all supported Windows Server and client versions, including:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 (Extended Security Updates only)
  • Windows 11 (all editions)
  • Windows 10 (versions 22H2 and Enterprise LTSC)

The bug is exploitable only if HTTP.sys is actively listening. That occurs when IIS is installed, the Web Management Service (WMSvc) runs, or certain .NET applications self-host via HTTP.sys. Even systems not configured as web servers can be vulnerable if they run applications that use Windows Communication Foundation or the WebDAV redirector.

A History of HTTP.sys Vulnerabilities

HTTP.sys has a checkered security history. The most notorious was CVE-2015-1635 (MS15-034), a remote code execution bug that allowed attackers to take full control of a server by sending a crafted HTTP request. That flaw, patched in April 2015, was wormable and drew comparisons to the SQL Slammer worm. Exploit code appeared within 24 hours of the patch release.

In 2021, CVE-2021-31166 exposed another HTTP.sys UAF vulnerability that could lead to remote code execution. It carried a CVSS score of 9.8 and affected Windows 10 and Windows Server versions. Again, exploit code surfaced quickly.

CVE-2026-49160 follows a similar pattern. It is the fourth HTTP.sys critical vulnerability in six years. The recurrence suggests that the driver’s codebase, much of which dates back to Windows Vista, remains difficult to secure despite Microsoft’s investments in memory safety and fuzzing.

The Patch Tuesday Fix

The June 2026 Patch Tuesday bundle includes KB articles for each affected OS. The updates address the UAF by improving how HTTP.sys handles memory objects during request processing. Microsoft rated the severity as Important for all affected editions, though many security experts argue that DoS flaws against core web infrastructure should be rated Critical.

Deploying the patch requires a reboot. For IIS servers, a rolling restart of application pools is sufficient if downtime must be minimized. Organizations can pull updates via Windows Update, Windows Server Update Services (WSUS), or the Microsoft Update Catalog. The specific KB numbers vary by platform:

  • Windows Server 2025: KB5039212
  • Windows Server 2022: KB5039211
  • Windows Server 2019: KB5039210
  • Windows Server 2016: KB5039209
  • Windows 11, version 23H2: KB5039208
  • Windows 10, version 22H2: KB5039207

Microsoft also released an out-of-band advisory for systems that cannot immediately apply the patch, offering a workaround via URL rewrite rules and firewall configuration.

Mitigation and Workarounds

If patching is delayed, administrators can reduce risk through several layers. First, block unnecessary HTTP traffic at the network perimeter using firewalls or Web Application Firewalls (WAFs). Second, disable HTTP/2 support via registry key on servers that do not require it; set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls to 0 and EnableHttp2Cleartext to 0. Third, restrict access to management URLs (like /actuator/ or /api/v1/) that may be exposed by applications self-hosted on HTTP.sys.

For IIS, apply URL Rewrite rules to block requests containing suspicious patterns. While no specific indicators of compromise are public, generic request filtering rules that reject unusually long headers, null bytes, or malformed HTTP/2 frames can help. Tools like Microsoft’s own WAF policies in Azure Front Door or Application Gateway can layer additional protection.

A more drastic mitigation is to unbind HTTP.sys from port 80/443 on non-web servers. Use netsh http delete urlacl to remove URL prefixes, and stop the HTTP service if not needed. However, this may break WCF or other components.

What’s at Stake?

A denial-of-service attack against HTTP.sys can cripple business operations. E-commerce platforms, SaaS applications, and internal line-of-business tools all depend on web servers. Even a brief outage can cost thousands of dollars per minute. For government and healthcare sectors, availability is a life-or-death metric.

Moreover, DoS attacks are often smoke screens for more sophisticated intrusions. An attacker might crash a server to distract security teams while exfiltrating data or planting ransomware. CVE-2026-49160’s exploitation could be a force multiplier for advanced persistent threat groups.

The public disclosure element intensifies the risk. Details about the vulnerability appeared on a Chinese-language security forum hours after the Patch Tuesday release. This shortens the time defenders have before exploit code becomes widely available. The 2021 HTTP.sys bug saw a proof-of-concept exploit emerge within 36 hours of the patch.

The Bigger Picture: Windows Web Stack Security

HTTP.sys is a foundational component, yet its market share is shrinking. Many organizations have moved web workloads to Linux-based platforms or cloud-native services. However, Windows remains dominant in enterprise on-premises environments. A significant fraction of Fortune 500 companies still run IIS for legacy .NET applications, SharePoint, and Active Directory Federation Services.

Microsoft has invested in sandboxing HTTP.sys in more recent OS versions. Windows Server 2025 introduced optional kernel isolation for the HTTP driver, but adoption is low because it breaks compatibility with some third-party kernel modules. The long-term strategy is to move HTTP processing into user mode via the HTTP Server API version 2.0, but that transition has been slow.

Security researchers warn that attackers are increasingly targeting intermediate drivers rather than user-mode applications. Kernel-mode exploits bypass many endpoint detection and response (EDR) tools that focus on user-mode hooks. A reliable HTTP.sys exploit could therefore become a popular tool for both criminals and nation-state actors.

Immediate Action

Patch now. The June 2026 updates are the only complete fix. For organizations with rigid change control windows, escalate the severity of CVE-2026-49160 to get an emergency change approved. Test the updates on a representative subset of servers if possible, but deploy even if only limited testing is feasible.

Monitor Microsoft’s Threat Intelligence feeds for any indication of active exploitation. If your environment uses an intrusion detection system, add signatures for malicious HTTP/2 requests. Vendors like Snort, Suricata, and commercial WAFs will likely publish rules within hours.

Finally, reconsider your overall web stack strategy. If you can move workload from HTTP.sys to an alternative like Kestrel (the ASP.NET Core web server) behind a reverse proxy, you reduce the attack surface. Kestrel runs entirely in user mode, limiting the blast radius of memory corruption bugs.

For the rest of the Windows ecosystem, CVE-2026-49160 is a stark reminder that even mature components harbor exploitable flaws. The Patch Tuesday cycle remains the first line of defense, and skipping even one month can invite disaster. Apply the update, restart your servers, and verify the patch installation. Then breathe—until the next second Tuesday arrives.