Microsoft released its July 2026 security updates on July 14, and among the dozens of fixes is a vulnerability that deserves immediate attention from anyone running a Windows web server. Tracked as CVE-2026-49787, the bug resides in HTTP.sys—the kernel driver that processes HTTP traffic for IIS and many other Windows services—and allows an unauthenticated remote attacker to bring down a server with little effort. No password, no user interaction, no complex exploit chain: just network access.

A Denial-of-Service Hole Deep Inside Windows

HTTP.sys is not just another component; it’s the first stop for virtually all HTTP and HTTPS traffic that hits a Windows machine. Before IIS worker processes, before application code, before authentication modules, requests land in this kernel-mode driver. That means a flaw in HTTP.sys isn’t limited to a specific website or app—it can affect any service that registers with the Windows HTTP stack, including web servers, APIs, management portals, and even some desktop applications that use HTTP for local communication.

CVE-2026-49787 stems from a classic resource exhaustion problem. Microsoft’s advisory describes it as “allocation of resources without limits or throttling” (CWE-770). An attacker can send specially crafted HTTP requests that cause HTTP.sys to consume an escalating amount of system resources—memory, CPU, or kernel objects—until the machine becomes unresponsive or crashes. The vulnerability carries a CVSS 3.1 score of 7.5 (High), with an attack vector of “network,” low complexity, no privileges required, and no user interaction. The only impact is on availability, with no confidentiality or integrity loss. So an attacker can’t steal data or run code, but they can knock your server offline repeatedly.

As of July 14, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had not seen any active exploitation, but it noted that the attack is fully automatable. That means it won’t stay theoretical for long. Proof-of-concept code often follows within days or weeks of a patch, and because the flaw doesn’t require any special conditions, it’s likely to be built into automated scanning tools quickly.

Every Supported Windows Version Needs a Patch

The list of affected products is extensive. Microsoft patched the flaw across all currently supported Windows client and server releases, stretching back to Windows 10 version 1607 (the original Long-Term Servicing Branch release) and Windows Server 2016. Even the latest Windows 11 26H1 is included. The table below maps out the key update packages and the build numbers you should see after installing them.

Windows Version Affected Below Build Fixed Build Required Update
Windows 10 1607 / Server 2016 14393.9339 14393.9339 July cumulative
Windows 10 1809 / Server 2019 17763.9020 17763.9020 KB5099538
Windows 10 21H2 19044.7548 19044.7548 July cumulative
Windows 10 22H2 19045.7548 19045.7548 July cumulative
Windows 11 24H2 26100.8875 26100.8875 KB5101650
Windows 11 25H2 26200.8875 26200.8875 KB5101650
Windows 11 26H1 28000.2269* 28000.2525** KB5101649
Windows Server 2022 20348.5386 20348.5386 KB5099540
Windows Server 2025 26100.33158 26100.33158 July cumulative
  • The June 9 update (KB5095051) originally fixed the issue in 26H1 at build 28000.2269, but the July update brings that to a higher build.
    ** The recommended build for 26H1 after July 14 is 28000.2525.

The fix is delivered via the usual cumulative update mechanism. Microsoft is not offering a standalone patch, so you must install the full monthly rollup. For servers, that includes both the Full and Server Core installations—Server Core is not immune just because it lacks a GUI. If a service on Server Core uses HTTP.sys, it’s vulnerable.

Who Needs to Worry?

IT administrators running IIS or any HTTP-server application on Windows should treat this as a high-priority patch. That includes public websites, internal intranets, API gateways, Exchange servers (which use HTTP for client connectivity), and even Windows Admin Center. If a system accepts HTTP connections from a network, an attacker might be able to trigger the resource exhaustion.

Developers who self-host web services on Windows using frameworks like ASP.NET Core should pay special attention. Many developers use the UseHttpSys() extension method to run directly on top of HTTP.sys for performance or for features like Windows Authentication and port sharing. Those services are directly exploitable until the host is patched. If you build Windows containers, the base images must be updated too—pull the latest Windows Server Core or Nano Server images from Microsoft’s container registry and rebuild your applications.

Home users are less exposed because few consumer PCs run Internet-facing web servers. However, Windows 11 still contains HTTP.sys (it’s part of the OS), and a malicious script or a compromised IoT device on your home network could theoretically exploit the flaw. More importantly, cumulative updates include other security fixes, so you should install them anyway. The KB5101650 update for Windows 11 24H2 and 25H2 includes the HTTP.sys fix plus other improvements and fixes.

How We Got Here: HTTP.sys Has a History

HTTP.sys was introduced with Windows Server 2003 and IIS 6.0 as a kernel-mode driver to improve performance over the user-mode solutions of the past. Over the years, it has been the source of some significant vulnerabilities. Most famously, in April 2015, Microsoft patched CVE-2015-1635 (MS15-034), a remote code execution bug in HTTP.sys that could be triggered by sending a malformed Range header. That flaw was exploited in the wild and forced many organizations to scramble.

This latest vulnerability, CVE-2026-49787, is less severe—no code execution—but it shares the same attack surface. The fact that it’s a DoS rather than an RCE may lead some to de-prioritize it. That would be a mistake. Denial-of-service attacks can be just as disruptive, and when they affect critical infrastructure like authentication servers or management consoles, they can cascade into larger incidents. Moreover, because the attack can be repeated, a persistent attacker could keep a service offline almost indefinitely. The HTTP.sys driver is also used by Windows Remote Management (WinRM), so an exposed management interface could become a target.

What to Do Now: Patching and Verification

1. Identify Exposed Systems

Start by listing all Windows machines that accept HTTP or HTTPS connections from the network. That’s not limited to IIS web servers; use netsh http show servicestate from an elevated command prompt to see all registered URL prefixes and listeners. Also check for custom applications that might call the HTTP Server API. Remember, load balancers and reverse proxies may hide direct exposure, but they don’t eliminate the vulnerability unless they can block the specific exploit—and since the details aren’t public yet, you can’t assume they will.

2. Deploy the July 14 Cumulative Updates

The updates were released automatically through Windows Update and WSUS. Check your management console to ensure they are approved. For manual downloads, visit the Microsoft Update Catalog and search for the KB numbers above. The updates are cumulative, so installing them also fixes other non-security issues.

3. Verify the Build Number

After installation and reboot, confirm the build number matches the fixed build in the table. Don’t rely on the “update installed” status in Windows Update; use winver or Get-ComputerInfo | Select WindowsVersion, OsBuildNumber in PowerShell. The IIS version number will not change and is irrelevant for this vulnerability.

4. Stage Your Rollout Carefully

A few known issues accompany these updates. On Windows Server 2022, a small number of machines configured with a non-recommended BitLocker PCR7 policy (usually via Group Policy) may prompt for the recovery key after the update restarts. Microsoft advises not to touch that setting unless you’re sure, but if you have it, be prepared with your BitLocker recovery keys.

Additionally, the update introduces hardening for the Transport Driver Interface (TDI). If you use third-party transport drivers that have not been updated to the latest standards, some socket operations may fail. This mainly affects very old software that relies on legacy TDI filters (like ancient firewall or VPN clients). Test these on a representative set of machines before deploying broadly.

5. Monitor for Unusual Activity

Once patched, watch for any spikes in CPU or memory usage that might indicate an attempted exploit before you patched, or a new variant that bypasses the fix. Windows event logs may show clues; look for frequent service restarts or HTTP.sys-related errors.

Outlook: The Clock Is Ticking

As of July 14, CISA’s exploitation assessment was “none,” but that’s a snapshot, not a guarantee. The vulnerability is automatable, meaning that within weeks—perhaps days—we’ll likely see proof-of-concept code circulating. That will quickly be integrated into exploit frameworks and scanning tools. Organizations that delay patching risk falling victim to a simple, weaponized DoS attack that requires no authentication.

Microsoft has not indicated whether HTTP.sys will receive a more thorough architectural overhaul to reduce its attack surface. For now, the cycle continues: a new vulnerability appears, patches are released, and administrators race to deploy them. The July 2026 updates are that race. The finish line is a build number; get your systems past it.