CVE-2026-49787 in Windowsinfo

Summary

by MITRE • 07/14/2026

Allocation of resources without limits or throttling in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability represents a critical resource allocation flaw in the Windows HTTP.sys kernel driver that enables unauthorized denial of service attacks through unbounded memory consumption. The issue stems from insufficient input validation and resource management within the HTTP protocol stack, where the system fails to implement proper limits or throttling mechanisms when processing incoming network requests. This allows attackers to craft malicious HTTP requests that trigger excessive memory allocation without proper bounds checking, leading to system resource exhaustion and subsequent service unavailability.

The technical implementation involves the HTTP.sys driver's handling of specific HTTP request parameters that control buffer allocation and memory management during protocol processing. When the driver receives crafted requests containing oversized or malformed headers, it allocates memory resources without adequate validation of request sizes or processing limits. This behavior creates a condition where an attacker can repeatedly submit requests that consume increasing amounts of system memory, eventually exhausting available resources and causing the affected Windows system to become unresponsive or crash entirely.

From an operational perspective, this vulnerability presents significant risk to enterprise environments as it requires no authentication credentials to exploit, making it particularly dangerous in networked environments. The attack vector operates at the kernel level through the HTTP.sys driver, meaning that successful exploitation can compromise entire systems regardless of user privileges. Network-based attacks leveraging this vulnerability can be executed from remote locations, potentially affecting web servers, application servers, and any Windows system running HTTP services. The impact extends beyond simple service disruption to include potential system instability, data loss, and extended downtime that can severely impact business operations.

The vulnerability aligns with CWE-770, which addresses the allocation of resources without limits or throttling, and demonstrates characteristics consistent with ATT&CK technique T1499.004 for network denial of service attacks. Organizations implementing this vulnerable component face potential exposure through various attack surfaces including web applications, HTTP-based services, and any system running Windows HTTP services that has not been properly patched. The lack of authentication requirements means that adversaries can exploit this vulnerability at scale without requiring privileged access or specialized knowledge beyond basic network reconnaissance.

Mitigation strategies should focus on immediate patch deployment from Microsoft to address the underlying resource management flaws in HTTP.sys. Network segmentation and firewall rules can help limit exposure by restricting access to HTTP services, while implementing rate limiting and request size restrictions at network boundaries provides additional defense layers. System monitoring should be enhanced to detect unusual memory consumption patterns and potential exploitation attempts, with intrusion detection systems configured to identify malformed HTTP requests that could indicate attack activity. Regular security assessments and vulnerability scanning should include verification of HTTP.sys components and proper implementation of resource limits to prevent recurrence of similar issues.

Responsible

Microsoft

Reservation

06/01/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!