A remotely exploitable denial-of-service vulnerability in the Windows HTTP/2 protocol stack received an emergency fix on July 14, 2026, as part of Microsoft’s monthly security update. The flaw, tracked as CVE-2026-49788, allows an unauthenticated attacker to crash a Windows server by sending specially crafted network traffic, with no user interaction required. With a CVSS score of 7.5 and an attack complexity rated as low, any internet-facing Windows machine running an HTTP/2 service is at immediate risk.

The Vulnerability at a Glance

CVE-2026-49788 is an uncontrolled resource-allocation bug—classified under CWE-770—in the way Windows handles HTTP/2 connections. According to Microsoft’s advisory, an attacker can flood the system with traffic that causes the HTTP/2 implementation to consume resources without limits or throttling, eventually rendering the service unresponsive. The vulnerability resides in the core networking libraries, meaning it affects both client and server editions, including Server Core installations.

The CVSS 3.1 vector string—AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H—paints a grim picture. A remote attacker can navigate low-complexity attack conditions without needing any credentials or tricking a user. The impact is confined entirely to availability, but Microsoft rates that impact as high. This means the targeted service can lose its ability to respond normally as resources are exhausted. No data is stolen, no code is executed; the goal is pure disruption.

Who Is at Risk?

Every supported release of Windows receives the fix, from Windows 10 to the latest Windows 11 and across all current Windows Server generations. The following table outlines the minimum OS builds that contain the patch:

Windows Version KB Article Fixed Build
Windows 11 24H2 KB5101650 26100.8875
Windows 11 25H2 KB5101650 26200.8875
Windows 11 26H1 applicable serviced build
Windows 10 21H2/22H2 (LTSC/ESU) KB5099539 19044.7548 / 19045.7548
Windows Server 2016 KB5099535 14393.9339
Windows Server 2019 KB5099538 17763.9020
Windows Server 2022 KB5099540 20348.5386
Windows Server 2025 KB5099536 26100.33158

The patches are cumulative, so installing the latest monthly rollup is sufficient. Microsoft confirmed that no exploit code was publicly available when the updates shipped, and there is no evidence of active exploitation—yet.

For Windows 10 users, the fix applies only to systems enrolled in Extended Security Updates (ESU) or running specific LTSC/IoT editions. Regular Windows 10 Home or Pro devices that reached end of servicing will not receive this patch, leaving them perpetually exposed. If you still rely on such a machine to host any HTTP/2 web services, the time to migrate or upgrade is now.

What This Means for You

The practical impact depends on your role and how Windows systems are deployed.

For Home Users: Most home PCs don’t run HTTP/2 web servers exposed to the internet, so the risk of direct attack is low. However, if you use remote desktop, host game servers, or run any software that accepts incoming HTTP/2 connections, you should apply the patch. Even if not directly exploitable, the update contains other security fixes and should be installed as a routine measure.

For IT Administrators: This is a high-priority patch for any Windows Server that handles HTTP/2 traffic from untrusted networks. The attack surface includes web servers (IIS, ASP.NET), reverse proxies, API gateways, load balancers, and any service that terminates TLS and speaks HTTP/2. Because the flaw requires no authentication or user interaction, an attacker can repeatedly crash a service with minimal effort. While the attack doesn’t grant code execution or data theft, repeated outages can disrupt business-critical applications, block authentication flows, and cause cascading failures.

Administrators should prioritize internet-facing servers, but also examine internal systems where an attacker might pivot from a compromised endpoint. In Azure, VMs running Windows Server with HTTP/2 endpoints, App Service environments, and even Windows Admin Center gateway servers could be targets. Windows 10 systems in enterprise environments may also be vulnerable if they run HTTP/2-based services; verify whether your fleet includes machines that listen on network ports.

For Developers: If you build or maintain Windows-based web applications, test your services after applying the July update. The same KB packages include a change that enforces Transport Driver Interface (TDI) transport registration, which may break older apps that use unregistered TDI drivers. Microsoft’s release notes warn that applications using sockets over third-party TDI transports might stop working. Review any legacy networking software—especially security, VPN, or communication tools—before rolling out the update broadly. In most cases, the HTTP/2 fix alone will not cause compatibility issues, but the combined update warrants a validation round.

A History of HTTP/2 DoS Flaws

HTTP/2, standardized in 2015, improved web performance but also introduced new attack vectors. The protocol’s multiplexing and header compression features have been exploited in the past for denial-of-service attacks. Most notably, the “Rapid Reset” attack campaign in 2023 targeted HTTP/2 servers by abusing the stream cancellation mechanism, leading to widespread outages. Microsoft itself had to release multiple patches for similar flaws (like CVE-2023-44487).

CVE-2026-49788 differs because it targets Windows’ implementation specifically, using resource exhaustion rather than protocol logic errors. The fact that it’s trivially exploitable over the network—as reflected in the CVSS vector—makes it particularly dangerous for any organization still relying on Windows Server for internet-facing web services. Microsoft’s advisory categorizes the vulnerability as “confirmed but not publicly disclosed or exploited,” which indicates the company likely found the issue internally or via a researcher under responsible disclosure.

This pattern underscores a persistent challenge: network-facing infrastructure components, even those decades old like the HTTP stack in Windows, remain a prime target. The absence of a public proof-of-concept on July 14 doesn’t guarantee safety; reverse-engineering the patch can often reveal enough detail for attackers to craft an exploit within days.

How to Protect Your Systems Right Now

1. Patch Immediately on Exposed Systems
Identify all Windows machines that accept HTTP/2 connections, especially those reachable from the internet. Deploy the appropriate cumulative update via Windows Update, WSUS, or your patch management tool. The table above shows the minimum build numbers; verify after rebooting that the build matches or exceeds the fixed version. For Windows Server, you can use PowerShell: (Get-ComputerInfo).WindowsVersion or check winver.

2. Verify Patch Status by Build, Not Just Update Banner
A machine may report that updates were installed but still be running an unpatched binary if a reboot is pending or the update failed. Use Powershell to query the specific KB: get-hotfix -id KB5101650 (for example). The definitive check is the OS build number. For internet-facing servers, implement a configuration management tool that enforces baseline builds.

3. Monitor for Signs of Exploitation
While no attacks have been reported, keep an eye out for unusual HTTP/2 connection spikes, service hangs, or unexpected restarts of web processes. These could indicate a resource-exhaustion attempt. Application performance monitoring and web server logs can help detect anomalies. Tools like Windows Event Log, Performance Monitor, or ETW traces for HTTP.sys can show abnormal connection patterns.

4. Consider Network Mitigations as a Stopgap
If you can’t patch immediately, reduce risk by limiting HTTP/2 exposure. Use a reverse proxy or load balancer that terminates HTTP/2 upstream before passing traffic to Windows servers over HTTP/1.1. Apply rate limiting and connection limits at the network edge. However, these measures are not a substitute for patching; the bug is in the Windows HTTP/2 stack, and any direct HTTP/2 connection to the server is vulnerable.

5. Test the TDI Compatibility Change
Before rolling out the update enterprise-wide, check whether your environment uses any software that relies on unregistered TDI transports. Microsoft provides a list of affected scenarios in the July release notes. If you encounter issues, you may need to contact the software vendor for an update or deploy a workaround—but don’t let that delay patching on exposed systems; you can always roll back on a problematic machine while securing the rest.

6. Plan for Regular Cadence
Treat this as a reminder to have a patch management strategy that prioritizes network-facing vulnerabilities. CVE-2026-49788 is not a wormable RCE, but its simplicity and reliability make it attractive for disruption. The next monthly patch Tuesday should be on your calendar; delay can turn a known fix into an organizational liability.

The Outlook

Microsoft’s quick inclusion of the fix in a routine update cycle suggests the company didn’t view the vulnerability as an imminent global catastrophe—but that doesn’t reduce the risk for individual organizations. As reverse-engineering of the patch advances, exploit code could appear on public repositories within weeks. The July 14 updates also close other security holes, and the TDI enforcement change signals that Microsoft is tightening network stack security, which may reveal latent issues in third-party tools.

Administrators should not treat this as a “patch-and-forget” event. The HTTP/2 ecosystem will continue to be a target; resource-exhaustion attacks are cheap to execute and hard to prevent through signature-based defenses. Keeping Windows servers on a current build is the most reliable defense. If you manage any Windows web infrastructure, the time to act is now—before the inevitable exploit scripts start circulating.