CVE-2026-49787: Install KB5101650 to Fix Windows HTTP.sys DoS

Microsoft has patched CVE-2026-49787, a remotely reachable denial-of-service vulnerability in Windows HTTP.sys that can let an unauthenticated attacker exhaust system resources. The flaw carries a CVSS 3.1 score of 7.5 and affects supported Windows client and server releases, including Windows 11 24H2 and 25H2, Windows Server 2022, and Windows Server 2025.
Detailed in Microsoft’s Security Update Guide on July 14, 2026, the vulnerability stems from “allocation of resources without limits or throttling” in HTTP.sys. The National Vulnerability Database classifies the underlying weakness as CWE-770 and confirms that exploitation can occur over a network with low complexity, without privileges or user interaction.
That combination makes the July cumulative updates a priority for administrators running IIS, Windows-hosted web applications, or other services that depend on the Windows HTTP protocol stack. Although CVE-2026-49787 does not provide code execution or data access, a successful attack could make an exposed service unavailable.

Cybersecurity graphic showing a Windows Server under HTTP flood, critical resource usage, and a security patch alert.HTTP.sys Puts the Vulnerability Below IIS​

HTTP.sys is the kernel-mode Windows driver that processes HTTP traffic for IIS and other applications using Windows HTTP server APIs. It can accept and route requests before they reach application code, which means a weakness in the driver is not confined to a particular website, framework, or IIS worker process.
Microsoft describes CVE-2026-49787 as an availability-only vulnerability. Its CVSS vector records no confidentiality or integrity impact, but assigns a high availability impact. In practical terms, the expected outcome is disruption or resource exhaustion rather than installation of malware, theft of credentials, or direct remote control of the server.
The network attack vector is nevertheless important. An attacker does not need an existing Windows account, administrative rights, or help from a logged-in user. Microsoft’s CVSS assessment also marks attack complexity as low, indicating that successful exploitation does not depend on unusually complicated preparation or race conditions.
CISA’s initial SSVC data lists exploitation as “none” as of July 14, while describing the attack as automatable. That is not evidence that attacks cannot occur; it means there was no known exploitation in the data available immediately after publication. Microsoft’s report-confidence rating is confirmed, reflecting vendor acknowledgement and sufficient technical confidence in the vulnerability’s existence.
The result is a flaw that sits below the threshold of a critical remote-code-execution emergency but above the level administrators should leave for an indefinite maintenance window. Internet-facing HTTP.sys systems are the clearest priority, particularly where repeated interruption would affect authentication services, APIs, management portals, or customer-facing applications.

The Affected Range Reaches Back to Windows Server 2016​

Microsoft’s affected-product data covers a broad span of Windows versions. Client systems are included because HTTP.sys is an operating-system component, even though the highest practical exposure is likely to be found on systems actively accepting HTTP or HTTPS connections.
Affected releases and their corrected build boundaries include:
  • Windows 10 version 1607 and Windows Server 2016 are affected below build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 are affected below build 17763.9020.
  • Windows 10 version 21H2 is affected below build 19044.7548.
  • Windows 10 version 22H2 is affected below build 19045.7548.
  • Windows 11 version 24H2 is affected below build 26100.8875.
  • Windows 11 version 25H2 is affected below build 26200.8875.
  • Windows 11 version 26H1 is listed as affected below build 28000.2269.
  • Windows Server 2022 is affected below build 20348.5386.
  • Windows Server 2025 is affected below build 26100.33158.
Both full Windows Server installations and the listed Server Core editions are affected. Server Core therefore does not remove the exposure when HTTP.sys-backed services are present; its reduced graphical footprint is not a substitute for updating the protocol stack.
For current Windows 11 systems, Microsoft delivered KB5101650 on July 14, moving Windows 11 24H2 to OS build 26100.8875 and Windows 11 25H2 to build 26200.8875. Microsoft says it is not currently aware of issues with that cumulative update.
Windows Server 2022 receives the fix through KB5099540, which advances the operating system to build 20348.5386. Windows 10 version 1809 and Windows Server 2019 reach build 17763.9020 through KB5099538.
Windows 11 26H1 is an unusual entry in the product data. Microsoft lists build 28000.2269 as the fixed boundary, corresponding to the June 9 KB5095051 update, while the July 14 cumulative update KB5101649 moves 26H1 to build 28000.2525. Administrators should use the current July build rather than treating the older minimum boundary as the recommended deployment target.

Patch Validation Matters More Than an IIS Version Check​

Because the vulnerability resides in Windows HTTP.sys, checking the IIS version alone will not establish whether a machine is protected. The decisive measurement is the Windows OS build and the successful installation of the applicable cumulative security update.
Administrators should first identify systems that expose HTTP.sys listeners, then compare their builds against Microsoft’s fixed boundaries. IIS servers are obvious candidates, but inventories should also include Windows services, management products, development tools, and custom applications that register HTTP endpoints through Windows APIs.
Useful checks include reviewing installed updates through PowerShell, querying the OS build with winver or Get-ComputerInfo, and inspecting HTTP service registrations with netsh http show servicestate. Reverse proxies and load balancers may reduce direct exposure, but they should not be treated as a complete mitigation unless they reliably prevent the resource-exhaustion condition from reaching HTTP.sys.
A staged rollout remains sensible because July’s cumulative updates contain changes beyond CVE-2026-49787. Microsoft’s Windows Server 2022 release notes, for example, warn that a limited set of machines with an unrecommended BitLocker PCR7 Group Policy configuration may request the recovery key after the first restart. The same update also introduces transport-driver-interface hardening that can affect applications using sockets over unregistered third-party TDI transports.
Those deployment considerations justify testing, not postponement. Administrators can prioritize externally reachable web servers, reverse-proxy back ends, API hosts, and high-availability nodes, followed by internal HTTP.sys systems and client devices. Clustered services should be patched node by node where the architecture permits, with monitoring focused on request handling, memory consumption, CPU utilization, and service restarts.

Denial of Service Is the Entire Security Boundary Here​

CVE-2026-49787 should not be described as a path to remote code execution. Microsoft’s scoring records no direct effect on confidentiality or integrity, and the published weakness concerns uncontrolled resource allocation rather than memory corruption.
That narrower impact does not make the vulnerability harmless. Availability failures can become security incidents when they disable identity infrastructure, monitoring consoles, update systems, web gateways, or operational applications. Repeated exploitation may also complicate incident response by resembling an application fault, traffic surge, or capacity problem.
The early record does not identify public exploit code or observed attacks, and the National Vulnerability Database was still undergoing enrichment shortly after publication. Technical details may therefore expand as researchers analyze the update and compare patched HTTP.sys binaries with earlier versions.
For now, the actionable line is clear: Windows systems below the applicable fixed build remain exposed to a low-complexity, unauthenticated network denial-of-service condition. Installing the July 14 cumulative updates—and verifying the resulting OS build—is the concrete remediation for CVE-2026-49787.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top