CVE-2026-49788: July 14 Updates Fix Windows HTTP/2 DoS

CVE-2026-49788 exposes supported Windows clients and servers to a remotely triggered HTTP/2 denial-of-service attack, with Microsoft shipping fixes in the July 14, 2026 security updates. Administrators responsible for HTTP/2-facing Windows systems should prioritize deployment because exploitation requires no authentication, privileges, or user interaction.
Detailed in the Microsoft Security Response Center’s Security Update Guide, the flaw carries a CVSS 3.1 base score of 7.5 High. Microsoft describes it as an uncontrolled resource-allocation problem: an attacker can send network traffic that causes the HTTP/2 implementation to consume resources without sufficient limits or throttling, eventually denying service.
The National Vulnerability Database classifies the underlying weakness as CWE-770, Allocation of Resources Without Limits or Throttling. Microsoft considers the vulnerability confirmed, but says it was not publicly disclosed or known to be exploited when the updates were released.

Cybersecurity analyst monitors malicious traffic, active protection, system alerts, and network security dashboards.A Network Attack Aimed Squarely at Availability​

The CVSS vector for CVE-2026-49788 is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, that means an attacker can reach the vulnerable component over a network, the attack has low complexity, and no valid account or cooperation from a user is required.
A successful attack is not described as exposing data or modifying system contents. Its impact is confined to availability, but Microsoft rates that impact as high: the targeted service can lose its ability to respond normally as resources are exhausted.
This distinction matters for incident planning. CVE-2026-49788 is not a remote-code-execution flaw that directly hands control of a server to an intruder, but an HTTP service that repeatedly becomes unavailable can still disrupt applications, APIs, authentication flows, management portals, and other infrastructure placed behind it.
CISA’s initial Stakeholder-Specific Vulnerability Categorization assessment lists no observed exploitation, while describing exploitation as automatable and the technical impact as partial. That combination suggests attackers could potentially repeat the technique broadly even though the published impact is service disruption rather than total host compromise.
Microsoft’s exploitability assessment says exploitation is less likely. That should affect prioritization relative to an actively exploited zero-day, but it is not a reason to defer patching internet-accessible servers indefinitely. The absence of reported attacks on July 14 does not establish that reliable exploit tooling will remain unavailable.

The Affected Windows Footprint Reaches Back to Server 2016​

Microsoft’s CVE record identifies a broad collection of Windows releases, including current Windows 11 editions, Windows 10 installations receiving applicable servicing, and supported Windows Server generations. Server Core installations are included where applicable, confirming that the vulnerable path is not dependent on the desktop user interface.
Affected releases and their fixed build thresholds include:
  • Windows 11 24H2 is fixed in OS Build 26100.8875, delivered through KB5101650.
  • Windows 11 25H2 is fixed in OS Build 26200.8875, also delivered through KB5101650.
  • Windows 11 26H1 requires an applicable serviced build at or above Microsoft’s listed fixed threshold.
  • Windows 10 21H2 and 22H2 are fixed in OS Builds 19044.7548 and 19045.7548 through KB5099539.
  • Windows Server 2016 is fixed in OS Build 14393.9339 through KB5099535.
  • Windows Server 2019 is fixed in OS Build 17763.9020 through KB5099538.
  • Windows Server 2022 is fixed in OS Build 20348.5386 through KB5099540.
  • Windows Server 2025 is fixed in OS Build 26100.33158 through KB5099536.
The presence of Windows 10 21H2 and 22H2 in the affected data does not mean every retired consumer installation has regained ordinary support. Microsoft’s July documentation associates KB5099539 with eligible Windows 10 ESU systems and supported Enterprise LTSC and IoT Enterprise LTSC releases. Administrators must therefore check edition, servicing channel, and Extended Security Updates eligibility rather than relying solely on the Windows version displayed by winver.
Windows Server deserves particular attention because it is more likely to run remotely reachable workloads and remain in service for long periods. Server 2016 and Server 2019 systems may also be subject to slower maintenance cycles, making accurate inventory and deployment reporting essential.
For Windows 11 24H2 and 25H2, KB5101650 is cumulative and raises systems to builds 26100.8875 and 26200.8875 respectively. Microsoft says it is not currently aware of issues specific to that update, although administrators should still review the complete July release because the same package introduces other networking and security changes.

HTTP/2 Exposure Is the Useful Prioritization Signal​

The affected-product list is broad, but the practical risk is not identical on every Windows endpoint. An ordinary workstation behind a stateful firewall does not present the same attack surface as a Windows Server host accepting untrusted HTTP/2 traffic from the internet.
The highest-priority systems are those running HTTP/2-capable web services, gateways, application endpoints, or reverse-proxy roles that can receive attacker-controlled requests. Administrators should also inspect configurations in which a load balancer passes HTTP/2 connections or request characteristics through to a Windows backend rather than fully terminating and normalizing the traffic upstream.
Network controls may reduce exposure, but they should not be treated as a substitute for the security update without product-specific validation. Rate limiting, connection limits, request filtering, and upstream resource protections can make resource-exhaustion attacks harder, yet Microsoft’s public description does not provide enough technical detail to guarantee that a particular proxy or firewall configuration blocks the vulnerable behavior.
The advisory does not identify data theft, privilege escalation, or code execution as outcomes. Even so, repeated availability loss can become a security incident when it prevents customers from reaching a service, interrupts administrative access, or causes dependent systems to fail.
Administrators should monitor for abnormal HTTP/2 connection volumes, unusual resource growth, service hangs, and repeated process recycling. Those signals are not proof of CVE-2026-49788 exploitation, but they can help distinguish routine application trouble from a deliberate resource-exhaustion attempt.

Patch Verification Matters More Than the Update Banner​

Because the fix arrives through cumulative Windows servicing, the clearest verification method is the installed OS build rather than merely confirming that Windows Update recently ran. Deployment tools should report the July build or a later superseding build across the relevant device groups.
On Windows 11 24H2 and 25H2, administrators should look for KB5101650 or later servicing and builds at least 26100.8875 or 26200.8875. Windows Server teams should similarly verify 14393.9339 for Server 2016, 17763.9020 for Server 2019, 20348.5386 for Server 2022, and 26100.33158 for Server 2025.
That check is particularly important for machines with pending restarts, failed cumulative updates, or servicing-stack problems. A management console may show that an update was approved or downloaded even though the vulnerable binaries remain active.
The July packages also contain changes beyond CVE-2026-49788. Microsoft’s release notes warn that applications using sockets over unregistered third-party Transport Driver Interface transports may stop working after the July 14 updates because Windows now enforces TDI transport registration requirements. Organizations with older networking, security, or communications software should test that compatibility change, but delaying the HTTP/2 fix on exposed servers leaves a remotely reachable denial-of-service path open.
For most environments, the operational decision is straightforward: deploy the July 14 cumulative update first to externally reachable and business-critical Windows web infrastructure, confirm the resulting build, and then complete the remaining supported estate. CVE-2026-49788 is a service-availability vulnerability, not a takeover bug, but its unauthenticated network attack path makes patch status—not report-confidence boilerplate—the metric that matters.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top