HTTP/2 Bomb CVE-2026-49160: NC SMB IIS DoS Defense Plan

HTTP/2 Bomb CVE-2026-49160 crashes IIS, OWA, RDGW from tiny requests. NC SMB resilience playbook. Call (336) 886-3282.


TL;DR: CVE-2026-49160, nicknamed the "HTTP/2 Bomb," is a Windows HTTP.sys denial-of-service zero-day patched in the June 10, 2026 Patch Tuesday (CVSS 7.5). Tiny crafted HTTP/2 requests force the server to allocate disproportionately large amounts of memory; flow-control manipulation keeps the memory pinned, starving the service. For NC SMBs running IIS, Exchange OWA, Remote Desktop Gateway, or any HTTP.sys-based service on the internet, an attacker with negligible bandwidth can knock the service offline. The fix is the patch plus a new MaxHeadersCount registry knob plus a Cloudflare-grade WAF in front of any public endpoint.

Key takeaway: HTTP/2 Bomb is the rare DoS that an attacker can launch from a single laptop and a basic uplink. NC SMBs depending on IIS or OWA for revenue (e-commerce, customer portals, scheduling) need both the patch and an upstream WAF, not one or the other.

Worried that a competitor or extortionist could knock your portal offline? Preferred Data Corporation runs managed Windows server patching, IIS hardening, and Cloudflare WAF for NC small businesses. Call (336) 886-3282 or request a web exposure review.

What is CVE-2026-49160 and how does the HTTP/2 Bomb work?

It is a Windows HTTP.sys denial-of-service vulnerability that abuses HTTP/2's header compression and flow-control features to force a server to allocate large amounts of memory from very small attacker requests. Per Tenable and BleepingComputer, the attack chain is:

  1. Attacker opens an HTTP/2 connection to a vulnerable HTTP.sys-fronted service (IIS, OWA, RDGW, custom .NET apps).
  2. Attacker sends compressed headers that decompress to disproportionately large structures inside HTTP.sys memory.
  3. Attacker manipulates HTTP/2 flow-control settings so the server cannot reclaim the allocated memory.
  4. Repeating the pattern with negligible bandwidth pins so much memory that the service slows, errors, or crashes.

Three reasons this matters to an NC SMB:

  • Publicly disclosed before patch. Per BleepingComputer, CVE-2026-49160 was disclosed publicly ahead of the June 10, 2026 patch by researchers Quang Luong and Codex at Calif. Public disclosure means PoC details are circulating; exploitation tooling will follow within days.
  • Low attacker cost. Unlike volumetric DDoS, HTTP/2 Bomb does not need a botnet. A single laptop on a residential connection has enough bandwidth to take down a typical SMB IIS server. That is a meaningful change in attacker economics.
  • Wide HTTP.sys exposure. HTTP.sys sits behind IIS, Exchange OWA, Remote Desktop Gateway, the Windows Web Application Proxy, WSUS, RD Web Access, .NET HTTP listeners, and many third-party services that use HttpListener. Every one of those is in scope on an unpatched server.

For an NC small business running an online customer portal, an Exchange OWA endpoint for remote email, an RD Gateway for plant-floor laptops, or a Windows-hosted e-commerce site, the asset surface is wider than most owners realize.

Why is HTTP/2 amplification different from a traditional DDoS?

Because the cost ratio favors the attacker. Traditional volumetric DDoS requires the attacker to push enough bandwidth to exceed the target's pipe. HTTP/2 Bomb requires only enough requests to trigger memory allocation faster than the server can reclaim it. Per Security Boulevard's analysis, the new MaxHeadersCount registry setting Microsoft shipped is the structural mitigation; it caps how many headers any single HTTP/2 request can carry, regardless of compression ratio.

  Attack dimension           | Traditional volumetric DDoS | HTTP/2 Bomb (CVE-2026-49160)
  Attacker bandwidth needed  | Gigabits per second         | Megabits per second
  Attacker infrastructure    | Botnet                      | Single laptop
  Target exhaustion vector   | Bandwidth                   | Memory
  Upstream WAF effective?    | Often yes                   | Yes, if it inspects HTTP/2 headers
  Patch-only fix?            | No                          | Yes, for the disclosed path
  Defense-in-depth needed    | Always                      | Yes (WAF + patch + MaxHeadersCount)

Which NC SMB services are exposed to HTTP/2 Bomb?

Any service backed by Windows HTTP.sys on the internet. The list is longer than most SMB owners realize. The five most common NC SMB exposures:

  1. IIS hosting customer portals or e-commerce. Most NC SMB online order forms, customer dashboards, and marketing sites running on Windows are IIS / HTTP.sys.
  2. Exchange OWA / Outlook on the Web. Per Tenable's June 2026 analysis, Exchange has been a recurring Patch Tuesday target; OWA on the internet is HTTP.sys-fronted.
  3. Remote Desktop Gateway (RDGW). NC manufacturers and distributors with remote plant-floor access often expose RDGW; it sits on HTTP.sys.
  4. WSUS and Windows Server Update Services internet listeners. Where exposed, they are HTTP.sys.
  5. Custom .NET HTTP listeners. Any in-house tool that uses HttpListener is in scope.

For an NC manufacturer in High Point with a customer portal, a distributor in Greensboro with an EDI gateway, or a professional services firm in Charlotte with a client login site, every one of these is a candidate target.

What does an HTTP/2 Bomb outage cost an NC small business?

It costs revenue, customer trust, and SLA penalties. For a typical NC SMB, every hour of customer-portal downtime translates to documented lost orders, missed support windows, and missed deliveries. For e-commerce, Akamai's State of the Internet research documents that even brief web outages produce abandoned-cart and abandoned-session impacts that persist after recovery.

A realistic NC SMB outage scenario:

  1. Attacker launches HTTP/2 Bomb against an NC SMB customer portal at 9 AM on a weekday.
  2. IIS memory climbs; the portal slows, then errors, then crashes.
  3. The SMB's in-house IT lead spends 90 minutes reproducing the issue, blaming traffic, restarting services.
  4. By the time the team identifies HTTP/2 Bomb as the cause and applies mitigations, four hours of business have been lost.
  5. Customer support fields complaints for the next 24-48 hours.

Quotable definition: HTTP/2 Bomb (CVE-2026-49160) is a Windows HTTP.sys denial-of-service vulnerability that uses HTTP/2 header compression and flow control to allocate disproportionately large amounts of server memory from very small attacker requests, knocking IIS, Exchange OWA, and Remote Desktop Gateway services offline with minimal bandwidth.

What should an NC small business do this week?

Run a three-step plan. The first step is mandatory; the second and third are defense-in-depth for any SMB whose revenue runs through a public web endpoint.

  1. Apply the June 10, 2026 cumulative update on every Windows server with HTTP.sys exposure (this week). Push the patch through your RMM or WSUS. Verify the installed build numbers against Microsoft's Security Update Guide for Windows Server 2022, Windows Server 2025, and Windows 11.
  2. Set the MaxHeadersCount registry value on every internet-exposed service (this week). Per Security Boulevard, the new registry setting caps the number of HTTP/2 / HTTP/3 request headers HTTP.sys will accept. This is the structural mitigation that survives any future variant.
  3. Put a WAF in front of every public HTTP endpoint (this month). Cloudflare, Akamai, or Azure Front Door inspect HTTP/2 traffic before it reaches the origin. A WAF policy that enforces sane header counts, request rates, and HTTP/2 frame budgets blocks the variant attacks that come next.
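The host-side half of steps 1 and 2, plus the synthetic HTTP/2 health check a fleet rollout needs afterwards, as an added PowerShell example. This is not Preferred Data Corporation's tooling and not Microsoft's script. The KB number is a placeholder to be replaced per build; the registry location of MaxHeadersCount is an assumption (the value name comes from the coverage above, the path is the long-standing HTTP.sys Parameters key, and it should be confirmed against Microsoft's guidance before a fleet-wide push); the cap of 100 and the portal URL are constructed values. It needs PowerShell 7 for the HttpClient calls.

```powershell
#Requires -Version 7.0
# Added example: verify the patch, set the MaxHeadersCount cap, and confirm the
# endpoint still answers over HTTP/2. Run elevated on each HTTP.sys-fronted server.

# Placeholder: the June 10, 2026 cumulative update KB differs per OS build.
$PatchKb = 'KB<PLACEHOLDER>'

# Assumption: MaxHeadersCount sits beside the other HTTP.sys tuning values
# (MaxFieldLength, MaxRequestBytes) under the HTTP service's Parameters key.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$HeaderCap  = 100            # constructed cap; derive yours from a traffic baseline
$PortalUrl  = 'https://portal.example.com/'   # constructed endpoint

function Test-PatchInstalled {
    param([Parameter(Mandatory)][string]$Kb)
    # Step 1 check: Get-HotFix reads the installed-updates list on this host.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-MaxHeadersCount {
    # Returns the current cap, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $HttpParams -Name 'MaxHeadersCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxHeadersCount
}

function Set-MaxHeadersCount {
    param([Parameter(Mandatory)][int]$Cap, [switch]$RestartHttp)
    # Step 2: write the DWORD. HTTP.sys reads its Parameters key when the
    # driver starts, so the change is inert until HTTP (and therefore IIS,
    # OWA, RDGW) is restarted; that is opt-in here because it drops sessions.
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    New-ItemProperty -Path $HttpParams -Name 'MaxHeadersCount' -PropertyType DWord `
        -Value $Cap -Force | Out-Null
    if ($RestartHttp) {
        # -Force stops the dependent services (W3SVC etc.) and starts them again.
        Restart-Service -Name HTTP -Force
    } else {
        Write-Warning 'MaxHeadersCount written; restart the HTTP service in a maintenance window to apply it.'
    }
}

function Test-Http2Health {
    param([Parameter(Mandatory)][string]$Url, [int]$TimeoutSec = 10)
    # Synthetic check: ask for HTTP/2 and record which version the server
    # negotiated and how long the round trip took. A climbing latency or a
    # non-2xx status after the change is the signal to investigate.
    $client = [System.Net.Http.HttpClient]::new()
    $client.Timeout = [TimeSpan]::FromSeconds($TimeoutSec)
    $req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Get, $Url)
    $req.Version = [Version]::new(2, 0)
    $req.VersionPolicy = [System.Net.Http.HttpVersionPolicy]::RequestVersionOrLower
    try {
        $sw   = [System.Diagnostics.Stopwatch]::StartNew()
        $resp = $client.Send($req)
        $sw.Stop()
        return [pscustomobject]@{
            Url        = $Url
            Status     = [int]$resp.StatusCode
            Negotiated = $resp.Version.ToString()   # "2.0" when HTTP/2 was accepted
            Millis     = $sw.ElapsedMilliseconds
        }
    } catch {
        return [pscustomobject]@{ Url = $Url; Status = 0; Negotiated = 'error'; Millis = -1; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

# Inventory of what HTTP.sys is actually serving on this host (registered URLs).
$listeners = netsh http show servicestate

$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    PatchPresent    = Test-PatchInstalled -Kb $PatchKb
    HeaderCapBefore = Get-MaxHeadersCount
}
Set-MaxHeadersCount -Cap $HeaderCap           # add -RestartHttp inside a maintenance window
$report | Add-Member -NotePropertyName HeaderCapAfter -NotePropertyValue (Get-MaxHeadersCount)
$report | Format-List
Test-Http2Health -Url $PortalUrl | Format-List
$listeners | Select-String -Pattern 'HTTP' -Context 0,0 | Out-String | Write-Host
```

Run it before and after the cumulative update lands so the report shows PatchPresent flipping to True and HeaderCapAfter holding the cap; keep the health-check output from a known-good run as the baseline, since the first sign of an HTTP/2 Bomb in progress is the Millis column climbing while Status is still 200.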

Key takeaway: Patch + registry mitigation + upstream WAF = a three-layer defense that survives the variant CVEs that always follow a publicly disclosed amplification class. Any one layer alone leaves residual risk.

How does Preferred Data Corporation help close HTTP/2 Bomb for NC SMBs?

PDC runs managed Windows server patching, IIS hardening, and Cloudflare-grade WAF deployments for NC small businesses. We bring three things to the HTTP/2 Bomb response:

  • Managed cybersecurity services: Land the June 10, 2026 cumulative update on every HTTP.sys-fronted server in the fleet, set MaxHeadersCount fleet-wide, and confirm with synthetic HTTP/2 health checks.
  • Network and infrastructure: Deploy and manage a WAF in front of every public NC SMB web endpoint, with HTTP/2 frame budgets, rate limits, and bot management tuned to the customer's traffic baseline.
  • Managed IT services: Public-facing service inventory, IIS / OWA / RDGW posture reviews, and quarterly resilience tests against the latest disclosed attack classes.

For NC manufacturers in High Point and the Piedmont Triad with customer portals, NC distributors in Greensboro and Winston-Salem with EDI gateways, and NC professional services firms in Charlotte and Raleigh with client login sites, HTTP/2 Bomb is the kind of issue a managed program closes inside the same week it lands.

Ready to harden your NC public web endpoints? Call (336) 886-3282 or book a web exposure review.

Frequently Asked Questions

What is the CVSS score of CVE-2026-49160?

Per Tenable's June 2026 Patch Tuesday analysis, CVE-2026-49160 carries a CVSS v3 base score of 7.5 with an "Exploitation More Likely" assessment from Microsoft. The vulnerability is a denial-of-service issue in Windows HTTP.sys exploitable over the network without authentication or user interaction.

Which Windows services are vulnerable to the HTTP/2 Bomb?

Any service backed by HTTP.sys, which includes Microsoft IIS, Exchange Server OWA, Remote Desktop Gateway, Web Application Proxy, WSUS internet listeners, RD Web Access, and any custom .NET application using HttpListener. Per BleepingComputer, the HTTP.sys component sits underneath all of these surfaces.

Does a WAF alone protect against HTTP/2 Bomb?

A modern HTTP/2-aware WAF (Cloudflare, Akamai, Azure Front Door) blocks the publicly disclosed attack pattern and most variants by inspecting HTTP/2 frames and capping header counts. A WAF is not a substitute for patching, but it is a strong defense-in-depth layer, especially while the patch is rolling out across a fleet.

What is the MaxHeadersCount registry setting?

Per Security Boulevard's coverage, the June 10, 2026 cumulative update adds a MaxHeadersCount registry value that lets administrators cap how many HTTP/2 or HTTP/3 request headers HTTP.sys will accept on a single request. It is the structural mitigation for the amplification class and should be configured on every internet-exposed service.

How fast does an NC SMB need to patch HTTP/2 Bomb?

Treat it as KEV-rate work even before CISA adds it: 48-72 hours for the patch and the MaxHeadersCount registry value, inside the same week for the WAF policy. Public disclosure plus a single-laptop attack profile produces fast weaponization windows.

What if our SMB does not run any internet-exposed IIS?

The risk drops sharply but does not go to zero. Internal HTTP.sys services (intranet portals, internal WSUS, internal RDGW) can be attacked from a compromised endpoint inside the network. The patch should still land everywhere; the MaxHeadersCount and WAF steps are only required for internet-exposed services.
