CVE-2026-49788
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-49788, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Allocation of resources without limits or throttling in HTTP/2 allows an unauthorized attacker to deny service over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49788 is a vulnerability related to the allocation of resources without limits or throttling in HTTP/2. This flaw allows an unauthorized attacker to send requests or manipulate network traffic in a way that consumes excessive resources on a targeted system.

HTTP/2 is a protocol used for web communication, and if resources like memory or processing power are not properly restricted, an attacker can exploit this to cause a denial of service (DoS). This means the system may become unresponsive or crash due to resource exhaustion.

Impact Analysis

This vulnerability can impact you in several ways:

  • Denial of Service (DoS): An attacker can exploit this flaw to make your web services or applications unavailable to legitimate users, leading to downtime and disruption of services.
  • Resource Exhaustion: The system may experience high CPU or memory usage, causing slow performance or crashes, which could affect other applications running on the same infrastructure.
  • Increased Operational Costs: If the attack targets cloud-based services, it could lead to unexpected resource consumption, resulting in higher costs for bandwidth or compute resources.
Compliance Impact

This vulnerability may impact compliance with common standards and regulations in the following ways:

  • GDPR (General Data Protection Regulation): While this vulnerability does not directly involve data breaches, prolonged service unavailability could violate GDPR's requirements for ensuring the availability and resilience of processing systems (Article 32). Organizations may face scrutiny if they fail to mitigate such risks.
  • HIPAA (Health Insurance Portability and Accountability Act): For healthcare organizations, a denial of service attack could disrupt access to critical patient data or systems, potentially violating HIPAA's Security Rule, which mandates the availability and integrity of electronic protected health information (ePHI).
  • Other Standards: Compliance frameworks like ISO 27001 or NIST SP 800-53 emphasize the need for protecting systems against availability threats. Failure to address this vulnerability could result in non-compliance with these standards.

However, the specific impact on compliance depends on the context of the affected system and the data it handles. Organizations should assess whether the vulnerability exposes them to regulatory risks based on their industry and applicable laws.

Detection Guidance

Detecting this vulnerability involves monitoring for unusual HTTP/2 traffic patterns that could indicate resource exhaustion attacks. Since the issue involves allocation of resources without limits or throttling, you can look for signs of excessive HTTP/2 connections or streams.

  • Use network monitoring tools like Wireshark to capture and analyze HTTP/2 traffic. Look for an unusually high number of concurrent streams or requests from a single source.
  • Check server logs for repeated HTTP/2 connection attempts or abnormal termination of connections due to resource limits.
  • Use command-line tools like netstat or ss to monitor active connections and identify potential flooding. Example command: netstat -antp | grep ':443' (for Linux systems).
  • For Windows systems, use Performance Monitor to track HTTP/2-related counters or Resource Monitor to observe network and memory usage spikes.

If your system or application provides HTTP/2-specific metrics, review them for anomalies in stream counts, memory usage, or connection durations.

Mitigation Strategies

To mitigate this vulnerability, apply the following steps to limit the impact of resource exhaustion attacks via HTTP/2.

  • Apply the latest security updates or patches provided by your software vendor. Refer to the Microsoft Security Update Guide for CVE-2026-49788 for specific patches.
  • Configure HTTP/2 settings to enforce limits on the number of concurrent streams, connection duration, or request rates. This can prevent resource exhaustion by throttling excessive requests.
  • Enable rate limiting or connection throttling at the network or application level to restrict the number of requests from a single source.
  • Use a Web Application Firewall (WAF) to filter malicious HTTP/2 traffic and block known attack patterns.
  • Monitor systems for signs of attack and set up alerts for unusual spikes in HTTP/2 traffic or resource usage.
  • Consider temporarily disabling HTTP/2 if patches are not immediately available and the risk is high. Fall back to HTTP/1.1 until the issue is resolved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49788. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart