CVE-2026-49160
published 2026-06-09
CVE-2026-49160: Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
Priority P348 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.97% · 57.2th percentile
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1607 | < 10.0.14393.9234 | 10.0.14393.9234 |
| microsoft | windows_10_1809 | < 10.0.17763.8880 | 10.0.17763.8880 |
| microsoft | windows_10_21h2 | < 10.0.19044.7417 | 10.0.19044.7417 |
| microsoft | windows_10_22h2 | < 10.0.19045.7417 | 10.0.19045.7417 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.9234 | 10.0.14393.9234 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.8880 | 10.0.17763.8880 |
| microsoft | windows_10_version_21h2 | >= 10.0.19044.0 < 10.0.19044.7417 | 10.0.19044.7417 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.7417 | 10.0.19045.7417 |
| microsoft | windows_11_23h2 | < 10.0.22631.7219 | 10.0.22631.7219 |
| microsoft | windows_11_24h2 | < 10.0.26100.8655 | 10.0.26100.8655 |
| microsoft | windows_11_25h2 | < 10.0.26200.8655 | 10.0.26200.8655 |
| microsoft | windows_11_26h1 | < 10.0.28000.2269 | 10.0.28000.2269 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.7219 | 10.0.22631.7219 |
| microsoft | windows_11_version_24h2 | >= 10.0.26100.0 < 10.0.26100.8655 | 10.0.26100.8655 |
| microsoft | windows_11_version_25h2 | >= 10.0.26200.0 < 10.0.26200.8655 | 10.0.26200.8655 |
| microsoft | windows_11_version_26h1 | >= 10.0.28000.0 < 10.0.28000.2269 | 10.0.28000.2269 |
| microsoft | windows_server_2016 | < 10.0.14393.9234 | 10.0.14393.9234 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.9234 | 10.0.14393.9234 |
| microsoft | windows_server_2019 | < 10.0.17763.8880 | 10.0.17763.8880 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.8880 | 10.0.17763.8880 |
| microsoft | windows_server_2022 | < 10.0.20348.5256 | 10.0.20348.5256 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.5256 | 10.0.20348.5256 |
| microsoft | windows_server_2025 | < 10.0.26100.32995 | 10.0.26100.32995 |
| microsoft | windows_server_2025 | >= 10.0.26100.0 < 10.0.26100.32995 | 10.0.26100.32995 |
GHSA
Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
ghsa_unreviewed·2026-06-09
CVE-2026-49160 [HIGH] CWE-400 Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
VulDB
Microsoft Windows up to Server 2025 HTTP.sys resource consumption
vuldb·2026-06-09·CVSS 7.5
CVE-2026-49160 [HIGH] Microsoft Windows up to Server 2025 HTTP.sys resource consumption
A vulnerability labeled as critical has been found in Microsoft Windows. This affects an unknown part in the library HTTP.sys. Executing a manipulation can lead to resource consumption.
This vulnerability appears as CVE-2026-49160. The attack may be performed from remote. There is no available exploit.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
Tenable
Improving precision in CTEM: How continuous controls validation in Tenable One transforms exposure management
blogs_tenable·2026-06-16
CVE-2026-49160 Improving precision in CTEM: How continuous controls validation in Tenable One transforms exposure management
Discover how continuous control validation in Tenable One can improve your CTEM program by filtering out alert noise and factoring in your active cyber defenses. Focus your team on accessible and exploitable attack paths.
Key takeaways:
With vulnerability exploitation ranking as the top initial access vector and frontier AI accelerating vulnerability discovery, organizations must shift from managing theoretical cyber risks to validating actual, accessible exposure.
Tenable One maps active security controls including EDR, MFA, and firewalls directly onto potential attack paths, allowing teams to automatically deprioritize weaknesses that existing defenses already neutralize.
Hackernews
Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
blogs_hackernews·2026-06-10·CVSS 9.1
CVE-2025-10263 [CRITICAL] Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
Microsoft on Tuesday released fixes for a record 206 security vulnerabilities impacting its software portfolio, including three flaws that have been publicly disclosed at the time of release.
Of the 206 flaws, 39 are rated Critical, and 167 are rated Important in severity. This includes 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, seven denial-of-service, and three tampering vulnerabilities.
The patches also include two non-Microsoft CVEs, a privilege escalation vulner
Krebs
A Record-Breaking Patch Tuesday for June 2026
blogs_krebs·2026-06-09·CVSS 7.8
CVE-2026-49160 [HIGH] A Record-Breaking Patch Tuesday for June 2026
Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available.
The software giant said in a blog post last month that both its engineers and the security community are increasingly using artificial intelligence tools to find bugs, meaning this month’s heavy Patch Tuesday may start to become the norm, said Satnam Narang, senior staff research engineer at Tenable.
“Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches ma
Tenable
Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs (CVE-2026-49160, CVE-2026-50507)
blogs_tenable·2026-06-09·CVSS 9.1
CVE-2026-49160 [CRITICAL] Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs (CVE-2026-49160, CVE-2026-50507)
32 Critical
166 Important
0 Moderate
0 Low
Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.
Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.
This month’s update includes patches for:
.NET
Qualys
Microsoft and Adobe Patch Tuesday, June 2026 Security Update Review
blogs_qualys·2026-06-09
CVE-2026-49160 Microsoft and Adobe Patch Tuesday, June 2026 Security Update Review
Every Patch Tuesday presents a race between defenders applying fixes and attackers seeking opportunities. Microsoft’s June 2026 release is no exception, delivering security updates for vulnerabilities that could significantly impact enterprise environments if left unaddressed.
## Microsoft Patch Tuesday for June 2026
This month’s release addresses 206 vulnerabilities, including 33 critical and 167 important-severi
Talos
Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
blogs_talos·2026-06-09·CVSS 8.8
CVE-2026-42985 [HIGH] Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as “critical”.
Out of 32 "critical" entries, 28 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Active Directory, Windows Kerberos Key Distribution Centre (KDC), Windows Graphics component, Windows Remote Desktop client, Windows Deployment Services (WDS), DHCP Client service, Windows Hyper-V, Windows Kernel and Media, Azure Kubernetes Service (AKS), Microsoft Office, Microsoft Outlook, Microsoft Word, Microsoft SQL server and Windows HTTP Protocol Stack.
Talos highlights 4 cr
Sans Isc
Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
blogs_sans_isc·2026-06-09·CVSS 8.8
CVE-2026-49160 [HIGH] Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
Published: 2026-06-09. Last Updated: 2026-06-09 17:34:29 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.
This is certainly a busier-than-usual patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery.
Some noteworthy vulnerabilities:
CVE-2026-49160: This vulnerability was made public a week ago. As implem
Rapid7
Patch Tuesday - June 2026
blogs_rapid7·2026-06-09·CVSS 7.8
CVE-2026-33825 [HIGH] Patch Tuesday - June 2026
Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for three. This is similar to last month’s Patch Tuesday, however several of last month’s vulnerabilities ended up on CISA KEV in the days following their publication. So far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years. As usual, browser vulns are not included in the Patch Tuesday count above. Indeed, the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update G
Bleepingcomputer
Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
blogs_bleepingcomputer·2026-06-09·CVSS 7.8
CVE-2026-45586 [HIGH] Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
## Lawrence Abrams
65 Elevation of Privilege Vulnerabilities
19 Security Feature Bypass Vulnerabilities
55 Remote Code Execution Vulnerabilities
30 Information Disclosure Vulnerabilities
7 Denial of Service Vulnerabilities
27 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today.
Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.
There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch
Crowdstrike
June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
blogs_crowdstrike
CVE-2026-45586 June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days Jun 09, 2026