Internet Information Services Memory Allocation with Excessive Size Value Vulnerability - CVE-2026-49975
A memory exhaustion vulnerability in Microsoft IIS's HTTP/2 implementation (http.sys) allows a remote unauthenticated attacker to cause denial of service via crafted HTTP/2 requests combining HPACK header decompression amplification with flow-control stalling. A single connection can exhaust server RAM within seconds and causes a persistent kernel memory leak requiring a full reboot to recover. IIS 10.0 on Windows Server 2025 is confirmed vulnerable; Windows Server 2016, 2019 and 2022 are potentially affected. No patch is currently available.