Internet Information Services Memory Allocation with Excessive Size Value Vulnerability (CVE-2026-49975) - Vulnerability Database

Description

A memory exhaustion vulnerability in Microsoft IIS's HTTP/2 implementation (http.sys) allows a remote unauthenticated attacker to cause denial of service via crafted HTTP/2 requests combining HPACK header decompression amplification with flow-control stalling. A single connection can exhaust server RAM within seconds and causes a persistent kernel memory leak requiring a full reboot to recover. IIS 10.0 on Windows Server 2025 is confirmed vulnerable; Windows Server 2016, 2019, and 2022 are potentially affected. No patch is currently available.
