Endpoint Vulnerability

Microsoft: HTTP/2 Server Denial of Service Vulnerability


A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. To exploit this vulnerability, an unauthenticated attacker could send a specially crafted HTTP packet to a target system, causing the affected system to become nonresponsive. The update addresses the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP/2 requests. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate user rights.

Affected Products

Windows 10,Windows Server 2016,Windows Server, version 1803 (Server Core Installation),Windows Server, version 1903 (Server Core installation),Windows Server 2019