CVE-2026-33096 · HTTP.sys Denial of Service Vulnerability

Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might help in your situation: Caution Follow these steps carefully. Serious problems might occur if you modify the registry incorrectly. To disable HTTP/3, remove the following registry values from the specified key: Open Registry Editor (regedit.exe). Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. Back up the key: select Parameters, then select File > Export, and save the .reg file to a secure location. If present, delete the EnableHttp3 value. If present, delete the EnableAltSvc value. Restart the device after making these changes. After the restart, all http.sys-based server applications on that device will no longer serve HTTP/3 clients. Note: If either value is not present, no change is required for that value. Restore: To undo this change, double-click the exported .reg file (or in Registry Editor, select File > Import) to restore the previous settings. After you install the security update, you no longer need this mitigation.