Microsoft flags IIS bug that could trigger 100% CPU usage

On Thursday (Feb.21st), The Microsoft Security Response Center published a security advisory about a denial of service (DOS) issue that is affecting its Microsoft web server technology, IIS (Internet Information Services).

According to Microsoft, all IIS servers running Windows Server 2016 and Windows 10 are affected by this vulnerability when processing HTTP/2 requests.

HTTP/2 is the latest version of the HTTP protocol.

CPU Usage

Microsoft says in its ADV190005 security advisory that there are circumstances in which IIS servers processing HTTP/2 can “cause the system CPU usage to spike to 100% until the malicious connections are killed by IIS.”

The issue was discovered by software engineer, Gal Goldshtein, with F5 Networks. Other than Microsoft’s ADV190005 advisory, there are no other public details about this vulnerability.

“The HTTP/2 specification allows clients to specify any number of SETTINGS frames with any number of SETTINGS parameters. In some situations, excessive settings can cause services to become unstable and may result in a temporary CPU usage spike until the connection timeout is reached and the connection is closed,” the security alert said.

The Redmond-based OS maker addressed the issue by adding “the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request,” which could be handled by an IIS server.


After patching their systems with cumulative updates KB4487006, KB4487011, Kb4487021, and KB4487029, Microsoft said administrators can modify the HTTP/2 settings threshold and prevent the bug from blocking IIS web services.

“Thresholds must be defined by the IIS administrator,” the company said, “they are not preset by Microsoft”.

Microsoft advised users to install a February ‘non-security update’ and to review the ‘Knowledge Base Article 4491420.’


Related Posts