A recent security advisory details HTTP/2 request smuggling vectors in ASP.NET Core runtimes prior to the May 2026 cumulative update. The flaw lets an attacker craft a request that the front end (proxy or load balancer) and the back end delimit differently, so that part of it is processed as a second, attacker-controlled request. On production sites the consequences are cache poisoning and access to endpoints the front end was supposed to gate.

Sites running on Windows Server with IIS and older .NET 9 or early .NET 10 builds are exposed. The advisory emphasizes that default Kestrel and IIS configurations do not fully mitigate the issue without additional hardening.

Immediate action requires upgrading to the current .NET 10 servicing release and applying targeted IIS request filtering rules. This post outlines the affected components and the exact configuration changes needed.

# Vulnerability Overview

The issue stems from inconsistent handling of HTTP/2 pseudo-headers and content-length fields when requests traverse IIS and the ASP.NET Core module. Within HTTP/2 itself the body is delimited by DATA frame lengths, so a content-length header that disagrees with the frames is only a protocol violation; the danger arises where a front end re-serializes the request as HTTP/1.1 and forwards the client's content-length, or copies pseudo-header and header values into the HTTP/1.1 request line and headers, without validating them. Malformed frames can then cause the back end to interpret a single client request as multiple requests, the second of them fully attacker-controlled.

# Who Is Affected

  • ASP.NET Core 9.0 and early 10.0 preview builds hosted on IIS
  • Applications behind reverse proxies that accept HTTP/2 from clients and forward requests without header normalization, in particular without reconciling content-length against the body actually received
  • Any site that terminates TLS from untrusted clients on port 443, since browsers negotiate HTTP/2 over TLS (ALPN) by default

# Mitigation Steps

Apply the May 2026 .NET 10 update first; the update is the fix, and the IIS rules below are defense in depth that narrow what a smuggled request can reach. Then add the following request filtering rules to the site's web.config. Note that an allow-list of GET and POST also rejects HEAD, OPTIONS (CORS preflight), PUT, PATCH and DELETE, so extend the list for APIs that rely on those verbs rather than disabling the rule.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="false" rejects every verb not listed below; IIS answers 404.6 (verb denied) -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```
Next, enable Kestrel's StrictHttp2Validation option in Program.cs. The setting applies only where Kestrel itself terminates the client's HTTP/2 connection (Kestrel exposed directly, or behind a proxy that speaks HTTP/2 to it). Under IIS in-process hosting Kestrel is not in the request path at all, so there the runtime update and the IIS rules above carry the mitigation.

```csharp
var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(options =>
{
    // StrictHttp2Validation is the option the advisory names for this issue.
    options.Limits.Http2.StrictHttp2Validation = true;
});
builder.Build().Run();
```

# Verification and Monitoring

After deployment, enable IIS Failed Request Tracing for the 4xx responses the new rules produce (request filtering rejects a denied verb with 404.6) so that rejected requests are captured with their headers. Review the traces weekly for repeated content-length mismatches or denied verbs from the same client IP ranges. If a CDN or load balancer sits in front of IIS, the client address is in X-Forwarded-For rather than c-ip, and only a value set by your own edge should be trusted when attributing the traffic.

Update all production workloads to the latest .NET 10 patch and retest proxy configurations. These steps close the reported vector and restore expected request isolation on Windows Server hosts.