Full Report
Microsoft's October Windows 11 updates have broken the "localhost" functionality, making applications that connect back to 127.0.0.1 over HTTP/2 no longer function properly. [...]
Analysis Summary
# Vulnerability: Windows 11 Updates Breaking Localhost HTTP/2 Connections
## CVE Details
- CVE ID: N/A (This appears to be a regression/bug introduced via update, not a traditionally tracked security vulnerability)
- CVSS Score: N/A
- CWE: N/A (Functionality breakage due to update)
## Affected Systems
- Products: Windows 11 (Specific Builds 24H2 and 25H2 affected by updates)
- Versions: Systems running Windows 11 after installation of specific updates.
- Configurations: Applications utilizing HTTP/2 connections to the `127.0.0.1` (localhost) loopback address.
## Vulnerability Description
Microsoft's October 2025 Windows 11 Cumulative Update (KB5066835) and September 2025 Preview Update (KB5065789) introduced a regression that breaks the ability for applications to establish HTTP/2 connections to the local loopback interface (`127.0.0.1` or localhost). Affected connections result in errors such as `ERR_CONNECTION_RESET` or `ERR_HTTP2_PROTOCOL_ERROR`. This impacts development tools (like Visual Studio debugging) and security applications relying on local services (e.g., Duo Desktop authentication).
## Exploitation
- Status: Not applicable / Functional Degradation (Not a security vulnerability being exploited, but a bug impacting application functionality)
- Complexity: Not applicable (Issue is triggered by OS update)
- Attack Vector: Local/Application Interaction
## Impact
- Confidentiality: Negligible (Functionality issue)
- Integrity: Potential (If local services relying on the connection fail to complete actions)
- Availability: High (Critical applications fail to communicate locally)
## Remediation
### Patches
The primary remediation is uninstalling the offending updates:
- Uninstall KB5066835 (October 2025 Update)
- Uninstall KB5065789 (September 2025 Preview Update)
### Workarounds
1. **Registry Modification (Partial/Unconfirmed Fix):** Attempting to disable HTTP/2 by setting the following registry keys (note: users report this does not solve the issue for everyone):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS\Parameters]
"EnableHttp2"=dword:00000000
"EnableHttp2OverTls"=dword:00000000
2. **Defender Intelligence Update (Unconfirmed Fix):** Some users suggested installing the latest Microsoft Defender intelligence update.
## Detection
- Indicators of compromise: Applications throwing connection errors when targeting `localhost` or `127.0.0.1` via HTTP/2/HTTPS (e.g., `ERR_CONNECTION_RESET`).
- Detection methods and tools: Monitoring application logs for HTTP connection failures specifically tied to the loopback address immediately following OS updates.
## References
- Vendor advisory (Duo Support Bulletin): help://help.duo.com/s/article/9527?language=en_US
- KB5066835 Support Link: support.microsoft.com/en-us/topic/october-14-2025-kb5066835-os-builds-26200-6899-and-26100-6899-1db237d8-9f3b-4218-9515-3e0a32729685
- KB5065789 Support Link: support.microsoft.com/en-us/topic/september-29-2025-kb5065789-os-builds-26200-6725-and-26100-6725-preview-fa03ce47-cec5-4d1c-87d0-cac4195b4b4e