Skip to main content

Microsoft CVE-2026-33096

| EUVDEUVD-2026-22617 HIGH
Out-of-bounds Read (CWE-125)
2026-04-14 microsoft
7.5
CVSS 3.1 · NVD
Temporal: 6.5
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CIRCL (temporal)
6.5 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:23 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22617
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:57 nvd
HIGH 7.5

DescriptionCVE.org

Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.

AnalysisAI

Denial of service in Windows HTTP.sys kernel-mode driver allows unauthenticated remote attackers to crash affected systems via malformed HTTP requests. Affects all currently supported Windows 11 versions (22H2 through 26H1) and Windows Server 2022/2025 editions. The vulnerability stems from an out-of-bounds read (CWE-125) triggered when HTTP.sys processes specially crafted network packets without authentication (CVSS AV:N/PR:N). Vendor-released patches available for all affected versions with specific build numbers identified. No public exploit identified at time of analysis, though low attack complexity (AC:L) suggests straightforward exploitation once technical details emerge.

Technical ContextAI

HTTP.sys is a Windows kernel-mode driver responsible for processing HTTP requests before they reach user-mode web applications like IIS. This out-of-bounds read (CWE-125) occurs when HTTP.sys parses malformed HTTP protocol data, causing the driver to read memory beyond allocated buffer boundaries. Unlike typical buffer overflows that enable code execution, out-of-bounds reads in kernel-mode drivers typically trigger system crashes (BSOD) when invalid memory is accessed, resulting in high availability impact. The vulnerability exists across the HTTP.sys implementation in Windows 11 builds 10.0.22631 through 10.0.28000 and Windows Server 2022/2025 builds 10.0.20348 through 10.0.26100, indicating a persistent flaw in the HTTP protocol parsing logic across multiple kernel generations.

RemediationAI

Apply Microsoft-released security updates immediately to patch the HTTP.sys vulnerability. Update Windows 11 version 22H2/23H2 to build 10.0.22631.6936 or later, Windows 11 version 24H2 to build 10.0.26100.32690 or later, Windows 11 version 25H2 to build 10.0.26200.8246 or later, Windows 11 version 26H1 to build 10.0.28000.1836 or later, Windows Server 2022 to build 10.0.20348.5020 or later, Windows Server 2022 23H2 Edition to build 10.0.25398.2274 or later, and Windows Server 2025 editions to build 10.0.26100.32690 or later. Patches are distributed through Windows Update and Microsoft Update Catalog. For systems that cannot be immediately patched, consider network-level controls to restrict HTTP/HTTPS traffic to trusted sources only, though this is not a substitute for patching. Prioritize internet-facing web servers and critical availability systems. Full remediation guidance available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33096.

Share

CVE-2026-33096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy