Skip to main content

Windows HTTP.sys CVE-2026-47291

| EUVDEUVD-2026-35501 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-06-09 secure@microsoft.com GHSA-392q-pc37-m552
9.8
CVSS 3.1 · NVD
Temporal: 8.5
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
8.5 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:57 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
CRITICAL 9.8

DescriptionNVD

Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.

AnalysisAI

Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.

Technical ContextAI

HTTP.sys is the Windows kernel-mode driver that parses and queues HTTP/HTTPS requests on behalf of IIS, WinRM, WSDAPI, SSDP, and various third-party services using the HTTP Server API. CWE-122 (Heap-based Buffer Overflow), triggered here through an integer overflow or wraparound in size calculations, occurs when arithmetic on a request-derived length wraps past INT_MAX or SIZE_MAX, causing a downstream allocation to be sized smaller than the data subsequently copied into it. Because HTTP.sys executes in kernel context (System), successful memory corruption typically yields SYSTEM-level code execution and is historically wormable, as seen in prior HTTP.sys issues such as CVE-2021-31166 and CVE-2022-21907.

RemediationAI

Apply the Microsoft security update referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291) for each affected Windows build as the primary fix; an exact fix version was not provided in the input data, so consult the advisory for the specific KB articles per SKU. Where patching cannot be completed immediately, restrict inbound TCP/80 and TCP/443 to HTTP.sys-backed services using host or network firewalls, terminate TLS and HTTP parsing on a non-Windows reverse proxy in front of IIS so malformed requests never reach the kernel driver, and disable optional HTTP.sys features such as HTTP/2 or response caching if the advisory identifies them as the trigger surface - note that proxy fronting can break NTLM/Kerberos pass-through and disabling HTTP/2 will reduce performance for modern clients. Audit and disable any unused HTTP Server API consumers (WinRM, WSDAPI, SSDP) on servers that do not require them.

Share

CVE-2026-47291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy