Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
AnalysisAI
Remote code execution in Microsoft Windows HTTP.sys allows unauthenticated network attackers to execute arbitrary code by triggering an integer overflow that leads to heap-based memory corruption. The flaw carries a CVSS 9.8 rating reflecting network reachability, no privileges, and no user interaction, and impacts the kernel-mode HTTP listener used by IIS and any Windows service relying on the HTTP Server API. No public exploit has been identified at the time of analysis and CISA KEV does not list it, but the wormable profile of HTTP.sys flaws warrants urgent patching.
Technical ContextAI
HTTP.sys is the Windows kernel-mode driver that parses and queues HTTP/HTTPS requests on behalf of IIS, WinRM, WSDAPI, SSDP, and various third-party services using the HTTP Server API. CWE-122 (Heap-based Buffer Overflow), triggered here through an integer overflow or wraparound in size calculations, occurs when arithmetic on a request-derived length wraps past INT_MAX or SIZE_MAX, causing a downstream allocation to be sized smaller than the data subsequently copied into it. Because HTTP.sys executes in kernel context (System), successful memory corruption typically yields SYSTEM-level code execution and is historically wormable, as seen in prior HTTP.sys issues such as CVE-2021-31166 and CVE-2022-21907.
RemediationAI
Apply the Microsoft security update referenced in the MSRC advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291) for each affected Windows build as the primary fix; an exact fix version was not provided in the input data, so consult the advisory for the specific KB articles per SKU. Where patching cannot be completed immediately, restrict inbound TCP/80 and TCP/443 to HTTP.sys-backed services using host or network firewalls, terminate TLS and HTTP parsing on a non-Windows reverse proxy in front of IIS so malformed requests never reach the kernel driver, and disable optional HTTP.sys features such as HTTP/2 or response caching if the advisory identifies them as the trigger surface - note that proxy fronting can break NTLM/Kerberos pass-through and disabling HTTP/2 will reduce performance for modern clients. Audit and disable any unused HTTP Server API consumers (WinRM, WSDAPI, SSDP) on servers that do not require them.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35501
GHSA-392q-pc37-m552