Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
The vulnerability falls into the CWE-122 (heap-based buffer overflow) and CWE-190 (integer overflow or wraparound) categories. An attacker sends specially crafted HTTP requests to the HTTP.sys component, triggering an integer overflow that leads to a heap buffer overflow. This allows overwriting process memory and executing arbitrary code in the context of the operating system kernel. The vulnerability is remotely exploitable without authentication and without user interaction.
An attacker can remotely execute arbitrary code at Windows kernel level (kernel-mode RCE), gaining full control over the compromised host, including access to sensitive data, ability to modify the system, and potential lateral movement within the network.
Apply patches available from the vendor according to references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291. Until the fix is deployed, consider restricting network access to services using HTTP.sys (e.g., IIS, WinRM) using a firewall.
Windows systems using the HTTP.sys driver — versions indicated in the vendor references (Microsoft Security Response Center).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Windows 10 1607
OSMicrosoft< 10.0.14393.9234Microsoft Windows 10 1809
OSMicrosoft< 10.0.17763.8880Microsoft Windows 10 21h2
OSMicrosoft< 10.0.19044.7417Microsoft Windows 10 22h2
OSMicrosoft< 10.0.19045.7417Microsoft Windows 11 23h2
OSMicrosoft< 10.0.22631.7219Microsoft Windows 11 24h2
OSMicrosoft< 10.0.26100.8655Microsoft Windows 11 25h2
OSMicrosoft< 10.0.26200.8655Microsoft Windows 11 26h1
OSMicrosoft< 10.0.28000.2269Microsoft Windows Server 2012
OSMicrosoftr2Microsoft Windows Server 2016
OSMicrosoft< 10.0.14393.9234Microsoft Windows Server 2019
OSMicrosoft< 10.0.17763.8880Microsoft Windows Server 2022
OSMicrosoft< 10.0.20348.5256Microsoft Windows Server 2025
OSMicrosoft< 10.0.26100.32995
Related vulnerabilities
RCE w Windows Server Update Service (WSUS) — deserializacja danych
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly ...
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly val...
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properl...
Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows S...