CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver
Vulnerability ID: CVE-2026-47291
CVSS Score: 9.8
Published: 2026-06-09
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
TL;DR
Unauthenticated remote code execution (RCE) in Windows HTTP.sys via integer overflow in header capacity allocation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-190, CWE-122
- Attack Vector: Network (Unauthenticated)
- CVSS Score: 9.8 (Critical)
- EPSS Score: 0.21506 (21.51%)
- Impact: Remote Code Execution (Ring 0 / SYSTEM)
- Exploit Status: PoC Available / Actively Traded
- KEV Status: Not Listed
Affected Systems
- Windows 10
- Windows 11
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
-
Windows 10: < 10.0.14393.9234 (Fixed in:
10.0.14393.9234) -
Windows 11: < 10.0.22631.7219 (Fixed in:
10.0.22631.7219) -
Windows Server 2022: < 10.0.20348.5256 (Fixed in:
10.0.20348.5256) -
Windows Server 2025: < 10.0.26100.32995 (Fixed in:
10.0.26100.32995)
Exploit Details
- GitHub: Python Proof of Concept script demonstrating kernel memory crash.
- GitHub: Exploit details and verification instructions.
- SatoshiDisk: Commercial listing of weaponized exploit script
Mitigation Strategies
- Apply June 2026 cumulative Windows security update
- Deploy Web Application Firewall (WAF) or reverse proxy to restrict maximum header count and size
- Configure IIS registry limits for maximum request header lengths
Remediation Steps:
- Locate the appropriate KB update package matching your Windows Server or Windows client build version.
- Initiate installation of the cumulative update package on all targeted systems.
- Reboot host endpoints to ensure the updated HTTP.sys kernel driver is loaded successfully.
- In non-patchable environments, configure HKLM\System\CurrentControlSet\Services\HTTP\Parameters with restricted MaxFieldLength values.
References
- Microsoft Security Update Guide
- CVE Record Details
- dhmosfunk GitHub Repository
- ManagerEmpty GitHub Repository
Read the full report for CVE-2026-47291 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)