
CVE-2024-26219: Windows 10 1809 HTTP.sys DoS Vulnerability

CVE-2024-26219 is a denial of service vulnerability in Microsoft Windows 10 1809 HTTP.sys that allows attackers to disrupt system availability. This article covers the technical details, affected systems, and mitigation steps.

CVE-2024-26219 Overview

CVE-2024-26219 is a denial of service vulnerability in the Windows HTTP Protocol Stack (HTTP.sys), the kernel-mode driver that processes HTTP requests for IIS and other Windows services. Microsoft addressed the issue in the April 2024 Patch Tuesday release. The flaw is associated with a NULL pointer dereference [CWE-476], which an unauthenticated remote attacker can trigger by sending crafted HTTP traffic to an affected host. Successful exploitation causes the targeted service to become unresponsive, disrupting availability for any workload depending on HTTP.sys.

Critical Impact

An unauthenticated network attacker can crash or hang the HTTP Protocol Stack on Windows clients and servers, disrupting IIS, WinRM, and other services bound to HTTP.sys.

Affected Products

  • Microsoft Windows 10 (1809, 21H2, 22H2)
  • Microsoft Windows 11 (21H2, 22H2, 23H2)
  • Microsoft Windows Server 2019, Server 2022, and Server 2022 23H2

Discovery Timeline

  • 2024-04-09 - Microsoft releases security patch as part of April 2024 Patch Tuesday
  • 2024-04-09 - CVE-2024-26219 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-26219

Vulnerability Analysis

The vulnerability resides in HTTP.sys, the kernel-mode driver that parses HTTP request lines, headers, and body data before forwarding them to user-mode listeners such as IIS, WinRM, WSUS, and any application using the HTTP Server API. Because HTTP.sys runs in kernel space, a fault in request processing impacts the entire HTTP listener subsystem rather than a single user-mode worker process.

The CWE-476 (NULL Pointer Dereference) classification indicates that a specific request pattern reaches a code path where a pointer is dereferenced without prior validation. The resulting access violation halts request servicing on the targeted endpoint. The CVSS impact vector confirms the issue affects availability only — confidentiality and integrity are unaffected.

Root Cause

The defect stems from missing validation of an internal pointer or structure before it is referenced during HTTP request handling. When the protocol stack encounters the triggering input, the unchecked pointer is dereferenced and the driver faults. Microsoft has not published the specific function or request element that triggers the condition.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker who can reach TCP port 80, 443, or any other HTTP listener bound through HTTP.sys can deliver the malformed request directly. Internet-facing IIS servers and any Windows host exposing HTTP-based management endpoints such as WinRM are exposed. EPSS reporting places this CVE in the upper percentile for likelihood of exploitation activity within the next 30 days, reflecting attacker interest in HTTP stack flaws.

No public proof-of-concept code or exploitation in the wild has been confirmed, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update Guide for CVE-2024-26219 for vendor technical details.

Detection Methods for CVE-2024-26219

Indicators of Compromise

  • Unexpected HTTP.sys driver faults recorded in the System event log, often accompanied by bugcheck or WerFault entries referencing HTTP.sys.
  • IIS worker processes (w3wp.exe) becoming unresponsive or all sites returning connection resets despite the service appearing started.
  • Sudden gaps in HTTPERR logs under %SystemRoot%\System32\LogFiles\HTTPERR correlating with bursts of inbound HTTP traffic.

Detection Strategies

  • Monitor Windows Event IDs 1001 (Windows Error Reporting) and 41 (Kernel-Power) for crashes that reference the HTTP Protocol Stack.
  • Inspect network telemetry for repeated malformed HTTP requests, oversized headers, or anomalous verb and URI combinations directed at IIS hosts.
  • Correlate sudden drops in HTTP response volume on affected servers with inbound connection spikes from a small set of source IPs.
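
The HTTPERR correlation described above, as an added example (not code from Microsoft or from this page): it parses HTTPERR text by its `#Fields` directive and flags silences that directly follow a burst of entries from a few client IPs. The function names, thresholds and sample log lines are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse_httperr(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if "c-ip" not in row:
                continue  # no header seen yet, or truncated line
            try:
                row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            except (KeyError, ValueError):
                continue  # malformed timestamp
            yield row

def bursts_before_gaps(entries, gap=timedelta(minutes=10), window=timedelta(minutes=1),
                       burst_min=5, max_sources=3):
    """Flag silences of at least `gap` that directly follow a burst of at least
    `burst_min` entries from at most `max_sources` client IPs (assumed thresholds)."""
    entries = sorted(entries, key=lambda e: e["ts"])
    findings = []
    for prev, nxt in zip(entries, entries[1:]):
        if nxt["ts"] - prev["ts"] < gap:
            continue
        recent = [e for e in entries if prev["ts"] - window <= e["ts"] <= prev["ts"]]
        sources = Counter(e["c-ip"] for e in recent)
        if len(recent) >= burst_min and len(sources) <= max_sources:
            findings.append({"gap_start": prev["ts"], "gap_end": nxt["ts"],
                             "sources": dict(sources)})
    return findings

# Constructed sample using documentation address ranges; not real telemetry.
_ROW = "2024-04-10 {t} {ip} 50000 10.0.0.10 80 HTTP/1.1 GET / 400 1 BadRequest DefaultAppPool"
SAMPLE = "\n".join(
    ["#Software: Microsoft HTTP API 2.0",
     "#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri "
     "sc-status s-siteid s-reason s-queuename"]
    + [_ROW.format(t=t, ip=ip) for t, ip in [
        ("11:30:00", "192.0.2.10"), ("11:45:00", "192.0.2.11"),
        ("12:00:00", "198.51.100.7"), ("12:00:01", "198.51.100.7"),
        ("12:00:02", "198.51.100.8"), ("12:00:03", "198.51.100.7"),
        ("12:00:04", "198.51.100.8"), ("12:00:05", "198.51.100.7"),
        ("12:20:00", "192.0.2.10")]])
```

Run `bursts_before_gaps(parse_httperr(log_text))` over collected HTTPERR files and tune the thresholds to the host's normal error rate before alerting on the findings.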

Monitoring Recommendations

  • Forward Windows System, Application, and HTTPERR logs to a central log platform for cross-host correlation of HTTP.sys failures.
  • Track availability of HTTP listeners through synthetic probes so service interruption is detected within seconds.
  • Apply rate-limiting and anomaly detection at upstream load balancers or WAFs to identify request floods targeting IIS endpoints.

How to Mitigate CVE-2024-26219

Immediate Actions Required

  • Apply the April 2024 Microsoft security updates to all affected Windows 10, Windows 11, and Windows Server systems running HTTP.sys.
  • Inventory hosts exposing HTTP listeners — including IIS, WinRM, WSUS, and custom HTTP Server API applications — and prioritize internet-facing systems first.
  • Restart affected hosts after patching to ensure the updated HTTP.sys driver is loaded into the kernel.

Patch Information

Microsoft published the fix on 9 April 2024 through the standard cumulative update channel. KB numbers vary per Windows version; consult the Microsoft Security Update Guide for CVE-2024-26219 for the build-specific update applicable to each affected SKU. Verify deployment using Get-HotFix or by checking the OS build number against the Microsoft advisory.

Workarounds

  • Restrict inbound HTTP and HTTPS access to trusted networks using host firewall rules or perimeter ACLs until patches are applied.
  • Place affected IIS servers behind a reverse proxy or WAF configured to drop malformed HTTP requests and enforce strict header validation.
  • Disable unused HTTP-based services such as WinRM listeners on hosts that do not require remote management.

```powershell
# Configuration example: verify the April 2024 cumulative update is installed
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

# Restrict inbound HTTP/HTTPS to a trusted management subnet
New-NetFirewallRule -DisplayName "Restrict HTTP to mgmt subnet" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress 10.0.0.0/24 -Action Allow

# Windows Firewall gives block rules precedence over allow rules, so a blanket
# block on 80/443 would also cut off the management subnet. Rely on the default
# inbound block instead, and disable any broader allow rules for these ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
