CVE-2026-20929 Overview
CVE-2026-20929 is an improper access control vulnerability in the Windows HTTP.sys kernel-mode driver. The flaw allows an authorized attacker with low privileges to elevate privileges over a network. Microsoft confirmed the issue affects a broad range of Windows client and server releases, including Windows 10, Windows 11 23H2, and Windows Server versions from 2008 through 2022 23H2. The weakness maps to [CWE-284: Improper Access Control].
Critical Impact
A remote authenticated attacker can abuse HTTP.sys access control gaps to gain elevated privileges, compromising confidentiality, integrity, and availability of the affected host.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2) and Windows 11 23H2
- Microsoft Windows Server 2008 SP2, 2008 R2 SP1, 2012, and 2012 R2
- Microsoft Windows Server 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2026-01-13 - CVE-2026-20929 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-20929
Vulnerability Analysis
The vulnerability resides in HTTP.sys, the kernel-mode HTTP protocol stack that services Internet Information Services (IIS), WinRM, WSUS, and any application using the HTTP Server API. Improper access control checks within request handling allow an authenticated attacker on the network to perform operations reserved for higher-privileged contexts. Successful exploitation results in privilege elevation on the target system, with high impact to confidentiality, integrity, and availability. The attack vector is network-based, but the attacker must already hold valid low-privileged credentials. The high attack complexity indicates that exploitation depends on race conditions, specific server configurations, or other preconditions outside attacker control.
Root Cause
The root cause is improper enforcement of access control boundaries in HTTP.sys when processing network requests. The driver fails to consistently validate the privilege context of the requester before permitting privileged operations, enabling crossing of trust boundaries within the HTTP protocol stack.
Attack Vector
Exploitation requires network reachability to a service that consumes HTTP.sys, such as IIS or WinRM, and valid low-privileged credentials. The attacker crafts HTTP requests that trigger the deficient access control path, causing kernel-mode code to perform actions in an elevated security context. No user interaction is required. Public exploit code is not available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.
No verified proof-of-concept code is publicly available. Refer to the Microsoft CVE-2026-20929 Update Guide for authoritative technical details.
Detection Methods for CVE-2026-20929
Indicators of Compromise
- Anomalous authenticated HTTP requests targeting IIS, WinRM (ports 5985/5986), or other HTTP.sys-backed services from internal hosts.
- Unexpected creation of privileged processes or services following inbound HTTP traffic to a web-facing endpoint.
- New local administrator accounts or scheduled tasks created shortly after authenticated HTTP sessions terminate.
Detection Strategies
- Correlate Windows Security event IDs 4624 (logon) and 4672 (special privileges assigned) with active HTTP sessions on the same host.
- Monitor HTTP.sys error logs in %SystemRoot%\System32\LogFiles\HTTPERR for abnormal request patterns or malformed verbs.
- Apply behavioral identification rules that flag privilege escalation chains initiated by w3wp.exe, WinRMprovhost.exe, or other HTTP.sys consumer processes.
Monitoring Recommendations
- Enable IIS logging with extended fields and forward logs to a centralized SIEM for correlation with endpoint telemetry.
- Audit Process Creation (event ID 4688) and Token Manipulation events on all servers exposing HTTP services.
- Track outbound lateral movement from web servers, including SMB and WMI traffic following inbound authenticated HTTP requests.
How to Mitigate CVE-2026-20929
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-20929 Update Guide to all affected Windows client and server systems.
- Inventory hosts running IIS, WinRM, WSUS, and any custom services binding to HTTP.sys, and prioritize internet-facing systems for patching.
- Rotate credentials for any low-privileged accounts that authenticate to HTTP services after confirming patch deployment.
Patch Information
Microsoft has issued security updates for all supported affected versions through the standard Patch Tuesday distribution. Administrators should consult the Microsoft CVE-2026-20929 Update Guide for KB article numbers specific to each Windows build and apply updates through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Restrict network access to HTTP.sys-backed services using host firewalls and network segmentation, allowing only required administrative subnets.
- Disable unused HTTP endpoints, including WinRM on systems that do not require remote management.
- Enforce least privilege on service accounts and audit membership of groups that can authenticate to IIS and WinRM endpoints.
# Restrict WinRM listener to trusted management subnet
Set-Item WSMan:\localhost\Service\IPv4Filter -Value "10.0.10.0/24"
# Block external access to HTTP.sys ports on non-web servers
New-NetFirewallRule -DisplayName "Block-WinRM-External" -Direction Inbound -Protocol TCP -LocalPort 5985,5986 -RemoteAddress Internet -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
