CVE-2026-33096 Overview
CVE-2026-33096 is an out-of-bounds read vulnerability in the Windows HTTP protocol stack (HTTP.sys). The flaw allows an unauthenticated remote attacker to trigger a denial-of-service condition by sending crafted HTTP requests over the network. HTTP.sys is a kernel-mode driver that handles HTTP traffic for IIS and other Windows services, making this vulnerability reachable on a wide range of server and client deployments. The issue is tracked under CWE-125: Out-of-bounds Read and affects multiple supported releases of Windows 11 and Windows Server.
Critical Impact
Remote, unauthenticated attackers can crash or stall affected Windows hosts running HTTP.sys, disrupting web services and any application relying on the kernel HTTP listener.
Affected Products
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1) on x64 and ARM64
- Microsoft Windows Server 2022 and Windows Server 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2026-04-14 - CVE-2026-33096 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-33096
Vulnerability Analysis
The vulnerability resides in HTTP.sys, the kernel-mode driver that parses inbound HTTP requests before dispatching them to user-mode listeners such as IIS, WinRM, and WCF self-hosted services. An out-of-bounds read [CWE-125] occurs when the driver reads beyond the allocated bounds of a buffer while processing attacker-controlled HTTP input.
Because HTTP.sys runs in kernel context, an invalid read can trigger a bug check and stop the system, or terminate the HTTP request processing path and render the service unresponsive. The attack vector is fully network-based and requires no authentication or user interaction.
Exploitation does not yield code execution or information disclosure. The impact is constrained to availability, and successful exploitation results in service disruption rather than confidentiality or integrity loss.
Root Cause
The root cause is missing or insufficient bounds validation when HTTP.sys parses a specific element of incoming HTTP requests. Crafted input causes the driver to dereference memory outside the intended buffer, leading to an exception in kernel mode.
Attack Vector
An attacker sends a specially crafted HTTP request to any endpoint serviced by HTTP.sys on a vulnerable host. This includes IIS websites, WinRM listeners on TCP/5985 and TCP/5986, and any custom service registered with the kernel HTTP listener. Internet-exposed web servers and management interfaces are the highest-risk targets.
No verified public exploit or proof-of-concept code is available at this time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft CVE-2026-33096 Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-33096
Indicators of Compromise
- Unexpected bug checks referencing HTTP.sys or stop codes generated from the kernel HTTP stack
- Sudden termination or restart of the HTTP service (http.sys) and dependent services such as W3SVC and WinRM
- Spikes of malformed or oversized HTTP requests in IIS logs (%SystemDrive%\inetpub\logs\LogFiles) immediately preceding service failure
Detection Strategies
- Monitor Windows Event Log for System channel events from source HTTP and for bug check events (Event ID 1001) referencing the kernel HTTP driver
- Correlate IIS sc-status codes of 400 and 503 with concurrent service restarts to identify probing or exploitation attempts
- Inspect network telemetry for anomalous HTTP request patterns targeting HTTP.sys-backed endpoints, including malformed headers and unusual chunked encoding
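The status-code correlation described above, as an added example (not code from the advisory or from Microsoft): it parses W3C-format IIS log lines and flags client IPs that produced a burst of 400/503 responses shortly before a service restart. The log lines, restart times, window and threshold are constructed for illustration, and both sources are assumed to use UTC.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from a real host): IIS W3C log lines and
# service-restart timestamps as they might be exported from the System log.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-04-20 10:00:01 198.51.100.7 GET /index.html 200
2026-04-20 10:04:10 203.0.113.9 GET /a 400
2026-04-20 10:04:11 203.0.113.9 GET /b 400
2026-04-20 10:04:12 203.0.113.9 GET /c 400
2026-04-20 10:04:13 203.0.113.9 GET /d 503
2026-04-20 10:04:14 198.51.100.7 GET /index.html 503
2026-04-20 11:30:00 198.51.100.8 GET /x 400
"""
RESTARTS = ["2026-04-20 10:05:00", "2026-04-20 12:00:00"]
FMT = "%Y-%m-%d %H:%M:%S"

def parse_w3c(text):
    """Yield (timestamp, client_ip, status), using the #Fields header for column order."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            try:
                ts = datetime.strptime(f"{row['date']} {row['time']}", FMT)
                yield ts, row["c-ip"], int(row["sc-status"])
            except (KeyError, ValueError):
                continue  # skip truncated or malformed records

def correlate(log_text, restarts, window_s=120, threshold=3):
    """Return {restart: {client_ip: count}} for 400/503 bursts preceding each restart."""
    errors = [e for e in parse_w3c(log_text) if e[2] in (400, 503)]
    findings = {}
    for r in restarts:
        end = datetime.strptime(r, FMT)
        start = end - timedelta(seconds=window_s)
        counts = Counter(ip for ts, ip, _ in errors if start <= ts <= end)
        hits = {ip: n for ip, n in counts.items() if n >= threshold}
        if hits:
            findings[r] = hits
    return findings

if __name__ == "__main__":
    print(correlate(IIS_LOG, RESTARTS))
```

A restart with no preceding burst (the second one in the sample) produces no finding, which keeps routine maintenance restarts out of the alert stream.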
Monitoring Recommendations
- Enable centralized collection of Windows System and Application logs from all IIS and WinRM hosts
- Alert on repeated HTTP.sys service crashes or kernel bug checks within short time windows across the fleet
- Track availability metrics for web-facing endpoints and flag deviations that coincide with inbound HTTP anomalies
How to Mitigate CVE-2026-33096
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-33096 Advisory to all affected Windows 11 and Windows Server hosts
- Inventory all systems running IIS, WinRM, or other HTTP.sys-based listeners and prioritize internet-exposed servers for patching
- Restrict inbound access to management endpoints such as WinRM to trusted administrative networks
Patch Information
Microsoft has issued security updates for Windows 11 23H2, 24H2, 25H2, 26H1, Windows Server 2022, Windows Server 2022 23H2, and Windows Server 2025. Consult the Microsoft CVE-2026-33096 Advisory for the specific KB articles and build numbers applicable to each release.
Workarounds
- Place affected web servers behind a web application firewall or reverse proxy that validates and normalizes HTTP requests before they reach HTTP.sys
- Limit exposure of non-essential HTTP.sys-backed services by binding them to internal interfaces or disabling unused listeners
- Enable rate limiting and request filtering in IIS to reduce the impact of repeated malformed request attempts
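```powershell
# Verify installed updates on Windows hosts
# (Get-HotFix replaces wmic, which is not present by default on newer Windows releases)
Get-HotFix | Format-Table HotFixID, Description, InstalledOn -AutoSize
# Restrict the WinRM listener to local addresses on a trusted management subnet
# (IPv4Filter takes IP1-IP2 ranges, not CIDR notation)
winrm set winrm/config/service '@{IPv4Filter="10.0.0.1-10.0.0.254"}'
# Enable IIS Request Filtering limits (example); appcmd.exe is not on PATH by default
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
& $appcmd set config /section:requestFiltering /requestLimits.maxAllowedContentLength:30000000
& $appcmd set config /section:requestFiltering /requestLimits.maxUrl:4096
& $appcmd set config /section:requestFiltering /requestLimits.maxQueryString:2048
```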