CVE-2026-47291 Overview
CVE-2026-47291 is an integer overflow vulnerability in the Windows HTTP protocol stack (HTTP.sys). The flaw allows an unauthenticated remote attacker to execute code over the network by sending crafted HTTP requests. Because HTTP.sys runs in kernel mode, successful exploitation results in code execution with SYSTEM privileges. The vulnerability affects nearly all supported Windows client and server editions, including Windows Server 2025 and Windows 11 26H1. Microsoft published the advisory on June 9, 2026, and assigned a CVSS score of 9.8.
Critical Impact
Unauthenticated network-based remote code execution in the Windows HTTP kernel driver, affecting Windows 10, Windows 11, and Windows Server 2012 through 2025.
Affected Products
- Microsoft Windows 10 (1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (23H2, 24H2, 25H2, 26H1)
- Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025
Discovery Timeline
- 2026-06-09 - CVE-2026-47291 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47291
Vulnerability Analysis
The vulnerability resides in HTTP.sys, the kernel-mode driver that parses incoming HTTP requests for IIS and any application using the Windows HTTP Server API. An integer overflow [CWE-190] in the request parser causes a length calculation to wrap, leading to an undersized buffer allocation. Subsequent copy operations then write past the allocation on the kernel pool, producing a heap-based buffer overflow [CWE-122]. The condition is reachable before authentication, so any service listening on HTTP or HTTPS exposes the host.
Root Cause
The defect stems from arithmetic on attacker-controlled length fields used during HTTP request processing. When the computed size wraps to a small value, HTTP.sys allocates a buffer smaller than the data it later copies. The mismatch corrupts adjacent kernel pool structures and creates a primitive suitable for code execution.
Attack Vector
Exploitation requires a single HTTP request sent to any endpoint backed by HTTP.sys. This includes IIS, WinRM on default ports 5985/5986, WSDAPI, Windows Remote Management, and third-party services that use the HTTP Server API. No user interaction or credentials are required. Verified public proof-of-concept code is not available at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is published. See the Microsoft Security Update CVE-2026-47291 advisory for vendor technical details.
Detection Methods for CVE-2026-47291
Indicators of Compromise
- Unexpected HTTP.sys kernel pool corruption events or bugchecks (BugCheck 0x139, KERNEL_SECURITY_CHECK_FAILURE) following inbound HTTP traffic.
- HTTP requests containing oversized or malformed Content-Length, Transfer-Encoding, or chunked-encoding headers from untrusted sources.
- New child processes spawning from System (PID 4) or svchost.exe hosting http shortly after inbound HTTP requests.
Detection Strategies
- Inspect IIS and HTTP.sys error logs (%SystemRoot%\System32\LogFiles\HTTPERR) for anomalous parser errors such as Request_Header_Too_Long or BadRequest spikes from single sources.
- Deploy network signatures for malformed HTTP request smuggling patterns and oversized header chains targeting Windows hosts.
- Correlate kernel crash telemetry with preceding inbound HTTP sessions to identify exploitation attempts that failed.
Monitoring Recommendations
- Enable Windows Defender Firewall logging on TCP/80, TCP/443, TCP/5985, and TCP/5986 to capture source IPs of suspicious sessions.
- Forward IIS W3SVC logs and HTTP.sys ETW providers (Microsoft-Windows-HttpService) to a centralized SIEM for retrospective hunting.
- Alert on anomalous outbound connections or process creations originating from IIS worker processes (w3wp.exe) after the patch level is confirmed missing.
How to Mitigate CVE-2026-47291
Immediate Actions Required
- Apply the June 2026 Microsoft security updates to all affected Windows client and server systems as identified in the MSRC advisory.
- Inventory hosts exposing HTTP.sys-backed services (IIS, WinRM, WSDAPI, print services) to the internet and prioritize them for patching.
- Restrict inbound HTTP and HTTPS access to management interfaces via firewall rules and segmentation until patching completes.
Patch Information
Microsoft has released cumulative updates addressing CVE-2026-47291 across all supported Windows versions. Refer to the Microsoft Security Update CVE-2026-47291 advisory for the KB article matching each build. The fix corrects the length arithmetic in the HTTP.sys request parser to prevent the integer overflow.
Workarounds
- If patching must be delayed, place vulnerable hosts behind a reverse proxy or web application firewall that normalizes HTTP headers and rejects malformed length fields.
- Disable unused HTTP-listening services such as WinRM, WSDAPI, and the Print Spooler HTTP listener where business requirements allow.
- Apply network ACLs to restrict TCP/80, TCP/443, and WinRM ports (5985/5986) to trusted management subnets only.
# Example: restrict WinRM HTTP listener to a management subnet on Windows Server
New-NetFirewallRule -DisplayName "Block WinRM HTTP except mgmt" `
-Direction Inbound -Protocol TCP -LocalPort 5985 `
-RemoteAddress 10.0.0.0/24 -Action Allow
New-NetFirewallRule -DisplayName "Block WinRM HTTP all others" `
-Direction Inbound -Protocol TCP -LocalPort 5985 `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
