CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys
Strategic summary
A vulnerability was discovered in Windows HTTP.sys, the kernel-mode HTTP driver, due to insufficient bounds checking when parsing HTTP/1.x headers. An integer overflow can allow a remote, unauthenticated attacker to send specially crafted HTTP packets to execute arbitrary code with kernel privileges or cause a denial of service. The flaw occurs in the function that expands the buffer reference array when processing new receive buffers. This vulnerability specifically affects Internet Information Services and other applications that register URL prefixes.
Key findings
- The vulnerability CVE-2026-47291 allows remote code execution with kernel privileges through an integer overflow in HTTP.sys.
- Affected is the HTTP/1.x header processing where a buffer reference array is improperly expanded.
- An attacker can exploit the vulnerability without authentication via specially crafted HTTP packets.
- Successful exploitation leads to denial of service or full system compromise.
- The vulnerability resides in the kernel-mode driver HTTP.sys, which is fundamental for IIS.
Relevance for you
HTTP.sys kernel-mode RCE allows unauthenticated remote attackers to achieve code execution with kernel privileges via specially crafted HTTP/1.x requests over TLS.
Mentioned CVEs
Risk score
- cvss base
- 98.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 113.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- vote penalty
- -2.00
Path: operational
Consensus check
Models disagree: Models disagree on severity
- Vote penalty:
- −2.0
- Total penalty:
- −2.0
MITRE ATT&CK mapping
3 TTPsProcedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1190 Exploit Public-Facing Application | Initial Access | A remote unauthenticated attacker exploits CVE-2026-47291 by sending specially crafted HTTP/1.x requests over TLS connections to Windows HTTP.sys (IIS), triggering an integer overflow during HTTP header parsing to achieve kernel-level code execution or denial-of-service. | high | llm |
| T1499.004 Application or System Exploitation | Impact | Successful exploitation of the HTTP.sys integer overflow vulnerability can result in unexpected system termination due to a memory access exception in kernel context, causing a denial-of-service condition on the targeted Windows system. | high | llm |
| T1068 Exploitation for Privilege Escalation | Privilege Escalation | Under specific memory layout conditions, exploitation of CVE-2026-47291 in the kernel-mode HTTP.sys driver can result in arbitrary code execution in the context of the kernel, providing the attacker with the highest privilege level on the system. | high | llm |