Skip to content
Auto-CTI
Back to all deep dives
ZERO DAY INITIATIVE - BLOG

CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys

CRITICAL HTTP.sys IIS kernel-mode unauthenticated
CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys

Strategic summary

A vulnerability was discovered in Windows HTTP.sys, the kernel-mode HTTP driver, due to insufficient bounds checking when parsing HTTP/1.x headers. An integer overflow can allow a remote, unauthenticated attacker to send specially crafted HTTP packets to execute arbitrary code with kernel privileges or cause a denial of service. The flaw occurs in the function that expands the buffer reference array when processing new receive buffers. This vulnerability specifically affects Internet Information Services and other applications that register URL prefixes.

Key findings

  • The vulnerability CVE-2026-47291 allows remote code execution with kernel privileges through an integer overflow in HTTP.sys.
  • Affected is the HTTP/1.x header processing where a buffer reference array is improperly expanded.
  • An attacker can exploit the vulnerability without authentication via specially crafted HTTP packets.
  • Successful exploitation leads to denial of service or full system compromise.
  • The vulnerability resides in the kernel-mode driver HTTP.sys, which is fundamental for IIS.

Relevance for you

HTTP.sys kernel-mode RCE allows unauthenticated remote attackers to achieve code execution with kernel privileges via specially crafted HTTP/1.x requests over TLS.

Mentioned CVEs

Risk score

Models disagree 98
cvss base
98.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
113.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
vote penalty
-2.00

Path: operational

Consensus check

Models disagree: Models disagree on severity

Vote penalty:
−2.0
Total penalty:
−2.0

MITRE ATT&CK mapping

3 TTPs
Recon
Resource Dev
Execution
Persistence
Def. Evasion
Cred. Access
Discovery
Lateral Mov.
Collection
C2
Exfiltration
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1190
Exploit Public-Facing Application
Initial Access A remote unauthenticated attacker exploits CVE-2026-47291 by sending specially crafted HTTP/1.x requests over TLS connections to Windows HTTP.sys (IIS), triggering an integer overflow during HTTP header parsing to achieve kernel-level code execution or denial-of-service. high llm
T1499.004
Application or System Exploitation
Impact Successful exploitation of the HTTP.sys integer overflow vulnerability can result in unexpected system termination due to a memory access exception in kernel context, causing a denial-of-service condition on the targeted Windows system. high llm
T1068
Exploitation for Privilege Escalation
Privilege Escalation Under specific memory layout conditions, exploitation of CVE-2026-47291 in the kernel-mode HTTP.sys driver can result in arbitrary code execution in the context of the kernel, providing the attacker with the highest privilege level on the system. high llm
ESC