Zero Day Initiative | Blog
Follow
CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys
A remote code execution vulnerability exists in the HTTP Protocol Stack for Microsoft Internet Information Services implemented in HTTP.sys, which can be exploited by sending crafted HTTP packets to the target system. The vulnerability is due to invalid validation of incoming HTTP requests, and successful exploitation can result in a denial-of-service condition or code execution with kernel privileges. HTTP.sys is the kernel-mode HTTP protocol driver in Microsoft Windows, and it provides HTTP request parsing, response caching, and SSL/TLS termination for Internet Information Services and other applications. The vulnerability is caused by an integer overflow in the buffer reference array during HTTP/1.x header parsing, which can lead to a kernel pool heap buffer overflow. To trigger the overflow, an attacker must craft an HTTP request with each header line encapsulated in a separate TLS application data record, requiring a minimum of 65,536 buffer references. The total request size would be approximately 262,144 bytes, which exceeds the default MaxRequestBytes registry value of 16,384 bytes. A remote unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP/1.x request over a TLS connection to an affected server, resulting in unexpected system termination or arbitrary code execution in the context of the kernel. Detection of this vulnerability can be achieved by monitoring and parsing traffic on TCP port 443, either by decrypting the TLS traffic and counting the number of distinct header field lines or by inspecting the pattern of TLS application data records within the encrypted session. The vulnerability was patched by Microsoft in the June 2026 release cycle, and the best method to ensure remediation is to test and deploy the vendor-supplied patch. To prevent exploitation, keeping the MaxRequestBytes registry value at or below 65,535 bytes represents a conservative configuration, and users are advised to follow the latest security patches and exploit techniques from the TrendAI Research team.