Zerodayinitiative
Critical RCE Vulnerability in Windows HTTP.sys Patched
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Microsoft patched CVE-2026-47291, a critical remote code execution vulnerability in the Windows HTTP.sys protocol stack. This flaw allows unauthenticated remote attackers to exploit an integer overflow during HTTP/1.x header parsing over TLS, potentially leading to kernel-level code execution or denial of service. The vulnerability affects systems using Microsoft Internet Information Services (IIS) and requires specially crafted HTTPS requests with excessive header lines. The issue is limited to HTTP/1.x over TLS, with mitigation suggested by keeping the MaxRequestBytes registry setting below 65,535 bytes. The vulnerability was first published on June 9, 2026, with a proof of concept emerging shortly after on June 11. Security teams are advised to apply the June 2026 patch immediately to protect their systems.
Key Points: • CVE-2026-47291 allows remote code execution via crafted HTTP requests. • The vulnerability is limited to HTTP/1.x over TLS, not affecting HTTP/2 or HTTP/3. • Microsoft recommends keeping MaxRequestBytes below 65,535 bytes as a mitigation.