Critical RCE Vulnerability in Windows HTTP.sys Patched

Critical RCE Vulnerability in Windows HTTP.sys Patched

First seen 10 Jul 2026, 22:41 UTC ThezdiZerodayinitiativeMallory.Aigo.trendmicro.comwww.rfc-editor.org+3 94% similarity 72.8

Article Content

Browse articles
ThreatCluster

Microsoft patched CVE-2026-47291, a critical remote code execution vulnerability in the Windows HTTP.sys protocol stack. This flaw allows unauthenticated remote attackers to exploit an integer overflow during HTTP/1.x header parsing over TLS, potentially leading to kernel-level code execution or denial of service. The vulnerability affects systems using Microsoft Internet Information Services (IIS) and requires specially crafted HTTPS requests with excessive header lines. The issue is limited to HTTP/1.x over TLS, with mitigation suggested by keeping the MaxRequestBytes registry setting below 65,535 bytes. The vulnerability was first published on June 9, 2026, with a proof of concept emerging shortly after on June 11. Security teams are advised to apply the June 2026 patch immediately to protect their systems.

Key Points: • CVE-2026-47291 allows remote code execution via crafted HTTP requests. • The vulnerability is limited to HTTP/1.x over TLS, not affecting HTTP/2 or HTTP/3. • Microsoft recommends keeping MaxRequestBytes below 65,535 bytes as a mitigation.

ThreatCluster AI

Timeline

2026-06-09
CVE-2026-47291 published
Microsoft disclosed a remote code execution vulnerability in HTTP.sys affecting IIS and other applications.
Zerodayinitiative
2026-06-11
First public PoC released
A proof of concept demonstrating the exploitation of CVE-2026-47291 was made public.
Zerodayinitiative
2026-06-2026
Patch released
Microsoft released a patch for CVE-2026-47291 in its June 2026 update cycle.
Mallory.Ai
2026-07-10
Vulnerability analysis published
TrendAI Research detailed the integer overflow vulnerability and its exploitation conditions.
Zerodayinitiative

Community

Browse all →