CVE-2026-47291 – HTTP.sys Remote Code Execution Vulnerability

CVE-2026-47291 is a Critical remote code execution vulnerability in Windows HTTP.sys caused by an integer overflow or wraparound and heap-based buffer overflow. An unauthenticated attacker could send a specially crafted packet to a targeted server using the HTTP Protocol Stack. Successful exploitation could allow code execution over the network without user interaction.

CVSS Score: 9.8
SEVERITY: Critical
THREAT:
This vulnerability is highly dangerous because it is network-accessible, requires no privileges, and requires no user interaction. Systems using non-default or unsafe MaxRequestBytes configurations may be exposed.

EXPLOITS:
Publicly Disclosed: No.
Exploited: No.
Exploitability Assessment: Exploitation More Likely.
No public exploit, zero-day exploitation, or proof-of-concept code is confirmed in the provided data.

TECHNICAL SUMMARY:
CVE-2026-47291 affects Windows HTTP.sys and is caused by integer overflow or wraparound and heap-based buffer overflow conditions, identified as CWE-190 and CWE-122. A crafted packet sent to a server using HTTP.sys could trigger unsafe memory handling and allow remote code execution. The CVSS v3.1 metrics show network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability.

EXPLOITABILITY:
Affected software includes Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, and 26H1; Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, including listed Server Core installations.
Exploitation can occur remotely by sending a specially crafted packet to a vulnerable server using HTTP.sys.

BUSINESS IMPACT:
This vulnerability creates severe business risk because HTTP.sys is used by Windows services that process HTTP traffic. A successful attack could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement across the environment. Internet-facing systems are especially exposed.

WORKAROUND:
No workarounds are listed.
A mitigation is listed: ensure MaxRequestBytes is set to the default value of 16384, or use 65534 as the minimum safe value if larger requests are required. Systems using the default value of 16384 are not impacted by this vulnerability.

URGENCY:
This patch should be deployed urgently because the vulnerability is Critical, has a CVSS v3.1 score of 9.8, requires no authentication, requires no user interaction, and is assessed as exploitation more likely. This is the type of issue that can move quickly from exposure to compromise.