Deep Dive into CVE‑2026‑47291: Windows HTTP.sys RCE and Public PoC
Security researcher Omair released a PoC for CVE‑2026‑47291, a critical integer‑overflow flaw in Windows HTTP.sys that enables unauthenticated remote code execution with SYSTEM privileges across a fourteen‑year span of Windows client and server versions, prompting urgent patching and mitigation guidance.
Vulnerability Overview
CVE‑2026‑47291 is a critical remote code execution vulnerability (CVSS 9.8) in the Windows HTTP protocol stack (HTTP.sys). The flaw is an integer overflow (CWE‑190) that leads to a heap buffer overflow (CWE‑122) during request parsing, allowing kernel‑mode code execution without authentication.
Technical Analysis
Attack Surface
HTTP.sys is used by all services that rely on the Windows HTTP Server API, not only IIS. Affected services include IIS, WinRM, WSDAPI, print spooler, and any custom applications that use the API. The vulnerability impacts Windows client versions 10 (1607‑22H2) and 11 (23H2‑26H1) and server versions from 2012 through 2025.
Exploit Chain
The exploitation steps are:
Craft an HTTP request with malicious length fields (e.g., Content‑Length or Transfer‑Encoding: chunked).
The parser performs arithmetic on these fields; the result wraps around uint32, producing a tiny allocation size.
The kernel allocates a heap buffer far smaller than required.
HTTP.sys writes the full attacker payload into the undersized buffer, corrupting adjacent heap objects.
Control‑flow is hijacked by overwriting a kernel object, executing attacker‑controlled code in Ring 0 and gaining SYSTEM privileges.
Post‑Exploitation Capabilities
With SYSTEM rights an attacker can install persistent backdoors or rootkits, dump LSASS to obtain credential hashes, perform lateral movement using stolen tokens, bypass or disable EDR agents, and deploy ransomware. Because the fault occurs in kernel mode, no application‑level logs are generated, making detection difficult.
Wormability
Microsoft does not label the flaw as wormable. Researchers note that while the integer overflow itself does not automatically enable self‑propagation, a stable, crash‑free exploit could be weaponized for worm‑like behavior.
PoC Release
On 2026‑07‑11 security researcher Omair ([@w3bd3vil]) published a full PoC on GitHub (github.com/omair2084/misc). Although the PoC does not include a fully weaponized exploit, it demonstrates the full trigger chain, lowering the barrier for red‑team development.
The public PoC will likely lead to automated scanners (e.g., Shodan, ZoomEye) that enumerate exposed 80/443 hosts lacking the June 2026 patch.
Defense and Remediation
Emergency Patch
Microsoft released the fix in the June 2026 Patch Tuesday update (KB502569). Administrators should apply the update immediately, prioritizing internet‑facing servers and hosts with WinRM enabled.
Temporary Mitigations
Restrict inbound traffic on ports 80, 443, 5985, and 5986 to trusted source IPs.
Disable unnecessary HTTP services, especially WinRM, on servers that do not require them.
Deploy WAF/IPS signatures: Check Point CPAT‑2026‑6526 and Talos Snort rules.
Long‑Term Hardening
Enforce the principle of least privilege for service accounts.
Enable Windows Defender Application Control (WDAC) to block unsigned kernel code.
Rotate credentials regularly to mitigate LSASS dump attacks.
Monitor HTTP.sys‑related kernel events; BugCheck dumps can indicate exploitation.
Conclusion
The combination of unauthenticated access, kernel‑mode execution, and network reachability makes CVE‑2026‑47291 exceptionally dangerous across a broad Windows ecosystem. With the PoC now public, the vulnerability represents a high‑priority target for attackers and a critical remediation item for defenders.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
