Microsoft patched CVE-2026-47291, a remotely exploitable flaw in Windows HTTP.sys that can cause denial of service or potentially kernel-level remote code execution on systems using the HTTP protocol stack behind IIS and other applications. The bug stems from an integer overflow while HTTP.sys expands a per-request buffer reference array during HTTP/1.x header parsing over TLS; the array's 16-bit capacity can wrap to zero, leading to a large kernel pool heap buffer overflow during memory movement operations.
Exploitation requires a remote, unauthenticated attacker to send a specially crafted HTTPS request with many header lines, placing each header in a separate TLS application data record so each becomes a distinct buffer reference. The issue is described as reachable only on the HTTP/1.x over TLS path, not the HTTP/2 or HTTP/3 parser paths, and it depends on the target accepting an unusually large request; keeping the MaxRequestBytes registry setting at or below 65,535 bytes is cited as a practical mitigation, while applying Microsoft's June 2026 patch is the recommended fix. Detection guidance includes inspecting decrypted HTTPS traffic for excessive HTTP/1.x header lines or, without decryption, looking for sustained connections carrying many small TLS application data records.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft fixed CVE-2026-47291, a remotely exploitable Windows HTTP.sys vulnerability, in its June 2026 release cycle. The patch is described as the recommended remediation for the issue.
Zero Day Initiative published a technical analysis of CVE-2026-47291, describing an integer overflow in Windows HTTP.sys during HTTP/1.x header parsing over TLS that can lead to kernel pool heap overflow, denial of service, or possible kernel-level remote code execution. The write-up explained exploitation conditions, including crafted header lines in separate TLS records and dependence on MaxRequestBytes configuration.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.