Critical

HTTP.sys Remote Code Execution Vulnerability

IdentifiersCVE-2026-47291CWE-190· Integer Overflow or Wraparound

CVE-2026-47291 is a critical remote code execution vulnerability in the Windows HTTP Protocol Stack (HTTP.sys). The flaw is described as an integer overflow or wraparound in HTTP.sys that can lead to a heap-based buffer overflow during processing of attacker-controlled network input. Microsoft states that an unauthenticated attacker can exploit the issue by sending a specially crafted packet to a targeted server using HTTP.sys. The vulnerability is remotely exploitable with no privileges and no user interaction, and carries CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Systems using the default MaxRequestBytes registry value of 16384 bytes are reported as not affected; exposure is associated with non-default configurations that increase MaxRequestBytes beyond safe limits.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution on a vulnerable Windows system exposing HTTP.sys. Given the CVSS vector and Microsoft’s assessment, compromise can result in high impact to confidentiality, integrity, and availability, including full system compromise of the targeted server. Multiple sources characterize the flaw as potentially wormable because exploitation is network-reachable, pre-authentication, and requires no user interaction.

Mitigation

If you can’t patch tonight, do this now.

Before patching, review the HTTP.sys registry configuration at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes. Microsoft states systems using the default value of 16384 bytes are not impacted. For systems with non-default larger-request configurations, Microsoft advises setting MaxRequestBytes to a safe value; the provided content states the minimum safe value to avoid the vulnerability is 65534 bytes. After changing the setting, restart the HTTP service or reboot the system. Microsoft also provided manual instructions and a PowerShell script to apply this mitigation.

Remediation

Patch, then assume compromise.

Apply the June 2026 Microsoft security updates for affected Windows operating systems. Microsoft lists an official fix for the vulnerability. After patch deployment, restart affected systems as required by the update process.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationWindowsoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

security affairsNews

Jun 9, 2026

Microsoft Releases Record-Breaking Patch Tuesday With 208 CVEs

A critical remote code execution vulnerability in HTTP.sys that allows unauthenticated remote exploitation without user interaction on affected systems with non-default MaxRequestBytes settings.

malware newsNews

Jun 9, 2026

Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities - Malware News - Malware Analysis, News and Indicators

A critical remote code execution vulnerability in Windows HTTP Protocol Stack (http.sys) caused by integer overflow or wraparound.

cvefeed high severityNews

Jun 9, 2026

CVE-2026-47291 - HTTP.sys Remote Code Execution Vulnerability

A remote code execution vulnerability in Windows HTTP.sys caused by an integer overflow or wraparound.

dark readingNews

Jun 9, 2026

Blame AI: Patch Tuesday Hits Record 206 CVEs

A critical remote code execution vulnerability in Windows HTTP.sys that allows unauthenticated remote compromise without user interaction and is described as potentially wormable.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-47291

NVD

nvd.nist.gov/vuln/detail/CVE-2026-47291

MITRE CWE · CWE-190

Integer Overflow or Wraparound

msrc.microsoft.com

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291