CVE-2026-47291 is a critical remote code execution vulnerability in the Windows HTTP Protocol Stack (HTTP.sys). The flaw is caused by an integer overflow or wraparound condition and is also associated with a heap-based buffer overflow condition during HTTP.sys request processing. A remote, unauthenticated attacker can trigger the vulnerability by sending a specially crafted network packet to a Windows system or server that uses HTTP.sys to process inbound HTTP traffic. The issue affects exposed systems where the relevant HTTP.sys request-size configuration is set away from the unaffected default, and Microsoft assessed exploitation as more likely.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Small PoC repository with two files: a README describing claimed HTTP.sys issues (CVE-2026-49160 and CVE-2026-47291) and one Python exploit/probe script, http2_bomb.py. The Python script is the main artifact. It uses Python's ssl/socket libraries plus the hyper-h2 library to establish a TLS connection, require ALPN negotiation of HTTP/2 ('h2'), initiate an HTTP/2 session, and send a single GET request containing the 4 required pseudo-headers plus a user-controlled number of additional regular headers (default 20, named x-fooooooo-XXXX). It then reads and prints HTTP/2 events such as response headers, data, stream end, stream reset, or connection termination. The exploit capability is therefore a network/web-layer malformed-or-stress request generator aimed at exercising vulnerable HTTP/2 header handling in HTTP.sys, potentially for denial-of-service testing or vulnerability triggering. There is no shellcode, command execution, persistence, or follow-on payload. The README also includes a separate illustrative Python snippet that slowly sends a very large number of HTTP/1.1 headers to hello.lab over TLS and claims this can increment an internal counter toward overflow for CVE-2026-47291, but that snippet is documentation only and not present as a runnable repository file. Overall, this is a proof-of-concept network exploit repository focused on triggering or probing HTTP.sys request-header parsing behavior over HTTPS/HTTP2 rather than achieving post-exploitation control.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical remote code execution vulnerability in Microsoft's HTTP.sys / Windows HTTP Protocol Stack caused by an integer overflow or wraparound error, allowing remote attackers to execute code by sending a specially crafted malicious packet to a target server.
A remote code execution vulnerability caused by an integer overflow in Windows HTTP.sys / HTTP Protocol Stack.
Критическая RCE-уязвимость в HTTP.sys, не требующая учетных данных или взаимодействия с пользователем.
HTTP.sys remote code execution vulnerability assessed as more likely to be exploited within 30 days and carrying a high CVSS score.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.