Description
Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
Published: 2026-01-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Improper access control in Windows HTTP.sys enables an authorized attacker to elevate privileges over a network. The vulnerability stems from CWE‑284 and can lead to unauthorized escalation of privileges, potentially compromising data confidentiality, system integrity, and availability.

Affected Systems

Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2, Windows 11 versions 22H3 and 23H2, and a suite of Windows Server releases from 2008 R2 SP1 to 2022 and 23H2 editions are affected.

Risk and Exploitability

With a CVSS score of 7.5 and an EPSS score of less than 1%, the likelihood of exploitation is low, and it is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector is a network-based exploitation requiring an authorized attacker with access to the target’s HTTP.sys service, typically via crafted HTTP requests within the local or trusted network.

Generated by OpenCVE AI on April 16, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft security update for CVE‑2026‑20929 on all affected Windows 10, Windows 11, and Windows Server systems.
  • If the patch cannot be applied immediately, restrict inbound HTTP traffic by configuring firewall rules to block or limit access to ports 80 and 443 from untrusted sources.
  • Review and enforce least privilege on accounts that have network access to services using HTTP.sys, ensuring only necessary permissions are granted.
  • Monitor network traffic and system logs for anomalous HTTP requests or privilege escalation attempts.

Generated by OpenCVE AI on April 16, 2026 at 18:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows Server 2008
Microsoft windows Server 2022 23h2
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows Server 2008
Microsoft windows Server 2022 23h2

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network.
Title Windows HTTP.sys Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 23h2
Weaknesses CWE-284
CPEs cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows 10 1607
Microsoft windows 10 1809
Microsoft windows 10 21h2
Microsoft windows 10 22h2
Microsoft windows 11 23h2
Microsoft windows Server 2008 R2
Microsoft windows Server 2008 Sp2
Microsoft windows Server 2012
Microsoft windows Server 2012 R2
Microsoft windows Server 2016
Microsoft windows Server 2019
Microsoft windows Server 2022
Microsoft windows Server 23h2
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 21h2 Windows 10 22h2 Windows 10 22h2 Windows 11 23h2 Windows 11 23h2 Windows Server 2008 Windows Server 2008 R2 Windows Server 2008 Sp2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 Windows Server 23h2
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:12.836Z

Reserved: 2025-12-04T20:04:16.336Z

Link: CVE-2026-20929

cve-icon Vulnrichment

Updated: 2026-01-13T20:05:26.579Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T18:16:19.827

Modified: 2026-01-16T15:05:21.283

Link: CVE-2026-20929

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses