Description
Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow or wraparound in Windows HTTP.sys permits an unauthenticated attacker to execute code over the network, resulting in full remote code execution on the affected system. The flaw is classified as a heap-based buffer overflow (CWE-122) and an integer overflow or wraparound (CWE-190), which lets the attacker corrupt internal state and execute arbitrary instructions.

Affected Systems

The vulnerability affects Microsoft Windows 10 versions 1607, 1809, 21H2 and 22H2; Windows 11 versions 23H2, 24H2, 25H2 and 26H1; and Windows Server 2012, 2012 R2, 2016, 2019, 2022 and 2025 (including Server Core installations). Any machine running the HTTP.sys service on these operating systems is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered critical; the EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires only network access to the HTTP.sys endpoint and no authentication, making it an easily exploitable remote attack vector. An adversary can send a crafted HTTP request that triggers the integer wraparound, leading to arbitrary code execution on the target host.

Generated by OpenCVE AI on June 9, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-47291 via the update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291
  • Ensure that all affected Windows 10/11 and Windows Server 2012‑2025 installations have installed the latest update, including any cumulative rollups
  • If immediate patching is not possible, mitigate exposure by restricting or blocking inbound network access to HTTP.sys on vulnerable systems, or by disabling the HTTP service entirely if it is not required

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type: values added (the Values Removed column is empty for this entry)

Description: Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.

Title: HTTP.sys Remote Code Execution Vulnerability

First Time appeared:
  • Microsoft
  • Microsoft windows 10 1607
  • Microsoft windows 10 1809
  • Microsoft windows 10 21h2
  • Microsoft windows 10 22h2
  • Microsoft windows 11 23h2
  • Microsoft windows 11 24h2
  • Microsoft windows 11 25h2
  • Microsoft windows 11 26h1
  • Microsoft windows Server 2012
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2016
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025

Weaknesses: CWE-122, CWE-190

CPEs:
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

Vendors & Products:
  • Microsoft
  • Microsoft windows 10 1607
  • Microsoft windows 10 1809
  • Microsoft windows 10 21h2
  • Microsoft windows 10 22h2
  • Microsoft windows 11 23h2
  • Microsoft windows 11 24h2
  • Microsoft windows 11 25h2
  • Microsoft windows 11 26h1
  • Microsoft windows Server 2012
  • Microsoft windows Server 2012 R2
  • Microsoft windows Server 2016
  • Microsoft windows Server 2019
  • Microsoft windows Server 2022
  • Microsoft windows Server 2025

References:

Metrics: cvssV3_1, score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:39.381Z

Reserved: 2026-05-18T23:53:33.896Z

Link: CVE-2026-47291

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:34.627

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z