+91 80401 38000[email protected]24/7 Expert Support
[email protected]Client Portal →
ServerGurus
← All posts
SecurityManaged ServicesCloud VPS

CVE-2026-47291: Any Unpatched Windows Server Can Be Taken Over Remotely via HTTP.sys

By ServerGurus11 July 20263 min read
CVE-2026-47291: Any Unpatched Windows Server Can Be Taken Over Remotely via HTTP.sys

Microsoft patched CVE-2026-47291 on June 9, and security researchers at Trend Micro's Zero Day Initiative just published the full technical breakdown. The vulnerability is as bad as it gets: a remote, unauthenticated attacker sends crafted HTTP headers to a Windows server, triggers an integer overflow in the kernel-mode HTTP.sys driver, and executes arbitrary code with SYSTEM privileges.

CVSS score: 9.8. Proof of concept: public. Attack surface: every Windows server running IIS, WinRM, or anything that uses the HTTP Server API.

What HTTP.sys Does and Why This Bug Is So Dangerous

HTTP.sys is the kernel-mode driver that handles HTTP parsing for Windows. It sits below IIS, below WinRM, below any application that registers a URL prefix with the HTTP Server API. It processes HTTP requests in kernel space, which is fast but means any vulnerability in it is catastrophic.

The bug is in how HTTP.sys grows its internal buffer reference array during HTTP/1.x header parsing. When it needs more slots to track received data, it does an integer computation to calculate the new array size. That computation can overflow, producing a smaller allocation than expected. Data written past the end of the undersized buffer corrupts the non-paged kernel pool.

The attacker needs only to send a sequence of TLS records with carefully sized payloads. The integer overflow triggers during the capacity growth calculation. From there, a heap-based buffer overflow gives the attacker kernel-level code execution. No authentication. No user interaction. Just packets hitting port 443.

If the exploit fails, the server blue-screens. A denial of service is the floor; SYSTEM-level remote code execution is the ceiling.

What Is Affected

Every supported version of Windows Server running HTTP.sys. That includes:

  • Windows Server 2025 with IIS
  • Windows Server 2022 with IIS, WinRM, or WS-Management
  • Windows Server 2019 hosting ASP.NET applications
  • Any Windows system where HTTP.sys listens on a network port

If port 80 or 443 is open and HTTP.sys is behind it, you are vulnerable unless patched.

The Patch and What You Should Do

Microsoft shipped the fix on June 9 Patch Tuesday. The update corrects the integer overflow in the capacity calculation. After patching, the driver properly validates the size computation before allocating memory.

If you manage your own Windows servers:

  1. Install KB5063236 (Windows Server 2025), KB5063275 (2022), or the equivalent for your version
  2. Reboot. HTTP.sys runs in kernel space. Hot-patching is not an option here.
  3. Verify: check winver or systeminfo to confirm the patch applied.

If you are not sure whether you patched, assume you did not. This vulnerability has a public proof of concept and a CVSS of 9.8. Attackers are working through it right now.

The Deeper Problem: Patching Windows Is a Job Nobody Wants

Here is what actually happens in most organizations when a critical Windows patch drops. Someone gets a ticket. They schedule a maintenance window. They test the patch on staging. They find out the patch breaks some legacy IIS module. They spend three days debugging it. The production server sits unpatched the whole time.

This is why managed hosting exists. When you run your Windows workloads on ServerGurus managed infrastructure, kernel patches like this get applied within hours of the Microsoft advisory. No ticket. No maintenance window negotiation. No testing cycle that stretches into the next week.

We handle patching, monitoring, and the 3 AM reboot. You handle your application. That is the deal.

The Bigger Picture for Hosting Customers

CVE-2026-47291 is a Windows bug, but the lesson is universal. Every operating system has kernel-level remote code execution vulnerabilities. Linux had GhostLock last week. Windows has HTTP.sys this week. What separates a secure infrastructure from a compromised one is not the absence of vulnerabilities. It is how fast patches get applied.

Self-managed servers patch when someone gets around to it. Managed servers patch when the advisory drops. The gap between those two timestamps is where the damage happens.

If you are running unpatched Windows Server today, stop reading and run Windows Update. If you want someone else to handle this from now on, talk to us about managed hosting.

Ready to build your infrastructure?

Get a quote from our Hyderabad-based team - Tier IV datacenter, real support, INR or USD billing.

View pricingRequest a quoteWhatsApp sales