CVE-2026-47291 — Windows HTTP.sys pre-auth RCE (CVSS 9.8): ZDI publishes full exploitation mechanics and a detection signature
UPDATE · originally covered CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs) (2026-06-10)
CVE-2026-47291 shipped in the June 2026 Patch Tuesday as a headline pre-auth RCE in HTTP.sys, the kernel-mode HTTP driver that terminates HTTP/1.x and TLS for IIS and every service built on the HTTP Server API. The delta is a full exploitation write-up from Zero Day Initiative's TrendAI Research team, published a month after the patch, that documents the precise defect and trigger and materially lowers the weaponisation bar (Zero Day Initiative, 2026-07-10).
The bug is a 16-bit integer overflow in the buffer-reference array that HTTP.sys grows while parsing HTTP/1.x headers: the capacity counter is incremented by five on each growth without a bounds check, and after 13,107 growths it reaches 0xFFFB, so the next increment wraps to 0x0000; the subsequent reference addition then allocates a 40-byte buffer but memmoves roughly 524,256 bytes into it — a ~500 KB kernel-pool heap overflow. Because SChannel delivers each TLS record to the parser as its own buffer, an attacker who places exactly one header line per TLS application-data record establishes a 1:1 record-to-reference correspondence and drives the counter to overflow with a single ~262 KB request. Successful exploitation crashes the box (kernel memory-access exception) and, under favourable pool layout, can execute code in kernel context. Critically, the path is reachable only via HTTP/1.x-over-TLS — HTTP/2 and HTTP/3 use a different parser and are unaffected (Zero Day Initiative, 2026-07-10).
The write-up also corrects the exposure picture the original advisory left fuzzy: the default MaxRequestBytes of 16,384 bytes caps a request at roughly 4,000 header lines — far short of the ~65,536 references needed — so only hosts that raised MaxRequestBytes to at least 262,144 bytes can be driven to the overflow. Microsoft rates the CVE "Exploitation More Likely"; no in-the-wild exploitation is reported as of ZDI's publication (Microsoft MSRC, 2026-06-09).
The vulnerability is only reachable through HTTP/1.x header parsing over TLS connections. HTTP/2 and HTTP/3 use different parser paths that do not interact with the buffer reference array.
If the number of header field lines in a single request exceeds 1,000, the traffic should be considered suspicious; an attack exploiting this vulnerability is likely underway.
Defender actions
- Confirm the June 2026 Windows cumulative update is applied on every internet-facing IIS/HTTPS host and any service built on the HTTP Server API; ZDI notes the patch is the only reliable remediation.
- As an interim measure on unpatched hosts, keep the HTTP.sys
MaxRequestBytesregistry value (HKLM\\SYSTEM\\CurrentControlSet\\Services\\HTTP\\Parameters) at or below 65,535 bytes — a request must be able to carry ~262,144 bytes to trigger the overflow, so this configuration blocks it. - Where TLS inspection exists, alert on any single HTTP/1.x request carrying more than ~1,000 header field lines; without decryption, flag HTTPS connections that send more than ~1,000 tiny TLS application-data records over roughly 11 minutes.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Impact TA0040
T1499Endpoint Denial of Service
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.