CVE-2026-21250

HIGH

Windows HTTP.sys - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-21250. PoCs published by 3302509675, kaleth4.

AI-analyzed exploit summary This exploit targets a local privilege escalation vulnerability in Windows 11 24H2 and Windows Server 2022 23H2 by sending a maliciously crafted HTTP request to trigger a BSOD via HTTP.sys. The code includes a critical flaw in the `strcat` function that truncates the malicious pointer, which may prevent successful exploitation.

Description

Untrusted pointer dereference in Windows HTTP.sys allows an authorized attacker to elevate privileges locally.

Exploits (2)

exploitdb WORKING POC

by 3302509675 · clocalwindows

https://www.exploit-db.com/exploits/52546

View Code ZIP pw:eip

This exploit targets a local privilege escalation vulnerability in Windows 11 24H2 and Windows Server 2022 23H2 by sending a maliciously crafted HTTP request to trigger a BSOD via HTTP.sys. The code includes a critical flaw in the `strcat` function that truncates the malicious pointer, which may prevent successful exploitation.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Windows 11 24H2 (10.0.26100.7780), Windows 11 25H2 (10.0.26200.7780), Windows Server 2022 23H2 (10.0.25398.2148)

No auth needed

Prerequisites: HTTP service must be running · Port 80 must be listening · System must be unpatched

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 05, 2026 Full analysis →

nomisec WORKING POC

by kaleth4 · poc

https://github.com/kaleth4/CVE-2026-21250

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2026-21250, a local privilege escalation vulnerability in Windows HTTP.sys. The exploit sends a crafted HTTP request with a malicious pointer to trigger an untrusted pointer dereference, potentially leading to SYSTEM privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Theoretical

Target: Windows HTTP.sys (Windows 11 24H2/25H2, Windows Server 2022/2025)

No auth needed

Prerequisites: Local access to the target system · Vulnerable version of Windows HTTP.sys

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 05, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21250

Scores

CVSS v3 7.8

EPSS 0.0104

EPSS Percentile 59.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-822

Status published

Products (11)

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.7840

Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.7840

Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.1575

Microsoft/Windows 11 Version 26H1 10.0.28000.0 - 10.0.28000.1575

Microsoft/Windows Server 2022, 23H2 Edition (Server Core installation) 10.0.25398.0 - 10.0.25398.2149

Microsoft/Windows Server 2025 10.0.26100.0 - 10.0.26100.32370

Microsoft/Windows Server 2025 (Server Core installation) 10.0.26100.0 - 10.0.26100.32370

microsoft/windows_11_24h2 < 10.0.26100.7781 (2 CPE variants)

microsoft/windows_11_25h2 < 10.0.26200.7781 (2 CPE variants)

microsoft/windows_server_2022_23h2 < 10.0.25398.2149

... and 1 more

Published Feb 10, 2026

Tracked Since Feb 18, 2026