CVE-2026-47291

CRITICAL

Microsoft Windows HTTP.sys - Remote Code Execution via Integer Overflow

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-47291. PoCs published by dhmosfunk, ManagerEmpty.

AI-analyzed exploit summary The repository contains a functional Python script that exploits CVE-2026-47291, a denial-of-service vulnerability in HTTP.sys. The script sends a large number of HTTP/2 headers to trigger an integer overflow in the HTTP.sys driver, leading to a system crash or instability.

Description

Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.

Exploits (2)

github WORKING POC

by dhmosfunk · pythonpoc

https://github.com/dhmosfunk/CVE-2026-49160-CVE-2026-47291-HTTP.sys

View Code ZIP pw:eip

The repository contains a functional Python script that exploits CVE-2026-47291, a denial-of-service vulnerability in HTTP.sys. The script sends a large number of HTTP/2 headers to trigger an integer overflow in the HTTP.sys driver, leading to a system crash or instability.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Microsoft HTTP.sys (Windows HTTP Protocol Stack)

No auth needed

Prerequisites: HTTP/2 enabled server · Network access to the target

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Jun 16, 2026 Full analysis →

github SUSPICIOUS

by ManagerEmpty · poc

https://github.com/ManagerEmpty/CVE-2026-47291-httpsys

View Code ZIP pw:eip

The repository claims to provide an RCE exploit for CVE-2026-47291 targeting Windows HTTP.sys but lacks actual exploit code, instead redirecting to an external download link via a URL shortener. The README contains technical details but no functional code, which is a common tactic for malicious or monetized exploit lures.

Classification

Suspicious 95%

Attack Type

Rce

Complexity

Theoretical

Reliability

Theoretical

Target: Windows HTTP.sys (Windows 10/11, Server 2012-2025)

No auth needed

Prerequisites: Windows system with vulnerable HTTP.sys version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Jun 11, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

HTTP.sys Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291

Scores

CVSS v3 9.8

EPSS 0.0430

EPSS Percentile 89.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-122 CWE-190

Status published

Products (33)

Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.9234

Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8880

Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.7417

Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.7417

Microsoft/Windows 11 version 23H2 10.0.22631.0 - 10.0.22631.7219

Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.8655

Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.8655

Microsoft/Windows 11 version 26H1 10.0.28000.0 - 10.0.28000.2269

Microsoft/Windows Server 2012 6.2.9200.0 - 6.2.9200.26132

Microsoft/Windows Server 2012 (Server Core installation) 6.2.9200.0 - 6.2.9200.26132

... and 23 more

Published Jun 09, 2026

Tracked Since Jun 09, 2026