CVE-2026-47291: Critical Windows HTTP.sys Vulnerability Enables Remote Code Execution
Quick Answer
Microsoft has disclosed CVE-2026-47291, a Critical Remote Code Execution (RCE) vulnerability affecting the Windows HTTP.sys component. The vulnerability allows an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted HTTP requests to vulnerable systems.
HTTP.sys is widely used by Microsoft IIS, WinRM, and numerous Windows-based web applications and services, increasing the potential exposure across enterprise environments. Microsoft released security updates as part of the June 2026 Patch Tuesday release and recommends immediate remediation of affected systems.
Vulnerability Details
- Advisory ID: SA-2026-HTTPSYS-47291
- Release Date: 12 July 2026
- Severity: Critical
- CVSS v3.1: 9.8/10 (Critical)
- Affected Component: Windows HTTP.sys
- Attack Vector: Network
- Impact: Remote Code Execution (RCE)
Who This Impacts:
- CISOs and Security Leadership Teams
- Security Operations Center (SOC) Teams
- Vulnerability Management Teams
- IT Infrastructure and Server Administrators
- Windows Server Administrators
- Organizations hosting Internet-facing web applications
- Healthcare, Financial Services, Manufacturing, Energy, and Government sectors
- Organizations utilizing Microsoft IIS or HTTP-based Windows services
Detailed Breakdown / What’s Happening
What is CVE-2026-47291?
CVE-2026-47291 is a Critical Remote Code Execution vulnerability affecting the Windows HTTP.sys kernel-mode driver. The flaw results from an integer overflow or wraparound condition that can lead to memory corruption and arbitrary code execution.
Because HTTP.sys is responsible for processing HTTP and HTTPS traffic within Windows, exploitation of this Windows HTTP.sys vulnerability could allow attackers to gain significant control over an affected system.
How could an attacker exploit it?
An attacker can send specially crafted HTTP requests to a vulnerable system.
-
No authentication is required.
-
No user interaction is required.
-
Exploitation occurs remotely over the network.
-
Successful exploitation may allow execution of arbitrary code on the target system.
This makes CVE-2026-47291 one of the most severe HTTP.sys remote code execution vulnerabilities disclosed in recent Microsoft security updates.
Why is this significant?
HTTP.sys is a core Windows component responsible for processing HTTP and HTTPS traffic.
The component is utilized by Microsoft IIS, WinRM, web APIs, and numerous enterprise applications.
Internet-facing servers are considered the highest risk targets.
Microsoft assigned vulnerability to a CVSS score of 9.8 (Critical).
Affected Systems:
The vulnerability affects multiple Windows operating systems, including:
- Windows 10
- Windows 11
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Systems remain vulnerable until the June 2026 security updates are applied.
Risk / Why It Matters:
Remote System Compromise
Successful exploitation may allow attackers to execute code on vulnerable Windows systems. This can provide extensive control over affected servers and infrastructure.
Business Disruption
Compromised web servers may experience outages, service interruptions, or unauthorized modifications that impact day-to-day business operations.
Ransomware Deployment
Threat actors may leverage compromised systems to deploy ransomware, encrypt business-critical data, and disrupt organizational operations.
Data Exposure
Attackers could potentially access sensitive business information, application data, credentials, and customer records stored on compromised systems.
Lateral Movement
A successful compromise may provide attackers with a pathway to move deeper into the environment and target additional systems.
Recommendations:
Immediate (0–30 Days)
- Identify all systems affected by CVE-2026-47291.
- Prioritize Internet-facing and business-critical servers.
- Deploy the June 2026 Microsoft security updates.
- Reboot systems were required to complete update installation.
- Verify successful patch deployment and vulnerability remediation.
- Restrict unnecessary external access to exposed HTTP/HTTPS services until remediation is complete.
Short-Term (1–3 Months)
- Review patch management processes to ensure timely deployment of critical security updates.
- Validate vulnerability scanning coverage across all Windows assets.
- Review Internet-facing application exposure and reduce unnecessary attack surface.
- Conduct targeted reviews of web server security configurations.
Mid / Long-Term (3–12 Months)
- Implement automated vulnerability management and patch compliance reporting.
- Strengthen network segmentation between Internet-facing and internal assets.
- Enhance asset inventory visibility for server infrastructure.
- Conduct regular security assessments and patch validation exercises.
- Review business continuity and incident response procedures for critical server compromise scenarios.
What We’re Watching Next
ProArch SOC teams will continue monitoring:
- Public disclosure of proof-of-concept exploit code.
- Reports of active exploitation targeting Internet-facing Windows servers.
- Threat actor activity leveraging HTTP.sys vulnerabilities.
- Updates from Microsoft regarding exploitability and threat intelligence associated with CVE-2026-47291.
Need help assessing your exposure?
ProArch can help you quickly identify affected Windows assets, prioritize Internet-facing systems, validate patch status, and reduce risk from CVE-2026-47291.
Reach out to ProArch's Microsoft security experts for a quick security assessment and remediation guidance.
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2026-47291
- https://app.opencve.io/cve/CVE-2026-47291
- https://threat-modeling.com/microsoft-june-2026-patch-tuesday-critical-cves/
- https://defendis.com/learn/cve-2026-47291-httpsys-rce-windows-kernel-patch-tuesday-june-2026-d6cee
- https://www.zerodayinitiative.com/blog/2026/7/9/cve-2026-47291-remote-code-execution-in-the-windows-httpsys
