Microsoft has disclosed CVE-2026-47291, a Critical Remote Code Execution (RCE) vulnerability affecting the Windows HTTP.sys component. The vulnerability allows an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted HTTP requests to vulnerable systems.
HTTP.sys is widely used by Microsoft IIS, WinRM, and numerous Windows-based web applications and services, increasing the potential exposure across enterprise environments. Microsoft released security updates as part of the June 2026 Patch Tuesday release and recommends immediate remediation of affected systems.
What is CVE-2026-47291?
CVE-2026-47291 is a Critical Remote Code Execution vulnerability affecting the Windows HTTP.sys kernel-mode driver. The flaw results from an integer overflow or wraparound condition that can lead to memory corruption and arbitrary code execution.
Because HTTP.sys is responsible for processing HTTP and HTTPS traffic within Windows, exploitation of this Windows HTTP.sys vulnerability could allow attackers to gain significant control over an affected system.
An attacker can send specially crafted HTTP requests to a vulnerable system.
No authentication is required.
No user interaction is required.
Exploitation occurs remotely over the network.
Successful exploitation may allow execution of arbitrary code on the target system.
This makes CVE-2026-47291 one of the most severe HTTP.sys remote code execution vulnerabilities disclosed in recent Microsoft security updates.
HTTP.sys is a core Windows component responsible for processing HTTP and HTTPS traffic.
The component is utilized by Microsoft IIS, WinRM, web APIs, and numerous enterprise applications.
Internet-facing servers are considered the highest risk targets.
Microsoft assigned vulnerability to a CVSS score of 9.8 (Critical).
The vulnerability affects multiple Windows operating systems, including:
Systems remain vulnerable until the June 2026 security updates are applied.
Remote System Compromise
Successful exploitation may allow attackers to execute code on vulnerable Windows systems. This can provide extensive control over affected servers and infrastructure.
Business Disruption
Compromised web servers may experience outages, service interruptions, or unauthorized modifications that impact day-to-day business operations.
Ransomware Deployment
Threat actors may leverage compromised systems to deploy ransomware, encrypt business-critical data, and disrupt organizational operations.
Data Exposure
Attackers could potentially access sensitive business information, application data, credentials, and customer records stored on compromised systems.
Lateral Movement
A successful compromise may provide attackers with a pathway to move deeper into the environment and target additional systems.
Immediate (0–30 Days)
Short-Term (1–3 Months)
Mid / Long-Term (3–12 Months)
ProArch SOC teams will continue monitoring:
Need help assessing your exposure?
ProArch can help you quickly identify affected Windows assets, prioritize Internet-facing systems, validate patch status, and reduce risk from CVE-2026-47291.
Reach out to ProArch's Microsoft security experts for a quick security assessment and remediation guidance.