Integer Overflow Vulnerability in Windows HTTP.sys by Microsoft
CVE-2026-47291

9.8CRITICAL

Key Information:

Badges

πŸ”₯ Trending nowπŸ“ˆ TrendedπŸ“ˆ Score: 2,800πŸ‘Ύ Exploit Exists🟣 EPSS 21%πŸ“° News Worthy

What is CVE-2026-47291?

CVE-2026-47291 is a critical integer overflow vulnerability located in the Windows HTTP.sys component, a part of Microsoft’s operating system stack that handles HTTP requests and responses. This vulnerability occurs when the application incorrectly handles integer values, leading to conditions that may allow an unauthorized attacker to execute arbitrary code remotely over a network. The severity of this flaw arises from its potential to compromise systems that rely on the HTTP.sys driver for network communication, opening avenues for attackers to bypass security and gain control over sensitive environments.

The implications of this vulnerability extend to numerous organizations employing Microsoft Windows servers, especially those relying on web services and applications that utilize the HTTP.sys component. If successfully exploited, this vulnerability could lead to unauthorized access, data manipulation, or even complete system compromise, significantly threatening the integrity and confidentiality of organizational data.

Potential impact of CVE-2026-47291

  1. Remote Code Execution: The vulnerability enables unauthorized attackers to execute arbitrary code on affected systems, allowing for potentially full control over the compromised environment. This can facilitate a wide range of malicious activities, including data theft and the deployment of further exploitation tools.

  2. Service Disruption: Exploiting this flaw could lead to service outages or disruptions in web-based applications and services, which can adversely affect business operations, customer trust, and overall service delivery.

  3. Increased Malware Propagation: Given the nature of the vulnerability, it may allow for the installation of malware, including ransomware, on affected systems. This can lead to cascading security incidents that threaten data integrity and operational continuity, as well as increased recovery costs and reputational damage.

Affected Version(s)

Windows 10 Version 1607 32-bit Systems 10.0.14393.0 < 10.0.14393.9234

Windows 10 Version 1809 32-bit Systems 10.0.17763.0 < 10.0.17763.8880

Windows 10 Version 21H2 32-bit Systems 10.0.19044.0 < 10.0.19044.7417

News Articles

Blame AI: Patch Tuesday Hits Record 206 CVEs

Voluminous patch updates could soon be the norm, as artificial intelligence accelerates the speed and scale of vulnerability discovery.

References

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ“ˆ

    Vulnerability started trending

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by Dark Reading

  • Vulnerability published

  • Vulnerability Reserved

.