CRITICAL | CVE-2026-47291 | CNA: microsoft

CVE-2026-47291: HTTP.sys Remote Code Execution Vulnerability

Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 6.2.9200.26132
Affected Products: 20


HarborGuard Analysis

Synopsis

An integer overflow vulnerability in Windows HTTP.sys allows an unauthenticated remote attacker to execute arbitrary code on affected Windows systems. The flaw is reachable over the network with no credentials and no user interaction required, making it exploitable against any internet-exposed or network-accessible Windows host running an affected version of HTTP.sys. Successful exploitation gives the attacker full code execution in the context of the kernel-mode HTTP.sys driver, enabling complete host compromise. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running affected Windows base images.

HarborGuard Coverage

Detection

Detection for CVE-2026-47291 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, covering both public base images and custom-built images that include affected Windows versions. Any image whose Windows layer falls within an affected version range is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each customer organization's compliance policy to determine escalation priority. Triage findings are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting the applicable fix versions (6.2.9200.26132, 6.3.9600.23228, 10.0.14393.9234, 10.0.17763.8880, 10.0.19044.7417, and later) becomes available on HarborGuard once the upstream patched base layers are published. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the target over the network, as HTTP.sys is a network-facing kernel driver that listens for inbound HTTP traffic.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable code path is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    Exploitation is fully automated from the attacker's side and requires no action from any user on the target system.

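  • Attack complexity: Detail

    Attack complexity is low (AC:L in the CVSS vector), meaning an attacker can expect repeatable success without special environmental conditions, race timing, or memory-layout knowledge. The vector's E:U value indicates that exploit code maturity is unproven.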

Blast Radius

  • The attacker executes arbitrary code in the context of the kernel-mode HTTP.sys driver, giving immediate ring-0 level access on the host.
  • All data accessible to the operating system, including credentials, secrets, and application data stored on disk or in memory, is readable by the attacker.
  • The attacker can modify or delete any files, registry keys, or in-memory data structures on the compromised host.
  • The attacker can crash the HTTP.sys driver or the entire host, taking all services on that system offline.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity CVE is active across customer image registries and pipelines, with matching against affected Windows base image versions occurring within minutes of CVE publication. For environments with auto-remediation enabled, HarborGuard rebuilds affected images against the patched Windows versions, runs regression tests, and opens a pull request against impacted workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for those environments. Where compliance policy requires manual approval, the rebuilt image and associated test results are staged and waiting for review. Customers not yet able to apply the patch should consider isolating HTTP.sys-dependent workloads behind a network policy that restricts inbound HTTP access to trusted sources only, and should apply egress filtering to limit lateral movement in the event of a breach.


Fix available

  • 6.2.9200.26132
  • 6.3.9600.23228
  • 10.0.14393.9234
  • 10.0.17763.8880
  • 10.0.19044.7417
  • 10.0.19045.7417
  • 10.0.20348.5256
  • 10.0.22631.7219
  • 10.0.26100.8655
  • 10.0.26100.32995
  • 10.0.26200.8655
  • 10.0.28000.2269

Affected packages
  • Microsoft / Windows 10 Version 1607
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows 10 Version 1809
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows 10 Version 21H2
    < 10.0.19044.7417 (from 10.0.19044.0)
  • Microsoft / Windows 10 Version 22H2
    < 10.0.19045.7417 (from 10.0.19045.0)
  • Microsoft / Windows 11 version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 23H2
    < 10.0.22631.7219 (from 10.0.22631.0)
  • Microsoft / Windows 11 Version 24H2
    < 10.0.26100.8655 (from 10.0.26100.0)
  • Microsoft / Windows 11 Version 25H2
    < 10.0.26200.8655 (from 10.0.26200.0)
  • Microsoft / Windows 11 version 26H1
    < 10.0.28000.2269 (from 10.0.28000.0)
  • Microsoft / Windows Server 2012
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 (Server Core installation)
    < 6.2.9200.26132 (from 6.2.9200.0)
  • Microsoft / Windows Server 2012 R2
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2012 R2 (Server Core installation)
    < 6.3.9600.23228 (from 6.3.9600.0)
  • Microsoft / Windows Server 2016
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2016 (Server Core installation)
    < 10.0.14393.9234 (from 10.0.14393.0)
  • Microsoft / Windows Server 2019
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2019 (Server Core installation)
    < 10.0.17763.8880 (from 10.0.17763.0)
  • Microsoft / Windows Server 2022
    < 10.0.20348.5256 (from 10.0.20348.0)
  • Microsoft / Windows Server 2025
    < 10.0.26100.32995 (from 10.0.26100.0)
  • Microsoft / Windows Server 2025 (Server Core installation)
    < 10.0.26100.32995 (from 10.0.26100.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C