• Category: Security
  • Status: confirmed
  • Sources: Threat-Modeling.com June Patch Tuesday, Windows Forum patch guide
  • Summary: CVE-2026-47291 is a critical integer overflow in http.sys, the Windows kernel-mode HTTP protocol stack used by IIS, Windows Remote Management, and other platform services. An unauthenticated remote attacker can trigger remote code execution by sending a crafted HTTP request with no user interaction. CVSS 9.8. Microsoft rates exploitation as "More Likely." Important exception: systems using the default MaxRequestBytes registry value are not vulnerable; only hosts with non-default or elevated HTTP request size configurations are at risk. No public exploit or in-the-wild exploitation confirmed as of 2026-06-12. Patched in the June 2026 Windows cumulative update (KB5094126/KB5094125/KB5094128).
  • Why it matters: Windows servers running IIS or WinRM with non-default HTTP configuration should treat this as urgent; the "Exploitation More Likely" rating means a functional exploit is expected to appear.
  • Follow-up: Watch for public exploit or active exploitation reports.

Send feedback on this story