Security
CVE-2026-47291 HTTP.sys RCE (CVSS 9.8): no user interaction, Exploitation More Likely
- Category: Security
- Status: confirmed
- Sources: Threat-Modeling.com June Patch Tuesday, Windows Forum patch guide
- Summary: CVE-2026-47291 is a critical integer overflow in
http.sys, the Windows kernel-mode HTTP protocol stack used by IIS, Windows Remote Management, and other platform services. An unauthenticated remote attacker can trigger remote code execution by sending a crafted HTTP request with no user interaction. CVSS 9.8. Microsoft rates exploitation as "More Likely." Important exception: systems using the defaultMaxRequestBytesregistry value are not vulnerable; only hosts with non-default or elevated HTTP request size configurations are at risk. No public exploit or in-the-wild exploitation confirmed as of 2026-06-12. Patched in the June 2026 Windows cumulative update (KB5094126/KB5094125/KB5094128). - Why it matters: Windows servers running IIS or WinRM with non-default HTTP configuration should treat this as urgent; the "Exploitation More Likely" rating means a functional exploit is expected to appear.
- Follow-up: Watch for public exploit or active exploitation reports.