CVE-2026-47291 Remote Code Execution in the Windows HTTP.sys#2491
Open
carlospolop wants to merge 1 commit into
Open
CVE-2026-47291 Remote Code Execution in the Windows HTTP.sys#2491carlospolop wants to merge 1 commit into
carlospolop wants to merge 1 commit into
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://thezdi.com/blog/2026/7/9/cve-2026-47291-remote-code-execution-in-the-windows-httpsys Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web > IIS / Windows HTTP.sys, with cross-reference to Binary Exploitation > Integer Overflow / Windows kernel exploitation". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
CVE-2026-47291 is a remote, unauthenticated vulnerability in the Windows HTTP protocol stack, implemented by the kernel-mode driver HTTP.sys. HTTP.sys is used by Microsoft IIS and by other Windows applications that register URL prefixes. It performs kernel-level HTTP request parsing, response caching, and SSL/TLS termination support, typically listening on TCP/80 for HTTP and TCP/443 for HTTPS. The vulnerability was patched by Microsoft in the June 2026<...
🔧 Technical Details
TLS record boundaries as a parser-state manipulation primitive: If a server-side parser receives decrypted TLS data per record instead of as a normalized byte stream, an attacker may be able to control internal receive-buffer boundaries by choosing TLS record boundaries. In this case, placing exactly one complete HTTP/1.x header line ending in
CRLFinside each TLS application data record causes SChannel to deliver each line to HTTP.sys as a separate plaintext buffer. If the protocol parser fully consumes each buffer and avoids its partial-parse or merge path, the attacker obtains a near 1:1 relationship between TLS records and internal metadata entries.Exploiting unchecked growth of arrays with narrow capacity fields: A dangerous memory-management pattern appears when an array's
capacityis stored in a small integer type, while the copy size is derived from a larger or independently increasingcount. If ...🤖 Agent Actions
Done.
Updated:
src/network-services-pentesting/pentesting-web/iis-internet-information-services.mdAdded:
I kept the change in a single file to avoid duplication.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.