External risk intelligence

Windows HTTP.sys Integer Overflow Allows Network Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-47291

An integer overflow in Windows HTTP.sys, a critical network request handler, allows remote, unauthorized code execution. This vulnerability impacts a core service for internet traffic and could compromise system integrity and confidentiality.

5Halo Surface Signal

Integer Overflow

Microsoft Windows 10 1607

before 10.0.14393.9234before 10.0.17763.8880before 10.0.19044.7417before 10.0.19045.7417before 10.0.22631.7219before 10.0.26100.8655before 10.0.26200.8655before 10.0.28000.2269r2b...

External exposure likelihood

Halo Surface Signal score for CVE-2026-47291

Windows HTTP.sys is the core kernel-mode driver for handling HTTP requests in Windows. It serves as the primary internet-facing listener for IIS, web applications, and various network services, making it inherently exposed to public internet traffic by design in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-47291

Yes

CVE-2026-47291 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Windows HTTP.sys allows remote code execution, which would likely cause a PCI ASV scan to fail and requires remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

An integer overflow vulnerability in Windows HTTP.sys, a core component for handling network requests, could allow an unauthorized attacker to execute code remotely. This issue affects a fundamental service that manages internet traffic for various Windows applications and services.

Remote attackers could execute code over the network.
This affects core Windows internet request handling.
Confirm relevance and exposure for Windows systems.

Attack Path

How an attacker could exploit the issue

An attacker could reach and trigger this vulnerability by sending specially crafted network traffic to a vulnerable Windows system. This traffic targets the HTTP.sys kernel driver, which handles incoming HTTP requests. An integer overflow or wraparound within this driver can then be exploited to achieve code execution.

No special access required.
Triggered by network traffic.
Enables remote code execution.

Live Threat

Current exploitation, exposure, and threat context

An integer overflow vulnerability in Windows HTTP.sys could allow an unauthenticated attacker to execute code remotely over a network when supported by the advisory. This could potentially affect system integrity and confidentiality.

System integrity and confidentiality.
Network code execution.
Unauthorized code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Windows HTTP.sys is a core component for network services, making this vulnerability a high-priority concern for infrastructure and platform teams. The first practical step is to identify all instances of Windows servers running HTTP.sys, assess their network exposure, and determine business criticality. Once identified, engage the accountable system owner to plan for remediation, considering vendor coordination and scheduled maintenance windows.

Infrastructure and platform teams own this.
Verify network exposure and business criticality.
Plan remediation with accountable system owners.

Frequently asked questions

What is Windows HTTP.sys?

Windows HTTP.sys is a critical kernel-mode driver that acts as the foundational listener for HTTP requests. It handles incoming network traffic for Internet Information Services (IIS), web applications, and various other services, operating deep within the Windows operating system to ensure network communication is processed efficiently before reaching higher-level software.

What does integer overflow mean for CVE-2026-47291?

An integer overflow (CWE-190) occurs when a calculation produces a value too large for the system to store, causing it to wrap around to a smaller number. In the context of CVE-2026-47291, this unexpected result can confuse the software's memory management, potentially leading to unauthorized code execution. It is a fundamental programming error rather than a logical oversight.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network traffic directed at the HTTP.sys driver. Because this driver processes requests at a low level, the bug does not require user interaction or valid credentials to activate. However, standard, non-malicious web traffic that conforms to expected packet parameters does not trigger this overflow.

Is my system at risk?

According to Halo Surface Signal, this vulnerability is particularly relevant to systems with internet-facing interfaces. Since HTTP.sys is the primary listener for web services, any server exposed to the public internet is at a higher risk level. Internal systems are generally less exposed, but they remain part of the broader attack surface if they accept network connections.

What should I do to respond to this threat?

Start by identifying all Windows servers within your environment that utilize HTTP.sys. Prioritize these assets based on their network accessibility and their criticality to your business operations. Once you have a clear inventory, coordinate with your infrastructure teams to schedule necessary updates or configuration changes through your established maintenance processes.

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.