Skip to content

CVE-2026-47291 Remote Code Execution in the Windows HTTP.sys#2491

Open
carlospolop wants to merge 1 commit into
masterfrom
update_CVE-2026-47291_Remote_Code_Execution_in_the_Wind_e5668049e60cd90e
Open

CVE-2026-47291 Remote Code Execution in the Windows HTTP.sys#2491
carlospolop wants to merge 1 commit into
masterfrom
update_CVE-2026-47291_Remote_Code_Execution_in_the_Wind_e5668049e60cd90e

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

CVE-2026-47291 is a remote, unauthenticated vulnerability in the Windows HTTP protocol stack, implemented by the kernel-mode driver HTTP.sys. HTTP.sys is used by Microsoft IIS and by other Windows applications that register URL prefixes. It performs kernel-level HTTP request parsing, response caching, and SSL/TLS termination support, typically listening on TCP/80 for HTTP and TCP/443 for HTTPS. The vulnerability was patched by Microsoft in the June 2026<...

🔧 Technical Details

TLS record boundaries as a parser-state manipulation primitive: If a server-side parser receives decrypted TLS data per record instead of as a normalized byte stream, an attacker may be able to control internal receive-buffer boundaries by choosing TLS record boundaries. In this case, placing exactly one complete HTTP/1.x header line ending in CRLF inside each TLS application data record causes SChannel to deliver each line to HTTP.sys as a separate plaintext buffer. If the protocol parser fully consumes each buffer and avoids its partial-parse or merge path, the attacker obtains a near 1:1 relationship between TLS records and internal metadata entries.

Exploiting unchecked growth of arrays with narrow capacity fields: A dangerous memory-management pattern appears when an array's capacity is stored in a small integer type, while the copy size is derived from a larger or independently increasing count. If ...

🤖 Agent Actions

Done.

Updated:

  • src/network-services-pentesting/pentesting-web/iis-internet-information-services.md

Added:

I kept the change in a single file to avoid duplication.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://thezdi.com/blog/2026/7/9/cve-2026-47291-remote-code-execution-in-the-windows-httpsys

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web > IIS / Windows HTTP.sys, with cross-reference to Binary Exploitation > Integer Overflow / Windows kernel exploitation".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant