Microsoft has released a security update to address CVE-2026-47291, a critical remote code execution vulnerability in the Windows HTTP Protocol Stack (HTTP.sys) that impacts all supported editions of Windows Server and Windows client operating systems where the feature is enabled. Disclosed on June 9, 2026 as part of the monthly Patch Tuesday cycle, this flaw allows an unauthenticated, remote attacker to execute arbitrary code with kernel privileges by sending a specially crafted HTTP request to a vulnerable system.

HTTP.sys is a kernel-mode driver that handles HTTP traffic for numerous Windows components, most notably Internet Information Services (IIS), but also the Windows Remote Management (WinRM) service, the Windows Print Spooler (via Internet Printing Protocol), and anything built on the HTTP Server API. Because it operates in kernel context, a successful exploit yields the highest privileges available on the machine—complete system takeover. This vulnerability stands out as the most pressing item in June’s patch batch, requiring immediate attention from any administrator managing internet-facing servers.

Severity and Impact

Although Microsoft has not publicly assigned a CVSS score for CVE-2026-47291 at the time of publication, security analysts expect it to carry a base score of 9.8 or higher, reflecting the remote attack vector, low attack complexity, lack of required privileges, and severe impact on confidentiality, integrity, and availability. Under Microsoft’s own severity rating system, it is classified as Critical. The vulnerability resides in the parsing logic of HTTP request headers; by sending a malformed request, an attacker can trigger a memory corruption condition that leads to controlled code execution. Since HTTP.sys processes requests before most authentication or IIS request filtering, the attack can be performed without credentials.

A successful exploit gives an adversary full control of the server—enabling installation of malware, exfiltration of sensitive data, lateral movement across the network, and even deployment of ransomware. There is also concern that this flaw could be wormable, meaning self-replicating malware could spread from one vulnerable server to another without user interaction. While Microsoft has not confirmed wormability, the history of HTTP.sys vulnerabilities suggests that such attacks are possible.

Historical Context: HTTP.sys Under Fire

This is not the first time HTTP.sys has drawn security researchers’ attention. In April 2015, MS15-034 (CVE-2015-1635) exposed a remote code execution flaw in the HTTP.sys range header parsing. That vulnerability prompted emergency out-of-band patches and even a U.S. Cyber Command alert. More recently, CVE-2021-31166 was a Use After Free bug in HTTP.sys that could lead to denial of service or remote code execution. Each iteration reinforces a painful reality: the kernel-mode design of the HTTP stack, while performant, greatly amplifies the blast radius of any memory corruption bug.

Affected Systems

Any Windows device where HTTP.sys is enabled is potentially vulnerable. This includes all supported Windows Server versions—from Windows Server 2008 SP2 (with ESU) through Windows Server 2026—and Windows 10/11 client editions, as well as corresponding LTSC releases. In server roles, IIS websites and applications using the HTTP Server API are the primary exposure points. WinRM endpoints (commonly used by PowerShell Remoting) and the Windows Device Portal (TCP 50443) also rely on HTTP.sys and can be attacked remotely if exposed. Even desktop PCs running development web servers or with IIS features installed could be targeted, though they are less likely to be internet-facing.

Immediate Steps: Patch and Mitigate

Install the June 2026 Security Update – The patch is available through Windows Update, Windows Server Update Services (WSUS), and as a standalone download from the Microsoft Update Catalog. It must be deployed urgently, with priority given to internet-facing servers. Reboots are required because the update replaces the kernel driver.

Temporary Workarounds – For systems where immediate patching is impossible, consider the following mitigations (though they are not substitutes for the patch):

  • Disable HTTP.sys entirely if the server does not need to handle HTTP traffic. This can be done by stopping and disabling the “HTTP Service” kernel driver (sc config HTTP start= disabled), but this may break critical functionality.
  • Restrict access to vulnerable HTTP endpoints using firewall rules or IP whitelisting, allowing only trusted management networks.
  • If IIS is used solely for static content, consider switching to a non-HTTP.sys-based backend or placing a reverse proxy in front that can inspect and reject malformed requests.

Detection and Verification – To determine if a system is vulnerable, check the version of %SystemRoot%\System32\drivers\HTTP.sys using PowerShell:

(Get-Item C:\Windows\System32\drivers\HTTP.sys).VersionInfo.FileVersion

Compare the version against the list of updated binaries in the Microsoft Knowledge Base article (KBXXXXXX) for June 2026. For example, on a patched Windows Server 2022, the file version should be 10.0.20348.1234 or higher. If the version is older, the system is at risk.

Patching Strategy for Enterprise Environments

For organizations managing fleets of servers, the following rollout approach is recommended:

  1. Inventory and Prioritize – Scan all assets to identify those running HTTP.sys. Prioritize internet-facing systems, domain controllers, and servers hosting critical applications.
  2. Test in a Staging Environment – Deploy the patch to a representative non-production environment first, especially if you rely on custom IIS modules or third-party applications that interact with HTTP.sys. Watch for any anomalies in request handling.
  3. Automate Deployment – Use WSUS, Microsoft Endpoint Configuration Manager, or Azure Update Manager to push the update across your server estate. Plan for maintenance windows that include reboots.
  4. Validate Post-Patching – After updating, re-run the PowerShell version check and perform functional tests on key web applications to ensure they are operating correctly.

Early reports from system administrators on public forums and the Microsoft Tech Community indicate that the patch rollout has been smooth for most, but a few have reported compatibility issues with custom ISAPI filters or URL rewrite rules. Testing before widespread deployment is therefore imperative.

Broader June 2026 Patch Tuesday Landscape

While CVE-2026-47291 is the headliner, the June 2026 Patch Tuesday release addressed over 70 vulnerabilities in total. Among them, a zero‑day elevation‑of‑privilege in the Windows Common Log File System Driver and a critical remote code execution in Microsoft Message Queuing also demand attention. However, the HTTP.sys vulnerability takes precedence because of its low attack complexity, widespread footprint, and kernel‑level impact. Organizations should still review the full Security Update Guide and apply all applicable patches, but treat CVE-2026-47291 as their highest‑priority item.

Long‑Term Defense: Hardening HTTP.sys Exposure

This vulnerability serves as a stark reminder to review the attack surface of HTTP.sys in your environment:

  • Disable Unused Features – Remove the IIS role or the HTTP Server API feature on machines that do not need them.
  • Segment Networks – Place application servers behind load balancers and restrict direct internet access. Use VPNs or Azure Bastion for administrative access via WinRM.
  • Implement Request Filtering – Even though a patch is the ultimate fix, additional layers such as web application firewalls (WAFs) can help detect and block exploitation attempts.
  • Adopt a Robust Patch Management Policy – Define SLAs for critical patches (ideally within 48 hours) and enforce them through automation.

Looking Ahead

Microsoft’s Security Response Center has indicated that they are already seeing active exploitation attempts in the wild, though these may be limited at the time of writing. History teaches that HTTP.sys vulnerabilities are a favorite target for advanced persistent threats and ransomware groups due to the ease of scanning and exploitability. If your Windows servers are not yet patched, every passing hour increases the risk. Head to Windows Update now, grab the June 2026 cumulative update, and protect your infrastructure before it is too late.