Microsoft’s latest security advisory warns of a high-severity elevation of privilege vulnerability in the Windows HTTP protocol stack, known as HTTP.sys, that could allow an attacker to gain full SYSTEM-level access on an affected machine. Tracked as CVE-2026-21240, the flaw affects all supported versions of Windows and Windows Server and has been rated with a CVSS score of 7.5, indicating significant risk — especially for Internet-facing systems.

What is HTTP.sys and Why Should You Care?

HTTP.sys is a kernel-mode driver that handles HTTP traffic for several critical Windows components. It receives and processes HTTP requests before passing them on to Internet Information Services (IIS), the Windows HTTP Server API, and various built-in management endpoints. Because it runs at the highest privilege level — the kernel — any bug in this driver that allows memory corruption or logic abuse can be directly exploited to take complete control of the operating system.

This isn’t just an IIS problem. While IIS is the most visible user of HTTP.sys, many internal Windows services and third-party applications rely on the driver to listen for web traffic. Print servers, Windows Admin Center, Exchange Server, and even some development frameworks depend on it. That broad footprint means a vulnerability in HTTP.sys can cast a wide net across an organization’s entire server infrastructure.

What Exactly Is the Vulnerability?

According to Microsoft’s Security Update Guide, CVE-2026-21240 is an elevation of privilege vulnerability in HTTP.sys. Public vulnerability databases, including the NVD, rate it with a CVSS v3.1 score of 7.5 (High), with the following key characteristics:

  • Attack vector: Network (AV:N) — meaning it can be exploited remotely over HTTP.
  • Privileges required: Low (PR:L) — a standard user account or a low-privileged process on the system is enough to trigger the flaw.
  • User interaction: None (UI:N) — the attack does not require any action from a logged-in user.
  • Impact: Elevation of privilege — successful exploitation grants the attacker SYSTEM-level access.

Microsoft’s advisory is intentionally concise, withholding precise exploit mechanics to give defenders a head start before attackers can develop working exploits. However, security researchers who regularly monitor Windows kernel patches have already started analyzing the fix to infer the root cause. Although no public proof-of-concept code has emerged yet, the combination of a network attack vector and low privilege requirements makes this vulnerability a prime candidate for weaponization once details become public.

How Serious Is the Threat?

For businesses running Internet-facing IIS servers or any system where HTTP.sys is exposed to untrusted networks, this is an emergency-patch situation. An attacker who can send a specially crafted HTTP request to a vulnerable server could potentially escalate from a limited foothold — perhaps a low-privileged web application compromise — to owning the entire machine. In a cloud or hybrid environment, that single compromised server could become a beachhead for lateral movement.

Even for internal servers not directly reachable from the internet, risk remains high. Many enterprise environments expose HTTP.sys-based management consoles (like Windows Admin Center) on internal networks. A malicious insider or an attacker who has already breached a workstation could use this elevation primitive to move to a more valuable server. Past HTTP.sys vulnerabilities, such as MS15-034 (a remote code execution flaw patched in 2015) and CVE-2021-31166 (a denial-of-service bug targeted in attacks), demonstrate just how quickly these bugs can go from advisory to active exploitation.

What Systems Are Affected?

While Microsoft has not published an exhaustive list of affected Windows builds in the initial advisory, both historical patterns and the nature of the component suggest that all current Windows client and server editions with HTTP.sys enabled are vulnerable. This includes:

  • Windows Server 2016, 2019, 2022, and future versions
  • Windows 10 and Windows 11 (any edition)
  • Windows Server Core installations with the IIS role or HTTP Server API enabled

Because HTTP.sys is part of the base Windows kernel, it is present even on systems where IIS is not installed. The mere existence of the driver, however, does not automatically mean a system is exploitable; an attacker must be able to interact with the HTTP listener. But administrators should assume any machine that runs a service bound to port 80, 443, or any custom port using the HTTP Server API is at risk.

What Should You Do Right Now?

1. Apply the Patch Immediately

The only certain mitigation is to install the security updates released by Microsoft. For most enterprises, this means downloading the cumulative update that corresponds to CVE-2026-21240 and deploying it through your standard patch management infrastructure (WSUS, ConfigMgr, Intune, or third-party tools). Microsoft typically releases these fixes on Patch Tuesday, but urgent out-of-band updates are not unprecedented for HTTP.sys flaws.

Key actions:
- Identify the exact KB number for your Windows build from Microsoft’s Security Update Guide.
- Prioritize patching Internet-facing servers first, then internal high-value assets, and finally workstations.
- Pilot the update on a small representative set of hosts before wide rollout to test for compatibility issues.

2. Reduce Exposure While You Patch

If you cannot immediately patch all systems, take these temporary measures to limit attack surface:

  • Block external access: Use perimeter firewalls to block inbound HTTP/S traffic to any IIS server or custom web service that does not need to be reachable from the internet.
  • Disable unnecessary HTTP.sys listeners: Stop any non-essential services that depend on the HTTP Server API. For IIS, consider unbinding websites that are not in active use.
  • Insert a reverse proxy or WAF: Place Internet-facing applications behind a web application firewall that can filter unusual or malformed HTTP requests until patches are applied.

3. Harden Server Configuration

  • Remove unused IIS modules to reduce the code that parses incoming requests.
  • Disable HTTP features like HTTP/2 or trailer support if they are not required for your applications and Microsoft confirms this reduces risk for the specific CVE.
  • Apply strict request size limits at the WAF or proxy level to make exploitation more difficult.

4. Strengthen Detection and Monitoring

Set up enhanced logging and alerts to catch exploitation attempts before they succeed:

  • Monitor Windows Event Logs for crashes in HTTP.sys (watch for Blue Screen errors referencing http.sys).
  • Correlate crash dumps with inbound web requests — a sudden spike in crashes after a new HTTP pattern could indicate probing.
  • Watch for unexpected child processes spawning under IIS worker processes or services that host the HTTP stack, as these could be signs of successful privilege escalation.
  • Use network intrusion detection to flag malformed HTTP requests (unusual header lengths, repeated abnormal sequences).

Home and Small Business Users

If you are running Windows 10 or 11 at home, the risk is significantly lower since you likely do not have an Internet-accessible web server. However, if you host any application that listens on an HTTP port (e.g., a development environment, a personal media server), you should still install the update immediately. Enable automatic updates to ensure you receive the patch without delay.

The Bigger Picture: A History of HTTP.sys Vulnerabilities

HTTP.sys has been a favored target for both vulnerability researchers and real-world attackers because of its kernel-mode power and widespread deployment. In 2015, MS15-034 (CVE-2015-1635) exploited an integer overflow in HTTP.sys parsing to achieve remote code execution on unpatched IIS servers — a flaw that was quickly weaponized into mass-scanning tools. Since then, Microsoft has patched at least a dozen critical or high-severity HTTP.sys bugs, including several that were exploited in the wild.

This history matters for two reasons:

  1. Patch timelines are shrinking. Once a patch is released, attackers reverse-engineer the fix to create exploits within days, not weeks. Delaying deployment is the leading cause of compromise after an advisory.
  2. Attack chaining is common. An elevation of privilege like CVE-2026-21240 is often the final link in a kill chain, turning a minor code-execution flaw into a full system takeover. Organizations that have already suffered other breaches may find this vulnerability weaponized against them retroactively.

Looking Ahead

Microsoft’s terse disclosure is a calculated move to give defenders a head start, but the community expects more detailed technical write-ups to appear from security researchers within the next week. If a proof-of-concept exploit surfaces, the urgency of patching will shift from high to critical. The US Cybersecurity and Infrastructure Security Agency (CISA) is likely to add this CVE to its Known Exploited Vulnerabilities catalog if active exploitation is confirmed, which would trigger binding operational directives for federal agencies — and set a strong example for the private sector.

In the meantime, the best defense is to treat CVE-2026-21240 as though a working exploit is imminent. The patch is the only true fix; all other measures buy time. System administrators should aim to have all Internet-facing and critical internal servers updated within 72 hours, and all other systems within two weeks. After patching, continue to monitor for any signs of residual compromise — attackers who gained access before the fix may still be present on the network.

For the latest official guidance, consult Microsoft’s Security Update Guide entry for CVE-2026-21240. The security landscape never stops evolving, but with prompt action and layered defenses, you can keep your Windows environment safe from this latest kernel-level threat.