VULNERABILITY OVERVIEW
An integer overflow (CWE-190) in the Windows HTTP.sys kernel-mode driver allows a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted HTTP request to an HTTP.sys-backed listener such as IIS or WinRM. Only systems running with a non-default MaxRequestBytes registry value are affected. Microsoft rates the bug 'Exploitation More Likely', a stronger signal than it gave the co-disclosed Kernel RCE, which makes internet-facing IIS and WinRM servers the priority targets. No public exploit is known yet; a registry workaround (enforcing the default MaxRequestBytes) is available as an interim control until the patch is applied.
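The workaround hinges on a single registry value, so the first thing a practitioner wants is a way to tell which hosts are in the affected configuration and to revert them. The PowerShell below is an added example, not code from the advisory or from Microsoft: the registry path and the 16384-byte default are the documented HTTP.sys parameters, while the function name and its -Remediate switch are this example's own.

```powershell
# Added example (not from the advisory): report whether this host runs with a
# non-default MaxRequestBytes, the configuration the advisory says is affected,
# and optionally remove the value so HTTP.sys falls back to its built-in default.
# Assumptions: the documented HTTP.sys parameter key and its 16384-byte default;
# the function name and -Remediate switch are invented for this example.
function Test-HttpSysMaxRequestBytes {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # remove a non-default value instead of only reporting
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $valueName = 'MaxRequestBytes'
    $default   = 16384      # HTTP.sys built-in default (16 KB)

    # Missing value => HTTP.sys uses its built-in default.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName `
                    -ErrorAction SilentlyContinue).$valueName

    if ($null -eq $current) {
        $state = 'DefaultAbsent'      # value not set at all
    } elseif ([uint32]$current -eq $default) {
        $state = 'DefaultExplicit'    # set, but to the default
    } else {
        $state = 'NonDefault'         # the affected configuration
    }

    $result = [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MaxRequestBytes = $current
        State           = $state
        Exposed         = ($state -eq 'NonDefault')
        Remediated      = $false
    }

    if ($result.Exposed -and $Remediate) {
        # Deleting the value restores the default. HTTP.sys reads its parameters
        # when the driver starts, so the change is not live until the HTTP
        # service is restarted (see usage below). Requires an elevated shell.
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
        $result.Remediated = $true
    }

    $result
}

# Usage (elevated PowerShell):
#   Test-HttpSysMaxRequestBytes              # report only; Exposed=True means affected
#   Test-HttpSysMaxRequestBytes -Remediate   # remove the non-default value
#   net stop http /y ; net start http        # restart HTTP.sys so the default applies
#   # then start the services that stopped with it, e.g. W3SVC and WinRM:
#   Start-Service W3SVC ; Start-Service WinRM
```

Two caveats before rolling this out fleet-wide. First, MaxRequestBytes is usually raised on purpose, typically so that clients with very large Kerberos tokens or long query strings stop receiving HTTP 400 "Request Too Long" responses; reverting to the default will bring those failures back for such clients, so confirm why the value was set before removing it. Second, the value only takes effect after HTTP.sys restarts, which takes IIS and WinRM down with it, so schedule the restart rather than treating the registry change alone as mitigation.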
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H · I:H · A:H
(vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8)
AFFECTED VERSIONS
Windows 10, Windows 11, and Windows Server 2016/2019/2022/2025 (all versions) running with a non-default MaxRequestBytes registry value; systems at the default MaxRequestBytes are not affected; fixed in the June 2026 Patch Tuesday update.
CITATIONS
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291
- https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
- https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-6-zero-days-200-flaws/
- https://threat-modeling.com/microsoft-june-2026-patch-tuesday-critical-cves/