Windows HTTP.sys Integer Overflow Enables Unauthenticated RCE, "Exploitation More Likely" (CVE-2026-47291)
Scope: Windows Server (All Supported Versions Running IIS, WinRM, or Other HTTP.sys-Dependent Services)
Severity: Red
Also patched in the June 2026 Patch Tuesday cycle, CVE-2026-47291 (CVSS 9.8) is a critical integer overflow in HTTP.sys, the kernel-mode HTTP protocol stack underlying IIS, Windows Remote Management (WinRM), and numerous other Windows services. An unauthenticated remote attacker can execute arbitrary code by sending a single specially crafted packet to any server using the Windows HTTP stack, and Microsoft explicitly rates exploitation as "more likely."

Critically, systems using the default MaxRequestBytes registry value (16384 bytes) are not affected by this specific flaw. Environments that previously increased this value for performance or compatibility reasons are therefore at elevated risk and should be checked first.

Organizations must apply the June 2026 security update to all servers exposing HTTP.sys-dependent services immediately. Where patching cannot happen immediately, verify that the MaxRequestBytes value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters is at or below the safe default and restart the HTTP service; Microsoft's provided PowerShell script applies this interim mitigation.
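The following PowerShell audit script is an added example written for this advisory; it is not Microsoft's mitigation script and not part of the original bulletin. It reads the MaxRequestBytes value from the registry path named above, treats an absent value as the built-in default of 16384 bytes (the safe default stated in the advisory), reports whether the host is exposed, and only when run with -Remediate resets the value and restarts the HTTP service. The function names, the $SafeDefault constant and the assumption that an absent value means the default applies are the example's own.

```powershell
# Added example, not Microsoft's script: audit (and optionally reset) the
# HTTP.sys MaxRequestBytes override relevant to CVE-2026-47291.
# Assumptions: safe default is 16384 bytes (per the advisory); the override
# lives under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; when the
# value is absent, HTTP.sys uses its built-in default.

$SafeDefault   = 16384
$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysMaxRequestBytes {
    # Returns the configured override, or $null when no override exists.
    $item = Get-ItemProperty -Path $ParametersKey -Name 'MaxRequestBytes' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32]$item.MaxRequestBytes
}

function Test-HttpSysMaxRequestBytes {
    param([switch]$Remediate)

    $configured = Get-HttpSysMaxRequestBytes
    $effective  = if ($null -eq $configured) { $SafeDefault } else { $configured }
    $exposed    = $effective -gt $SafeDefault

    $result = [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Configured         = $configured      # $null means the default is in effect
        Effective          = $effective
        ExceedsSafeDefault = $exposed
        Action             = 'None'
    }

    if ($exposed -and $Remediate) {
        # Record the old value (returned in Configured) before lowering it, so the
        # change can be reversed once the June 2026 update is installed.
        Set-ItemProperty -Path $ParametersKey -Name 'MaxRequestBytes' -Value $SafeDefault -Type DWord
        # HTTP.sys reads the key at start-up. -Force also restarts dependents
        # such as W3SVC and WinRM, so this is a brief service outage; if the
        # restart is refused, a reboot applies the change instead.
        Restart-Service -Name 'HTTP' -Force
        $result.Action = "Reset MaxRequestBytes to $SafeDefault and restarted HTTP"
    }
    return $result
}

# Usage: audit only first; remediate once the outage window is agreed.
Test-HttpSysMaxRequestBytes | Format-List
# Test-HttpSysMaxRequestBytes -Remediate | Format-List
```

Run the audit first across the estate (for example via Invoke-Command against the servers in scope) and triage hosts where ExceedsSafeDefault is true; those are the ones the advisory says to check first. Lowering the value restores the safe default but also reinstates the 16 KB request limit, so applications that needed the larger value for long headers or cookies will start receiving request errors until the security update is applied and the override can be restored.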
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.