Security · 2 min read

CVE-2026-47291: Unauthenticated RCE in Windows HTTP.sys via Integer Overflow

Microsoft’s June 2026 Patch Tuesday fixed one of the nastiest Windows bugs of the year. CVE-2026-47291 lives in HTTP.sys, the kernel-mode driver that handles HTTP traffic on Windows. Because that code runs in the kernel and sits underneath IIS, WinRM, WCF and almost anything that listens for HTTP requests, a bug here has a very wide blast radius.

What actually happens

HTTP.sys computes the total size of an incoming request using 16-bit arithmetic. A 16-bit counter tops out at 65,535, so once a request’s header block reaches that size the calculation overflows (CWE-190, integer overflow) and wraps around to a small value. The driver then sizes its kernel pool allocation from the wrapped value, gets a buffer far smaller than the data it is about to copy, and writes past the end of it. The result is a heap buffer overflow in kernel memory.

A remote attacker can trigger this without authenticating and without any user interaction by sending a carefully crafted HTTP request. In the worst case it leads to code execution with kernel privileges, meaning full control of the machine. The advisory rates it CVSS 9.8.

Who is affected

The driver ships across the supported Windows lineup: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (23H2, 24H2, 25H2, 26H1) and Windows Server 2012, 2012 R2, 2016, 2019, 2022 and 2025, including Server Core installs. Any service built on HTTP.sys (IIS, WinRM, WCF, your own web services) is in scope.

There is one detail that changes the picture a lot. The overflow triggers at 65,535 bytes, but MaxRequestBytes, the HTTP.sys limit on the combined size of the request line and headers, ships with a default of 16,384. With that default a request is rejected long before it gets large enough to cause the overflow. Only systems where someone manually raised MaxRequestBytes above 65,535 are exploitable, something admins sometimes do to accept large headers (bulky Kerberos tokens, certain authentication flows). At disclosure there was no evidence of exploitation in the wild.

How to protect yourself

First, install Microsoft’s June 2026 security update for your Windows version. That removes the root cause.

If you can’t patch right away, check this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes

If the value is above 65,535, drop it below that number and restart the HTTP service. Two caveats: restarting HTTP also stops everything that depends on it (IIS, WinRM and any other HTTP.sys listener), so do it in a maintenance window, and whatever large-header use case prompted the higher limit will start failing again with HTTP 400 (request header too long) until you patch and restore it. If the key doesn’t exist or still holds the default, you don’t need to touch anything: your system isn’t in the exploitable range. Even so, patch as soon as you can, because the registry mitigation only closes the known entry point and doesn’t fix the underlying bug.
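The check and the stop-gap mitigation above as a script, added here as an example and not taken from the article or from Microsoft. The 65,535 threshold and the 16,384 default are the article’s numbers; the fallback value, the parameter names and the decision to restart dependent services afterwards are assumptions. The script does not verify whether the June 2026 update is installed, since the page gives no KB number to check for.

```powershell
# Added example: audit HTTP.sys MaxRequestBytes for the CVE-2026-47291 exploitable
# range and, with -Remediate, lower it and restart the HTTP service.
# Run from an elevated PowerShell prompt. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,
    [uint32]$SafeValue = 16384   # assumption: fall back to the documented default
)

$Path      = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name      = 'MaxRequestBytes'
$Threshold = 65535               # article: overflow requires requests above this size

$item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$Name is not set; HTTP.sys uses the default (16,384). Not in the exploitable range."
    return
}

# A DWORD above 0x7FFFFFFF comes back as a negative Int32; mask before converting.
$current = [uint32]($item.$Name -band 0xFFFFFFFF)
if ($current -le $Threshold) {
    Write-Output "$Name = $current (<= $Threshold). Not in the exploitable range."
    return
}

Write-Warning "$Name = $current exceeds $Threshold; requests large enough to trigger CVE-2026-47291 are accepted."

if (-not $Remediate) {
    Write-Output "Re-run with -Remediate to set $Name to $SafeValue and restart the HTTP service."
    return
}

if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $SafeValue and restart HTTP")) {
    Set-ItemProperty -Path $Path -Name $Name -Value $SafeValue -Type DWord

    # HTTP.sys reads the value at start-up. Stopping HTTP takes down its dependents
    # (IIS, WinRM, ...), so record which ones were running and bring them back.
    $dependents = (Get-Service -Name HTTP).DependentServices |
                  Where-Object { $_.Status -eq 'Running' }
    Restart-Service -Name HTTP -Force
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }

    Write-Output "Set $Name = $SafeValue and restarted HTTP plus $($dependents.Count) dependent service(s)."
}
```

Run it without switches first to see where each host stands; on a fleet, push the audit half through your usual remote-execution tooling and only remediate the hosts it flags. Expect the large-header clients that motivated the higher limit to be rejected until the patch is installed and the value restored.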

This wasn’t the only critical 9.8 RCE in that batch. The June 2026 Patch Tuesday was Microsoft’s largest ever, with around 200 CVEs and several zero-days, so applying the full set beats cherry-picking this single fix. If you run Windows servers in production, and especially if you have ever raised MaxRequestBytes, put this one near the top of the list.
