
CVE-2026-47291: Patch the HTTP.sys RCE Before It Worms Your Windows Servers


Microsoft’s June 2026 Patch Tuesday set an all-time record at 206 CVEs, and the three zero-days grabbed every headline. That worked out nicely for CVE-2026-47291 — a 9.8 CVSS integer overflow in Windows HTTP.sys that Microsoft quietly flagged “Exploitation More Likely.” It is not a zero-day, which is exactly why you should treat it as your top patch priority right now.

What HTTP.sys Is and Why This Matters

HTTP.sys is Windows’ kernel-mode HTTP driver. It sits beneath IIS, Windows Remote Management (WinRM), Windows Admin Center, and any .NET application using HttpListener on Windows. When HTTP.sys has a vulnerability, it is not an application-layer problem — it is a kernel-level problem affecting every service riding on the Windows HTTP stack.

CVE-2026-47291 is an integer overflow in HTTP.sys triggered by crafted HTTP requests. An attacker who can reach your server over the network can send a malformed request that causes the integer to wrap around, resulting in arbitrary code execution at the kernel level. No authentication. No user interaction. Full SYSTEM access on a successful exploit.

Are You Actually Affected?

Here is the nuance the headlines missed: systems running the default MaxRequestBytes value of 16,384 bytes are not affected. The integer overflow only triggers when this registry value has been raised significantly above the default. Run this PowerShell command to check your current value:

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name MaxRequestBytes -ErrorAction SilentlyContinue

If the command returns nothing or returns 16384, you are at the default and this specific overflow path is not reachable. If it returns a value above 65,534, your server is in the vulnerable range. Many enterprises raise this limit for legitimate reasons — large API headers, custom authentication tokens, applications that embed data in request headers. Check before assuming either way.

Why “Exploitation More Likely” Is Not a Throwaway Tag

Microsoft assigns “Exploitation More Likely” when internal data indicates threat actors are actively developing exploit tooling — not just that exploitation is theoretically possible. Combined with the vulnerability’s unauthenticated, network-accessible, kernel-execution profile, this is the classification you take seriously.

The historical parallel is uncomfortable. CVE-2015-1635 (MS15-034) was another HTTP.sys RCE — remote, unauthenticated, kernel-mode. Proof-of-concept code appeared within 24 hours of that patch. The June 2026 patch cycle’s 206-CVE noise gives threat actors a natural cover: security teams are triaging dozens of critical updates simultaneously, and a non-zero-day with CVSS 9.8 gets buried. That is the environment CVE-2026-47291 launched into.

Fix It: Patch or Mitigate Now

Option A — Apply the patch (preferred): Install the June 9, 2026 security updates for your Windows version. For Windows Server 2025, that is KB5094125. For Windows Server 2022, it is KB5094128. The Microsoft Security Response Center advisory covers the complete list of affected versions from Windows 10 through Windows Server 2025, including Server Core installations.

Option B — Registry mitigation while you test: If you need time to validate the patch in staging before rolling to production, reset MaxRequestBytes to the safe default:

$path = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
New-ItemProperty -Path $path -Name MaxRequestBytes -PropertyType DWORD -Value 16384 -Force

One warning: setting MaxRequestBytes to 16,384 will cause HTTP.sys to reject requests larger than 16 KB. If your applications send large headers or body payloads, test this mitigation before applying in production. A broken application is a different kind of outage.

Do Not Forget WinRM

If you disabled IIS but still use WinRM for PowerShell remoting, Azure Arc, or remote server management, you are still running HTTP.sys. WinRM listens on ports 5985 and 5986 through the same HTTP.sys driver. The patch covers both surfaces. Audit all Windows Server endpoints — not just your web servers.
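The following PowerShell audit is an added example, not code from the article or from Microsoft. It ties together the MaxRequestBytes check, the expected KB for the server's OS, the optional registry mitigation, and the IIS-versus-WinRM question above, across a list of servers. The thresholds (16,384 default, vulnerable above 65,534) and the two KB numbers are those the article gives; the OS-caption-to-KB map, the service names W3SVC and WinRM, and the state labels are assumptions.

```powershell
# Added example: audit MaxRequestBytes, patch status and HTTP.sys consumers on
# Windows servers; optionally apply the registry mitigation where it is needed.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$ApplyMitigation
)

$regPath         = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$defaultMax      = 16384   # default value: overflow path not reachable
$vulnerableAbove = 65534   # values above this are in the vulnerable range
# Assumed OS-caption-to-KB map; only the two KBs the article names are known here.
# Fill other versions from the MSRC advisory before relying on the Patched column.
$kbByOs = @{
    'Windows Server 2025' = 'KB5094125'
    'Windows Server 2022' = 'KB5094128'
}

$audit = {
    param($regPath, $defaultMax, $vulnerableAbove, $kbByOs, $apply)
    $raw = (Get-ItemProperty $regPath -Name MaxRequestBytes -ErrorAction SilentlyContinue).MaxRequestBytes
    $effective = if ($null -eq $raw) { $defaultMax } else { [int64]$raw }   # missing value = default
    $state = if ($effective -le $defaultMax)      { 'AtOrBelowDefault' }
             elseif ($effective -gt $vulnerableAbove) { 'VulnerableRange' }
             else                                     { 'RaisedBelowThreshold' }
    # Pick the expected KB from the OS caption; unknown captions yield $null (unknown status).
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $kb = ($kbByOs.GetEnumerator() | Where-Object { $caption -like "*$($_.Key)*" }).Value
    $patched = if ($kb) { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $null }
    # HTTP.sys is in use whenever IIS (W3SVC) or WinRM is running, web role or not.
    $consumers = Get-Service W3SVC, WinRM -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name
    # Mitigate only unpatched hosts in the vulnerable range; patched hosts need no change.
    if ($apply -and $state -eq 'VulnerableRange' -and -not $patched) {
        New-ItemProperty -Path $regPath -Name MaxRequestBytes -PropertyType DWORD -Value $defaultMax -Force | Out-Null
        $state = 'MitigatedToDefault'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; MaxRequestBytes = $effective; State = $state
        ExpectedKB = $kb; Patched = $patched; HttpSysConsumers = ($consumers -join ',')
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit `
    -ArgumentList $regPath, $defaultMax, $vulnerableAbove, $kbByOs, $ApplyMitigation.IsPresent |
    Sort-Object State -Descending | Format-Table -AutoSize
```

Invoke-Command itself rides on WinRM, so the audit reaches every host through the very HTTP.sys surface the article warns about; for a single local check, run `& $audit` with the same arguments instead.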

Patch Now

The Zero Day Initiative’s June 2026 review gives CVE-2026-47291 its highest priority classification despite it not being one of the three zero-days — that should tell you how the security research community reads this one relative to the headline CVEs. The 206-CVE record and the zero-day coverage gave this vulnerability the cover it needed to slip past most security teams’ first triage pass. Do not let it slip past yours. ByteIota covered the HTTP/2 Bomb from the same Patch Tuesday — CVE-2026-47291 is the higher-severity partner that deserves equal urgency.
