HTTP.sys CVE-2026-47291: NC SMB IIS Server Defense

CVE-2026-47291 is a CVSS 9.8 unauthenticated Windows HTTP.sys kernel RCE. NC SMB patch plan plus the MaxRequestBytes guardrail. Call (336) 886-3282.

TL;DR: Microsoft's June 9, 2026 Patch Tuesday includes a fix for CVE-2026-47291, an integer-overflow remote-code-execution flaw in the Windows HTTP Protocol Stack (CVSS 9.8). An unauthenticated attacker can send an oversized HTTP request to any Windows host listening on HTTP or HTTPS — IIS, WinRM, Remote Desktop Services Gateway, Print Spooler over HTTP, custom .NET apps — and execute code in kernel mode with SYSTEM privileges. For NC SMBs running an intranet app, a public-facing IIS site, a SharePoint server, or an RDS Gateway, every unpatched HTTP listener is a one-packet-away kernel shell.

Key takeaway: HTTP.sys is the kernel driver that handles every HTTP request on Windows before any web application sees it. A bug there bypasses your WAF rules, your application logic, and your user authentication. Patch in 7 days for internet-exposed hosts, 14 days for internal hosts, and apply the MaxRequestBytes registry mitigation as an interim guardrail.

Worried about your internet-facing IIS server, RDS Gateway, or SharePoint farm? Preferred Data Corporation runs managed patch deployment, server hardening, and IIS / RDS security baselines for NC small businesses. Call (336) 886-3282 or request a server defense review.

What is CVE-2026-47291 and why is it a kernel-mode emergency?

It is an integer-overflow bug in http.sys, the Windows kernel-mode driver that parses every inbound HTTP request before the request ever reaches IIS, Kestrel, WinRM, or any other consumer. Per the Microsoft Security Update Guide entry for CVE-2026-47291, the NVD detail page, and The Hacker News' coverage, the exploit chain is:

  1. Attacker sends an HTTP or HTTPS request with a header field whose length exceeds 65,535 bytes to any Windows host listening on HTTP.
  2. The request-parsing logic in http.sys performs arithmetic on the length value that wraps around (integer overflow).
  3. A subsequent allocation undersizes the buffer, producing a heap overflow in kernel memory.
  4. Carefully crafted overflow contents land attacker-controlled code in kernel context.
  5. The attacker now has SYSTEM privileges with no user, no application, and no authentication boundary above them.

Three reasons NC small businesses are uniquely exposed:

  • HTTP.sys runs on more services than IIS. Per Microsoft's HTTP.sys documentation and the Talos Intelligence June 2026 Patch Tuesday analysis, HTTP.sys also fronts WinRM (port 5985/5986), RDS Gateway, WSUS, Exchange OWA, SharePoint, Print Spooler over HTTP, and any .NET app that uses the HTTP listener API. Most SMBs do not know they have HTTP.sys exposed.
  • Kernel-mode RCE is the worst case. Per Bleeping Computer's coverage of the June 2026 release, a successful exploit hands the attacker SYSTEM with no privilege boundary above. EDR agents that run in user mode have limited ability to detect or interfere with kernel-context exploitation.
  • Every Windows version is in scope. Per the NVD record, Windows 10 (1607 and later), Windows 11 (all supported builds), and Windows Server 2012 through 2025 are affected. For NC SMBs running a mix of Server 2016, 2019, 2022, and 2025, every one is in scope.

For a Charlotte professional-services firm running a SharePoint farm, a High Point manufacturer with a customer-facing IIS portal, or a Greensboro distributor running RDS Gateway for remote sales reps, CVE-2026-47291 is a 7-day patch for anything internet-facing.

Which services on a typical NC SMB Windows server use HTTP.sys?

More than most administrators realize. Per Microsoft's HTTP.sys / HSTS documentation and the Zero Day Initiative June 2026 review, the common SMB Windows roles that bind to HTTP.sys are:

  • IIS web server. Any IIS site, including small intranet apps, customer portals, line-of-business .NET apps, file-share gateways.
  • WinRM (Windows Remote Management). PowerShell remoting endpoint, default ports 5985 (HTTP) / 5986 (HTTPS). Common on every domain-joined Windows Server.
  • Remote Desktop Services Gateway. The HTTP front-end that lets remote users tunnel RDP over HTTPS.
  • SharePoint, Exchange OWA, ECP. All front-ended by IIS / HTTP.sys.
  • WSUS. Patch distribution server — ironic but real.
  • Print Spooler over HTTP / IPP. Where enabled, the IPP endpoint binds to the HTTP.sys listener.
  • Custom .NET apps using HttpListener. Any in-house dev that binds to a URL prefix uses HTTP.sys.

  Service                    | Default port  | Internet-exposed risk          | Internal LAN risk
  ---------------------------|---------------|--------------------------------|------------------------------
  IIS / customer portal      | 80 / 443      | Critical — patch in 7 days     | Critical — patch in 14 days
  RDS Gateway                | 443           | Critical — patch in 7 days     | High
  WinRM                      | 5985 / 5986   | Should not be internet-exposed | Critical — patch in 14 days
  WSUS                       | 8530 / 8531   | Should not be internet-exposed | High
  SharePoint / Exchange OWA  | 443           | Critical — patch in 7 days     | Critical
  Custom .NET HttpListener   | Varies        | Audit and patch                | Audit and patch

What is the MaxRequestBytes mitigation and when does it help?

It is a registry-level cap on the size of HTTP request headers that HTTP.sys will accept. Per the Microsoft Security Update Guide entry for CVE-2026-47291, the Windows Forum technical write-up, and IONIX's threat-center analysis, systems running the default MaxRequestBytes value are not exposed to the published exploit path because the oversized request is rejected before the vulnerable integer-overflow path executes.

The registry path:

HKLM\System\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes

The mitigation logic:

  • If MaxRequestBytes is at the Windows default (16384, or the build's system default when the value is not set), HTTP.sys rejects the >65,535-byte request before the overflow path runs.
  • If a custom value has been set higher than 65,535 — common for SharePoint farms, large .NET apps, or legacy line-of-business apps that pass big SAML tokens or large Kerberos PAC blobs in headers — the system is exposed.
  • The patch is the durable fix; the registry value is an interim guardrail while patches are tested and staged.

Quotable definition: CVE-2026-47291 is an integer-overflow in Windows HTTP.sys that lets an unauthenticated attacker send an oversized HTTP header to any Windows host listening on HTTP and execute code in kernel mode as SYSTEM. No credentials, no user click, no application bug required — only an open TCP port and an unpatched build.

Need someone to inventory every HTTP listener on your Windows fleet by Friday? Call (336) 886-3282 or book a server defense review.

What should an NC small business do in the next 14 days?

Run a four-step plan that patches internet-facing first, then internal, with a temporary registry guardrail. The plan:

  1. Inventory every HTTP listener (day 1-3). Use netsh http show servicestate on every Windows Server to enumerate every URL prefix bound to HTTP.sys. Per Microsoft's documentation, this lists every IIS site, WinRM listener, RDS Gateway, custom .NET HttpListener, and Print Spooler IPP binding on the system. Tag by exposure: public-facing, DMZ, internal LAN, isolated.
  2. Patch internet-facing hosts in 7 days, internal hosts in 14 days (day 1-14). Push the June 9, 2026 cumulative update via Intune, WSUS, or RMM. Verify build numbers against Microsoft's release notes. Restart hosts to load the patched http.sys.
  3. Apply the MaxRequestBytes guardrail (day 1-3). For any system that cannot be patched immediately because of change-control windows, verify MaxRequestBytes is at the default. If a custom higher value is required for SharePoint or a legacy app, document the exposure and prioritize patching.
  4. Audit and restrict exposure (day 3-14). WinRM should never be reachable from the internet. RDS Gateway should sit behind MFA. Customer portals belong on a WAF. Print Spooler over HTTP should be disabled where not required.
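The listener inventory (step 1) and the MaxRequestBytes check (step 3, and the mitigation logic above) can be scripted on each server. The following is an added example written for this post, not PDC's own tooling; the port-to-role mapping is an assumption for triage, and the 16384 default and 65,535-byte boundary are the values stated in the post.

```powershell
# Added example (not from the original post): inventory HTTP.sys listeners
# and check the MaxRequestBytes guardrail on the local Windows Server.
# Run in an elevated PowerShell session. The port-to-role tags are an
# assumption for illustration; adjust them to your own network inventory.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$threshold = 65535   # header-length boundary named in the advisory

# Step 1: enumerate every URL prefix bound to HTTP.sys. IIS sites, WinRM,
# RDS Gateway, WSUS and custom HttpListener apps all appear in this output.
$urls = netsh http show servicestate |
    Where-Object { $_ -match '^\s*https?://' } |
    ForEach-Object { $_.Trim() } |
    Sort-Object -Unique

# Tag each prefix by port so the list can be triaged by exposure.
$roleByPort = @{ '80'   = 'IIS';            '443'  = 'IIS / RDS Gateway / OWA';
                 '5985' = 'WinRM';          '5986' = 'WinRM (HTTPS)';
                 '8530' = 'WSUS';           '8531' = 'WSUS (HTTPS)' }

$inventory = foreach ($u in $urls) {
    $port = if ($u -match ':(\d+)/') { $Matches[1] } else { 'n/a' }
    [pscustomobject]@{
        Url  = $u
        Port = $port
        Role = if ($roleByPort.ContainsKey($port)) { $roleByPort[$port] } else { 'custom / unknown - audit' }
    }
}
$inventory | Format-Table -AutoSize

# Step 3: read MaxRequestBytes. A missing value means the build default
# (16384 per the post) applies and the guardrail is in place; a custom
# value above 65535 means oversized requests reach the vulnerable path.
$p = Get-ItemProperty -Path $regPath -Name MaxRequestBytes -ErrorAction SilentlyContinue
if ($null -eq $p) {
    Write-Output "MaxRequestBytes: not set (build default) -> guardrail in place"
} elseif ($p.MaxRequestBytes -gt $threshold) {
    Write-Warning "MaxRequestBytes=$($p.MaxRequestBytes) exceeds $threshold -> EXPOSED until patched; document and prioritize"
} else {
    Write-Output "MaxRequestBytes=$($p.MaxRequestBytes) -> guardrail in place"
}
```

Any prefix tagged "custom / unknown" is an in-house HttpListener or third-party binding that needs an owner assigned before the 7-day / 14-day clock expires.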

Key takeaway: Patch + listener inventory + MaxRequestBytes guardrail + exposure audit = a defensible answer to CVE-2026-47291. Leaving out any one of the four leaves the SMB exposed to the next HTTP.sys variant as well.

How does Preferred Data Corporation help close CVE-2026-47291 for NC SMBs?

PDC has run managed Windows fleets, IIS hardening, and RDS Gateway deployments for NC small businesses since 1987. We bring four things to the CVE-2026-47291 response:

  • Managed cybersecurity services: Inventory HTTP listeners with netsh, push the June 9, 2026 cumulative update, verify build numbers, apply MaxRequestBytes guardrail, document evidence for CMMC and cyber insurance.
  • Network infrastructure and firewall management: Validate that WinRM, WSUS, and Print Spooler are not internet-exposed, place RDS Gateway behind MFA, and position customer-facing IIS sites behind a WAF.
  • Managed IT services: Day-to-day server, Active Directory, and patch-cycle administration with documented change windows for SMB environments where downtime is expensive.
  • Cybersecurity assessments: CMMC and NIST SP 800-171 control mapping for flaw remediation, gap analysis against 7-day / 14-day patching cadence, evidence preparation for assessors and cyber insurance renewal.

For NC manufacturers in High Point and the Piedmont Triad with shop-floor MES portals, NC distributors in Greensboro and Winston-Salem with customer order portals, and NC professional services firms in Charlotte and Raleigh with SharePoint or RDS Gateway, the CVE-2026-47291 response is a managed-program task, not a one-time patch.

Ready to lock down your NC Windows servers against CVE-2026-47291? Call (336) 886-3282 or book a server defense review.

Frequently Asked Questions

Is CVE-2026-47291 actively exploited in the wild?

As of late June 2026, Microsoft has placed CVE-2026-47291 on its "exploitation more likely" list but has not confirmed in-the-wild attacks. Per Windows Forum's analysis and IONIX's threat-center entry, no public proof-of-concept code has been released yet, but historical patterns suggest PoC within weeks for unauthenticated network RCE flaws.

Does this affect Linux servers?

No. HTTP.sys is a Windows kernel driver. Linux-based web servers (Apache, Nginx, Caddy) are not affected by CVE-2026-47291. Cross-platform .NET apps running on Linux via Kestrel are unaffected because Kestrel does not use HTTP.sys outside of Windows.

Can our WAF block the exploit?

A WAF that inspects HTTP request sizes and rejects requests with header fields larger than 65,535 bytes provides defense-in-depth, but is not a substitute for the patch. Per Talos Intelligence's June 2026 Patch Tuesday Snort rule release, IDS signatures and WAF rules complement, but do not replace, kernel-level patching.

What about Server 2012 R2 — is it still supported?

Server 2012 / 2012 R2 reached end of extended support in October 2023. Per Microsoft's lifecycle policy, patches for those builds ship only through paid Extended Security Updates (ESU). Any NC SMB still on Server 2012 should plan migration as part of the CVE-2026-47291 response.

Does this affect Azure-hosted IIS workloads?

Azure VMs running Windows Server are responsible for their own OS patching under the shared-responsibility model. PaaS services like Azure App Service are patched by Microsoft on the platform side, but customer-managed Azure VMs are in scope for CVE-2026-47291 and need the June 9, 2026 cumulative update.

Will the patch affect SharePoint or legacy line-of-business apps?

Per Microsoft's release notes, the patch corrects the integer-overflow path without changing the published HTTP.sys API surface. SharePoint and legacy apps that rely on standard HTTP request handling should be unaffected. Apps that depend on accepting >65,535-byte header fields should be tested in a staging environment before production deployment.