← back
CVE-2021-31166

HTTP Protocol Stack Remote Code Execution Vulnerability

CVSS 9.8 CRITICALEPSS 99.6%● KEVCWE-416
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8EPSS 99.6%KEV simPoC públicaNuclei Metasploit simPatch
Lifecycle
11 May 2021Metasploit module available
11 May 2021Published on NVD
16 May 2021Public PoC
06 Apr 2022Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A critical flaw in Windows' HTTP protocol stack allows attackers to execute arbitrary code remotely without authentication. This affects core Windows functionality used by many applications and services.

Technical detail

Use-after-free vulnerability (CWE-416) in the HTTP.sys kernel driver enables remote code execution via specially crafted HTTP requests; no authentication required, with direct kernel-level impact and system compromise.

Summary generated and translated by AI from the official description.
HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Affected products
Microsoft · Windows 10 Version 2004Microsoft · Windows 10 Version 20H2Microsoft · Windows Server version 2004Microsoft · Windows Server version 20H2
public PoCs found11
githubgithub.com/0vercl0k/CVE-2021-31166827githubgithub.com/ZZ-SOCMAP/CVE-2021-3116619githubgithub.com/corelight/CVE-2021-3116612githubgithub.com/zha0gongz1/CVE-2021-311668githubgithub.com/0xmaximus/Home-Demolisher8githubgithub.com/y0g3sh-99/CVE-2021-31166-Exploit7githubgithub.com/zecopro/CVE-2021-311665githubgithub.com/mvlnetdev/CVE-2021-31166-detection-rules3githubgithub.com/iranzai/CVE-2021-31166-exploit2githubgithub.com/bgsilvait/WIn-CVE-2021-311660cve_referencepacketstormsecurity.com/files/162722/Microsoft-HTTP-Protocol-Stack-Remote-Code-Execution.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/162722/Microsoft-HTTP-Protocol-Stack-Remote-Code-Execution.htmlhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31166