Microsoft Patches High-Risk Windows HTTP.sys Privilege Escalation Vulnerability (CVE-2026-20929)

CyberDefender 6 mins0

CVE-2026-20929 is a high-impact elevation of privilege vulnerability affecting the HTTP.sys kernel driver in Microsoft Windows.
The flaw allows an attacker with network access and basic authentication to elevate privileges to NT AUTHORITY\SYSTEM by abusing improper access control in the HTTP request handling path.

Because HTTP.sys operates in kernel mode, successful exploitation results in full system compromise, bypassing most user-mode security controls.

Affected Component: HTTP.sys

HTTP.sys is a kernel-mode driver responsible for:

  • Handling HTTP(S) requests
  • Serving IIS and other Windows HTTP-based services
  • Managing request queues and URL ACLs
  • Enforcing access checks before requests reach user-mode services

The vulnerability stems from incorrect authorization checks when processing specially crafted HTTP requests, allowing unauthorized interaction with privileged request queues.

Vulnerability Class

  • Type: Elevation of Privilege
  • Root Cause: Improper access control
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None

This is not a memory corruption bug. It is a logic flaw in how HTTP.sys validates access rights under specific request conditions.

Technical Root Cause

Under certain conditions, HTTP.sys fails to correctly validate:

  • Request queue ownership
  • Security context of the requester
  • URL namespace permissions

An attacker can craft HTTP requests that:

  1. Reach HTTP.sys directly
  2. Bypass intended ACL enforcement
  3. Trigger privileged kernel operations
  4. Execute actions in a SYSTEM context

Because the checks happen inside the kernel, traditional user-mode mitigations do not apply.

Attack Scenario

This is for defensive understanding only. No exploit code is provided.

  1. Attacker gains low-privileged access or valid credentials
  2. Attacker sends crafted HTTP requests to a listening HTTP.sys endpoint
  3. HTTP.sys incorrectly maps the request to a privileged request queue
  4. Kernel executes actions as SYSTEM
  5. Attacker escalates privileges and takes control of the host

This can be chained with:

  • Web service access
  • Credential stuffing
  • Lateral movement techniques

Exploitation Status

  • Public exploit code: No public weaponized exploit
  • Proof-of-concept: Private / research-level only
  • Exploitability: High once a working PoC exists
  • Threat Actor Interest: High (kernel EoP, remotely reachable)

Detection Strategy (Technical)

1. Windows Event Log Indicators

Monitor for unexpected privilege escalation patterns tied to HTTP activity.

Relevant Logs

  • Security Event ID 4672 (Special privileges assigned)
  • Security Event ID 4624 (Logon Type 3 / Network)
  • System logs referencing http.sys

Suspicious Pattern

Network logon → HTTP activity → SYSTEM privileges assigned

2. Sysmon Detection Rules

Rule: Suspicious SYSTEM Process Spawned by HTTP.sys

<EventFiltering>
  <ProcessCreate onmatch="include">
    <ParentImage condition="contains">http.sys</ParentImage>
    <IntegrityLevel condition="is">System</IntegrityLevel>
  </ProcessCreate>
</EventFiltering>

Any SYSTEM-level process indirectly linked to HTTP.sys activity is highly abnormal.

3. Network-Based Detection

Look for:

  • Repeated malformed HTTP requests
  • Abnormal headers or methods
  • High-frequency requests to non-standard HTTP endpoints
  • Requests targeting URL namespaces not exposed publicly

Example Suspicious Behavior

  • Requests sent directly to kernel-handled endpoints
  • Traffic to HTTP.sys without a known IIS site
  • HTTP activity on unexpected ports

4. Endpoint Behavior Indicators

Flag systems where:

  • HTTP.sys is active but IIS is not installed
  • SYSTEM-level processes appear without a known service start
  • Sudden permission changes occur after HTTP requests

Mitigation & Hardening

Immediate Actions

  • Apply Microsoft’s official security update
  • Restrict inbound HTTP access where not required
  • Disable unused HTTP listeners
  • Enforce least-privilege service accounts

Patch / Upgrade Link (Official)

🔗 Microsoft Security Update Guide
https://msrc.microsoft.com/update-guide

(Search for CVE-2026-20929)

Verification After Patching

After applying the patch:

  1. Confirm updated HTTP.sys version
  2. Restart the system (required)
  3. Validate that:
    • HTTP services still function
    • No unexpected SYSTEM processes appear
    • Event logs show normal request handling

Risk Assessment

FactorRisk
Remote ExploitableYes
Kernel-Level ImpactYes
Privilege EscalationSYSTEM
Exploit ChainingVery Likely
Enterprise RiskCritical

Final Notes

  • This vulnerability is extremely valuable to attackers
  • Kernel-level EoP flaws are often chained with phishing or web access
  • Detection must rely on behavior, not signatures
  • Patch deployment should be high priority

CyberDefender