CVE-2015-1635 — Microsoft HTTP.sys Remote Code Execution Vulnerability

Windows HTTP.sys (MS15-034) — Integer Overflow in Range Header Parsing Enables Kernel RCE on IIS Servers; Public PoC Caused BSoDs; CVSS 9.8

What Is HTTP.sys?

HTTP.sys is the Windows kernel-mode HTTP request handler — a driver (http.sys) that sits at the heart of Windows' web server stack. Rather than handling HTTP in user space, Windows routes all HTTP/HTTPS traffic through HTTP.sys at the kernel level for performance reasons. IIS (Internet Information Services) and other Windows web server technologies (WCF, ASP.NET Web API self-hosted servers) all use HTTP.sys as their underlying request processing engine.

Because HTTP.sys runs in the Windows kernel, a vulnerability in HTTP.sys has direct kernel-level impact: successful exploitation can achieve code execution in the kernel's context, with no privilege escalation required — the attacker goes directly to the highest possible privilege level.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-1635 (also known as MS15-034 or "HttpOys") is a critical remote code execution vulnerability in Windows HTTP.sys caused by improper validation of the HTTP Range header, leading to an integer overflow. An unauthenticated remote attacker can send a specially crafted HTTP request with a malicious Range header to any Windows server running IIS and achieve kernel-level code execution — or, with a simpler payload, trigger an immediate Blue Screen of Death (BSoD). Public proof-of-concept code that caused BSoDs was released on the same day as the patch (April 14, 2015), triggering urgent patching across internet-exposed Windows servers. Patched in MS15-034.

Affected Versions

Windows                        Status
Windows 7 / Server 2008 R2     Vulnerable
Windows 8 / Server 2012        Vulnerable
Windows 8.1 / Server 2012 R2   Vulnerable
Windows Vista / Server 2008    Vulnerable

Systems fully patched with MS15-034 are protected.

Technical Details

Root Cause: Integer Overflow in Range Header Processing

The HTTP Range header is a standard HTTP feature that allows a client to request a specific portion of a resource (e.g., Range: bytes=0-999). HTTP.sys processes Range header values to determine which bytes of the response body to return.

CVE-2015-1635 involves an integer overflow when HTTP.sys performs arithmetic on the range values:

  • The attacker sends a Range header with a very large end value (close to 0xFFFFFFFFFFFFFFFF)
  • HTTP.sys calculates the range length: end - start + 1
  • The arithmetic overflows a 64-bit integer, producing a very small or negative result
  • HTTP.sys allocates a kernel buffer based on the overflowed size
  • Subsequent operations write the actual (large) range data into the undersized buffer, triggering a kernel heap overflow

Impact: BSoD or RCE

The overflow can produce two outcomes depending on the crafted values:

  • BSoD/DoS: Specific Range values reliably crash Windows with a Blue Screen of Death — this was the first effect demonstrated publicly with immediate PoC code
  • RCE: With more precise heap manipulation, the overflow can be leveraged for arbitrary kernel code execution

The BSoD effect was alarming — any internet-facing IIS server was a single HTTP request away from a complete OS crash, with no authentication required. Security teams scanned for and patched this vulnerability at emergency priority.

Exploit Trigger

GET / HTTP/1.1
Host: victim.example.com
Range: bytes=0-18446744073709551615

This single request was sufficient to crash unpatched Windows servers.
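As an added illustration (not code from this advisory or from Microsoft), the Python below mirrors both the root-cause arithmetic described above and the trigger request: unchecked_length shows what end - start + 1 wraps to in 64-bit unsigned arithmetic for the Range value on this page, checked_range shows the clip-then-compute ordering that keeps the length bounded, and flag_request is a detection heuristic run over constructed sample Range values. Function names and sample values are mine.

```python
import re

MASK64 = (1 << 64) - 1          # unsigned 64-bit wraparound mask
SIGN_BIT = 1 << 63              # values at or above this go negative as signed int64


def parse_range(header: str):
    """Parse a single 'bytes=start-end' Range value into (start, end) ints."""
    m = re.fullmatch(r"\s*bytes=(\d+)-(\d+)\s*", header)
    if not m:
        raise ValueError(f"unsupported Range syntax: {header!r}")
    return int(m.group(1)), int(m.group(2))


def unchecked_length(start: int, end: int) -> int:
    """Range length as unvalidated 64-bit arithmetic yields it: end - start + 1
    wrapped modulo 2**64. For end = 0xFFFFFFFFFFFFFFFF and start = 0 this is 0."""
    return (end - start + 1) & MASK64


def checked_range(header: str, content_length: int):
    """Hardened ordering: bound-check and clip BEFORE deriving any size.
    Returns (start, end, length) or None when the range is unsatisfiable."""
    start, end = parse_range(header)
    if start > end or start >= content_length:
        return None                        # unsatisfiable range (HTTP 416)
    end = min(end, content_length - 1)     # RFC 7233: an oversized end is clipped
    return start, end, end - start + 1     # length is now <= content_length


def flag_request(header: str, content_length: int) -> bool:
    """Detection heuristic (assumption: no legitimate resource approaches 2**63
    bytes): flag malformed ranges, reversed ranges, and end values whose
    end - start + 1 would wrap or go negative in 64-bit arithmetic."""
    try:
        start, end = parse_range(header)
    except ValueError:
        return True
    return end < start or end >= SIGN_BIT or unchecked_length(start, end) != end - start + 1


# Constructed sample Range values (not captured traffic); the third is the page's PoC.
SAMPLE_RANGES = [
    "bytes=0-999",
    "bytes=500-1499",
    "bytes=0-18446744073709551615",
    "bytes=18-18446744073709551615",
]


def scan(ranges, content_length: int = 4096):
    """Return the sample values a defender would log and reject."""
    return [r for r in ranges if flag_request(r, content_length)]
```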

Attack Characteristics

Attribute        Detail
Attack Vector    Network — single HTTP request
Authentication   None required
IIS Required     Yes — HTTP.sys serves IIS requests
Immediate PoC    BSoD trigger available day of patch
Kernel Impact    Kernel-level crash or RCE

Discovery

Reported to Microsoft and patched in MS15-034 (April 14, 2015, April Patch Tuesday). The DoS proof-of-concept was publicly released on the same day as the patch by multiple security researchers, including members of the security community who independently identified the vulnerability.

Exploitation Context

  • Same-day PoC: The availability of a reliable DoS PoC on Patch Tuesday April 14, 2015 drove immediate large-scale scanning and exploitation — within hours of the patch release, attackers were crashing unpatched IIS servers across the internet
  • Internet-facing IIS: Windows Server with IIS is the second most common web server after Apache/nginx; hundreds of thousands of internet-facing servers were potentially vulnerable
  • Kernel exploit value: RCE in HTTP.sys gives kernel-level access to the host without any privilege escalation step — among the most severe possible web server vulnerability classes
  • Rapid patch adoption: The visible DoS effect (server crash visible to operators) drove faster-than-usual patching; many organizations emergency-patched outside normal patch cycles
  • CISA KEV (2022): Added February 2022, confirming active exploitation of unpatched Windows servers years after the patch was available

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS15-034 (April 2015). This is the definitive fix for CVE-2015-1635. All Windows versions with current patch levels include this fix.

  2. Verify patch status — run systeminfo and check for KB3042553 (MS15-034) in the installed hotfixes list.

  3. Workaround (if immediate patching is impossible): Disable IIS kernel caching (Output Caching feature settings in IIS Manager, or from an elevated prompt):

    %windir%\system32\inetsrv\appcmd.exe set config /section:system.webServer/caching /enableKernelCache:false

    This disables the kernel-mode cache and prevents exploitation, but impacts performance.

  4. Maintain current Windows patching — organizations running current Windows Update schedules are protected. Any system that has not received updates since the April 2015 Patch Tuesday is exposed.

  5. Web Application Firewall (WAF): A WAF can filter malformed Range headers as a defense-in-depth measure, but patching HTTP.sys is the only complete fix.

Key Details

Property               Value
CVE ID                 CVE-2015-1635
Vendor / Product       Microsoft — HTTP.sys
NVD Published          2015-04-14
NVD Last Modified      2025-10-22
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94 — Improper Control of Generation of Code ('Code Injection')
CISA KEV Added         2022-02-10
CISA KEV Deadline      2022-08-10
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

Date         Event
2015-04-14   Microsoft Security Bulletin MS15-034 released; CVE-2015-1635 patched
2015-04-14   CVE-2015-1635 published by NVD; public PoC (BSoD trigger) released same day
2022-02-10   Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10   CISA BOD 22-01 remediation deadline