What is Windows HTTP Protocol Stack (http.sys)?
The Windows HTTP Protocol Stack (http.sys) is a kernel-mode driver that processes all HTTP/1.1 and HTTP/2 traffic on Windows systems. Rather than each web application handling raw TCP connections, http.sys operates at the kernel level and dispatches HTTP requests to IIS, WinRM, WCF, and other HTTP-based services. Because http.sys runs in kernel mode with SYSTEM privileges, vulnerabilities in this component are especially severe — a successful exploit achieves full SYSTEM-level code execution directly from a network request, without requiring any user interaction or authentication.
Overview
CVE-2021-31166 is a use-after-free (CWE-416) vulnerability in the Windows HTTP Protocol Stack (http.sys) affecting the processing of HTTP chunked transfer encoding headers. An unauthenticated attacker can send a specially crafted HTTP request to trigger the UAF condition, potentially achieving code execution in the Windows kernel context (SYSTEM privileges). Microsoft rated this vulnerability as wormable — meaning a successful exploit could self-propagate from system to system without user interaction, similar in behavior potential to MS17-010 (EternalBlue). The vulnerability affects only Windows 10 version 2004 and 20H2, and Windows Server version 20H2. Despite the wormability concern, CISA did not add this to KEV until April 2022 — nearly one year after the patch.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 version 2004 | Yes | KB5003173 |
| Windows 10 version 20H2 | Yes | KB5003173 |
| Windows Server version 20H2 (Server Core) | Yes | KB5003173 |
| Windows 10 version 1909 and earlier | Not affected | N/A |
| Windows Server 2019 and earlier | Not affected | N/A |
Technical Details
The vulnerability resides in http.sys's handling of HTTP chunked transfer encoding — a mechanism that allows HTTP responses and requests to be sent in variable-sized pieces. The use-after-free condition occurs when chunked encoding headers are processed:
- Root cause: Use-after-free (CWE-416) in
http.sys— during chunked transfer encoding processing,http.sysfrees a memory object while a reference to it remains accessible. A subsequent access to the freed memory creates the UAF condition - Attack vector: A single crafted HTTP request to any service using
http.sys(including IIS, WinRM, or the Windows Remote Management service) triggers the vulnerability - No authentication required: The malformed request is processed before any authentication is evaluated
- Kernel mode execution:
http.sysruns in kernel mode — successful exploitation achieves NT AUTHORITY\SYSTEM kernel-level code execution - Wormability: The exploit requires no user interaction and can be triggered remotely, making it suitable for a self-propagating worm that scans for and infects vulnerable systems automatically
- Scope limitation: Only Windows 10 v2004 and 20H2 are affected. Earlier Windows 10 versions and Windows Server 2019 use an older
http.syscode path that is not vulnerable
Discovery
Reported to Microsoft by an external security researcher. Microsoft's internal analysis determined the wormability classification and assigned the patch to May 2021 Patch Tuesday. Security researchers published proof-of-concept code demonstrating a crash (DoS) within days of the patch release.
Exploitation Context
Despite the alarming wormability rating, CVE-2021-31166 did not result in a major worm outbreak comparable to EternalBlue — likely because the affected versions (Windows 10 2004/20H2) represent a smaller portion of the enterprise install base than the Windows Server versions affected by EternalBlue, and because WinRM/HTTP services are more often firewalled than SMB. CISA's April 2022 KEV addition reflects confirmed in-the-wild exploitation, though on a more limited scale than initially feared. The 11-month gap between patch and KEV addition suggests exploitation remained targeted rather than widespread. Organizations running Windows Server 20H2 (Server Core) with internet-facing WinRM or IIS represent the primary risk.
Remediation
- Apply KB5003173 (Windows 10 version 2004/20H2 and Windows Server 20H2) from May 2021 Patch Tuesday immediately
- Verify affected Windows versions via
winver— the patch only applies to Windows 10 v2004 and 20H2; earlier versions are not vulnerable - If immediate patching is not possible, disable HTTP access to WinRM and restrict IIS internet exposure until patching is complete
- Ensure Windows Update is configured to apply security patches promptly — kernel-level http.sys vulnerabilities represent the highest priority patch category
- Review Windows Event Logs for unusual HTTP requests or crashes in
http.sys-based services that may indicate prior exploitation attempts - For internet-facing Windows Server 20H2 deployments: prioritize this patch given the SYSTEM-level exploit potential
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-31166 |
| Vendor / Product | Microsoft — HTTP Protocol Stack |
| NVD Published | 2021-05-11 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-416 find similar ↗ |
| CISA KEV Added | 2022-04-06 |
| CISA KEV Deadline | 2022-04-27 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2021-05-11 | Microsoft patches CVE-2021-31166 in May 2021 Patch Tuesday; Microsoft rates it as wormable |
| 2021-05-16 | Public proof-of-concept published demonstrating crash/DoS; later extended to RCE |
| 2021-05-11 | CVE published |
| 2022-04-06 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2021-31166 | Vendor Advisory |
| NVD — CVE-2021-31166 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |