{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http.sys/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21250"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows 11","Windows Server 2022"],"_cs_severities":["high"],"_cs_tags":["local-privilege-escalation","windows","cve-2026-21250","http.sys"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA local privilege escalation vulnerability, CVE-2026-21250, affects Windows 11 24H2 (build 10.0.26100.7780), Windows 11 25H2 (build 10.0.26200.7780), and Windows Server 2022 23H2 (build 10.0.25398.2148). The flaw is in the HTTP.sys kernel driver and is triggered by sending a specially crafted HTTP request to an HTTP.sys-backed service listening on the local machine. The root cause described is a \u003ccode\u003estrcat()\u003c/code\u003e call on attacker-supplied binary data: \u003ccode\u003estrcat()\u003c/code\u003e stops at the first 0x00 byte, so a raw pointer value carried in the request is truncated, and the partial, untrusted pointer is then handed on inside HTTP.sys and dereferenced. The result is a Blue Screen of Death (BSOD) or other memory access errors. 
Successful exploitation allows a local attacker to gain elevated privileges on the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains local access to a vulnerable Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the HTTP service is running (\u003ccode\u003enet start http\u003c/code\u003e). Starting a service requires the SERVICE_START right, which by default only administrators hold, so in practice the chain assumes the service is already running, as it is on any host with IIS, WinRM or another HTTP.sys-based listener.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request carrying an \u003ccode\u003eX-Trigger-Ptr\u003c/code\u003e header whose value is a raw binary pointer rather than printable text.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the local listener (127.0.0.1:80). HTTP.sys only accepts connections on a port once a user-mode application has registered a URL for it, so a listener must already exist on that port.\u003c/li\u003e\n\u003cli\u003eInside the driver, \u003ccode\u003estrcat()\u003c/code\u003e copies the header value only up to its first null byte (0x00), truncating the pointer.\u003c/li\u003e\n\u003cli\u003eThe truncated, untrusted pointer is passed on within HTTP.sys and dereferenced.\u003c/li\u003e\n\u003cli\u003eThe dereference causes a Blue Screen of Death (BSOD) or other memory access errors, potentially opening a path to privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21250 allows a local attacker to elevate their privileges on the targeted Windows system. 
While the exploitation path described above only produces a BSOD, that is, a denial of service, in a real-world scenario an attacker could potentially leverage the vulnerability to gain SYSTEM privileges and with them complete control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Microsoft patch for CVE-2026-21250, which addresses the underlying flaw in HTTP.sys; this is the only complete fix.\u003c/li\u003e\n\u003cli\u003eMonitor for HTTP requests carrying the \u003ccode\u003eX-Trigger-Ptr\u003c/code\u003e header, in particular values that contain non-printable bytes or embedded nulls (Sigma rule \u0026ldquo;Detect Malicious HTTP Request to Trigger CVE-2026-21250\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eWatch for unusual request patterns on port 80, focusing on HTTP GET requests (Sigma rule \u0026ldquo;Detect HTTP Request with Malicious Pointer Payload\u0026rdquo;). Because the request is sent to 127.0.0.1 it never crosses the wire: network sensors will not see it, so this detection has to run on the host.\u003c/li\u003e\n\u003cli\u003eEnable detailed logging for the HTTP service to record incoming and rejected requests (log source: webserver). HTTP.sys writes requests it rejects as malformed to \u003ccode\u003e%SystemRoot%\\System32\\LogFiles\\HTTPERR\u003c/code\u003e, and the \u003ccode\u003eMicrosoft-Windows-HttpService\u003c/code\u003e ETW provider captures per-request detail.\u003c/li\u003e\n\u003cli\u003eDisable the HTTP service where it is not required to reduce attack surface; note that IIS, WinRM and other Windows components depend on it.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-06T16:12:00Z","date_published":"2024-05-06T16:12:00Z","id":"/briefs/2024-05-windows-lpe/","summary":"A local privilege escalation vulnerability exists in Windows 11 24H2, Windows 11 25H2, and Windows Server 2022 23H2 because HTTP.sys truncates an untrusted pointer with strcat() and then dereferences it.","title":"Windows HTTP.sys Local Privilege Escalation Vulnerability (CVE-2026-21250)","url":"https://feed.craftedsignal.io/briefs/2024-05-windows-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Http.sys","version":"https://jsonfeed.org/version/1.1"}
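The attack chain above rests on one C library property: `strcat()` treats its source as a NUL-terminated string, so any binary value that contains a 0x00 byte is cut off there and whatever was already in the destination buffer fills the rest. The following is an added example, not code from the feed item or from Microsoft, that shows this mechanism on a constructed `X-Trigger-Ptr` header value, next to the length-bounded copy that avoids it. The pointer bytes, the header name and the buffer layout are illustrative assumptions; nothing here interacts with HTTP.sys.

```c
/* Added example, not code from the advisory: the strcat() truncation the
 * advisory describes, shown on a header value that carries a raw pointer.
 * The header name and the sample pointer are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTR_BYTES 8u

/* Number of leading bytes of the wire-format pointer before its first 0x00.
 * This is exactly how much of it any str* routine will ever copy. */
size_t bytes_before_nul(const unsigned char ptr[PTR_BYTES]) {
    size_t n = 0;
    while (n < PTR_BYTES && ptr[n] != 0) n++;
    return n;
}

/* Unsafe pattern: binary pointer bytes appended to a text buffer with
 * strcat(). Returns how many pointer bytes actually landed in dst, or
 * (size_t)-1 if dst is too small to hold the whole pointer. */
size_t append_ptr_strcat(char *dst, size_t dst_size,
                         const unsigned char ptr[PTR_BYTES]) {
    char raw[PTR_BYTES + 1];
    memcpy(raw, ptr, PTR_BYTES);
    raw[PTR_BYTES] = '\0';                 /* strcat() needs a terminator somewhere */
    size_t before = strlen(dst);
    if (before + PTR_BYTES + 1 > dst_size) return (size_t)-1;
    strcat(dst, raw);                      /* stops at the first 0x00 inside ptr */
    return strlen(dst) - before;
}

/* Safe pattern: copy the pointer with an explicit length, never as a string.
 * Returns PTR_BYTES, or 0 if dst is too small. */
size_t append_ptr_memcpy(unsigned char *dst, size_t dst_size, size_t used,
                         const unsigned char ptr[PTR_BYTES]) {
    if (used + PTR_BYTES > dst_size) return 0;
    memcpy(dst + used, ptr, PTR_BYTES);
    return PTR_BYTES;
}

/* Reassemble a little-endian 64-bit value from the buffer. After a truncated
 * copy the high bytes are strcat()'s terminator plus stale buffer contents,
 * which is the "random memory access" the advisory warns about. */
uint64_t le_u64(const unsigned char *p) {
    uint64_t v = 0;
    for (size_t i = 0; i < PTR_BYTES; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

int main(void) {
    /* Constructed sample: little-endian bytes of 0x00007FF6DEADBEEF. */
    static const unsigned char ptr[PTR_BYTES] =
        {0xEF, 0xBE, 0xAD, 0xDE, 0xF6, 0x7F, 0x00, 0x00};
    const char prefix[] = "X-Trigger-Ptr: ";
    size_t off = sizeof prefix - 1;

    char text[64];
    memset(text, 'A', sizeof text);        /* stale bytes strcat() leaves behind */
    strcpy(text, prefix);
    size_t copied = append_ptr_strcat(text, sizeof text, ptr);
    printf("strcat copied %zu of %u bytes; driver would read 0x%016llx\n",
           copied, PTR_BYTES,
           (unsigned long long)le_u64((const unsigned char *)text + off));

    unsigned char bin[64];
    memcpy(bin, prefix, off);
    size_t n = append_ptr_memcpy(bin, sizeof bin, off, ptr);
    printf("memcpy copied %zu bytes; driver would read 0x%016llx\n",
           n, (unsigned long long)le_u64(bin + off));
    return 0;
}
```

With the sample pointer, `strcat()` delivers six of the eight bytes; the value read back is `0x41007FF6DEADBEEF`, whose top bytes are the terminator and a leftover `'A'`, not the pointer the sender supplied. A user-mode pointer on x64 always has at least two zero high bytes in little-endian form, so any such value passed through a string routine is truncated. The memcpy variant, with an explicit length, hands over all eight bytes unchanged, which is the check to look for when reviewing code that moves binary header values.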