CVE-2026-20929 – This vulnerability in Windows HTTP.sys allows a... (How to Fix)

Q: What is the severity of CVE-2026-20929?

CVE-2026-20929 has a CVSS score of 7.5 (HIGH). This vulnerability in Windows HTTP.sys allows authenticated attackers to escalate privileges over a network connection. It affects Windows systems running vulnerable versions of the HTTP.sys driver. Attackers could gain elevated system privileges from a lower-privileged authenticated position.

📋 TL;DR

This vulnerability in Windows HTTP.sys allows authenticated attackers to escalate privileges over a network connection. It affects Windows systems running vulnerable versions of the HTTP.sys driver. Attackers could gain elevated system privileges from a lower-privileged authenticated position.

💻 Affected Systems

Products:

Windows HTTP.sys driver

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022 - specific vulnerable versions to be confirmed via Microsoft advisory

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems using HTTP.sys for web services (IIS, HTTP API applications) are vulnerable. The vulnerability requires an authenticated attacker.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected Windows server, data exfiltration, and lateral movement across the network.

🟠

Likely Case

Privilege escalation to SYSTEM or administrator level, allowing installation of malware, credential theft, and persistence mechanisms on the compromised system.

🟢

If Mitigated

Limited impact with proper network segmentation and least privilege access controls, potentially containing the attack to a single system segment.

🌐 Internet-Facing: HIGH - HTTP.sys is commonly exposed on internet-facing Windows web servers, making them prime targets for exploitation.

🏢 Internal Only: MEDIUM - Internal systems running vulnerable HTTP.sys could be exploited by compromised internal accounts or attackers who have breached the perimeter.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access and network connectivity to vulnerable HTTP.sys service. Exploitation details not publicly available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20929

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart affected systems to complete patch installation.

🔧 Temporary Workarounds

Disable HTTP.sys if not required

windows

Stop and disable the HTTP service if not needed for system functionality

sc stop http
sc config http start= disabled

Network segmentation and firewall rules

all

Restrict network access to HTTP.sys ports (typically 80/443) to only trusted sources

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems running HTTP.sys
Enforce least privilege access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for missing security patches related to HTTP.sys or run: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify patch installation via: wmic qfe list | findstr KB[number] (replace with actual KB from Microsoft advisory)

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) showing unexpected privilege escalation
HTTP.sys error logs showing access violations
Event ID 4624 (logon) followed by privilege escalation patterns

Network Indicators:

Unusual HTTP traffic patterns to HTTP.sys ports from authenticated users
Network connections followed by privilege escalation activities

SIEM Query:

source="windows_security" event_id=4688 AND (process_name="*http*" OR parent_process_name="*http*") AND new_integrity_level="System"

📊 Metadata

CVE ID: CVE-2026-20929

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-284

EPSS Score: 0.08% exploit probability (22.5th percentile)

Published: January 13, 2026

Last Updated: January 16, 2026

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20929 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-20929, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HTTP.sys if not required

Network segmentation and firewall rules

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities