CVE-2026-33096
Published: 14 April 2026
Summary
CVE-2026-33096 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft Windows 11 23H2. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires applying Microsoft patches to directly correct the out-of-bounds read vulnerability in the HTTP.sys kernel-mode driver.
Denial-of-service protection mechanisms such as rate limiting and traffic shaping prevent the high-impact availability disruption from specially crafted HTTP requests.
Boundary protection with web application firewalls or intrusion prevention systems blocks malformed HTTP requests targeting HTTP.sys over the network before they reach the vulnerable driver.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in public-facing HTTP.sys enables remote unauthenticated DoS via crafted HTTP requests that crash the driver/service, directly matching application/system exploitation for endpoint denial of service.
NVD Description
Out-of-bounds read in Windows HTTP.sys allows an unauthorized attacker to deny service over a network.
Deeper analysisAI
CVE-2026-33096 is an out-of-bounds read vulnerability (CWE-125) in the Windows HTTP.sys kernel-mode driver, which handles HTTP requests for IIS and other web services on Windows systems. Published on 2026-04-14T18:17:31.593, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with network accessibility and low attack complexity.
An unauthorized remote attacker can exploit this vulnerability by sending specially crafted HTTP requests over the network to a vulnerable Windows system. No privileges, user interaction, or special conditions are required, enabling unauthenticated denial-of-service attacks that trigger the out-of-bounds read, potentially crashing the HTTP.sys driver or causing high resource consumption that renders affected services unavailable.
Microsoft's Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33096 details available patches and recommended mitigations for this vulnerability.
Details
- CWE(s)