CVE-2026-33096
Out-of-Bounds Read in Windows HTTP.sys Causes Remote DoS
Publication date: 2026-04-14
Last updated on: 2026-04-17
Assigner: Microsoft Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_23h2 | to 10.0.22631.6936 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_24h2 | to 10.0.26100.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_25h2 | to 10.0.26200.8246 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_11_26h1 | to 10.0.28000.1836 (exc) |
| microsoft | windows_server_2022 | to 10.0.20348.5020 (exc) |
| microsoft | windows_server_2022_23h2 | to 10.0.25398.2274 (exc) |
| microsoft | windows_server_2025 | to 10.0.26100.32690 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The vulnerability allows an unauthorized attacker to cause a denial of service over a network via an out-of-bounds read in Windows HTTP.sys.
To mitigate this vulnerability, it is recommended to apply the security updates provided by Microsoft as soon as possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an unauthorized attacker to cause a denial of service over a network by exploiting an out-of-bounds read in Windows HTTP.sys.
While this can impact availability, the provided information does not specify any direct effects on confidentiality or integrity of data, which are critical for compliance with standards like GDPR or HIPAA.
Therefore, based on the available data, this vulnerability primarily affects service availability but does not explicitly indicate a compliance impact related to data protection regulations.
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in the Windows HTTP.sys component. It allows an unauthorized attacker to cause a denial of service (DoS) over a network by exploiting this flaw.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can cause a denial of service condition remotely without any privileges or user interaction. This means your system or service relying on Windows HTTP.sys could become unavailable or unresponsive due to this attack.