CVE-2022-21907 - Double Free in http.sys driver.
An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" request header that triggers a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) while it processes the packet, resulting in a kernel crash.
Affected versions:
- Windows Server 2019 and Windows 10 version 1809: Not vulnerable by default, unless you have set the HTTP Trailer Support.
- Windows 10 version 2004 (build 19041.450): Vulnerable
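
A host-side check for the conditions listed above, as an added example that is not part of the original page. The registry path and the `EnableTrailerSupport` value name are assumptions taken from Microsoft's advisory for this CVE, not from this page, and the function names are hypothetical; build 17763 is the build number of Windows Server 2019 and Windows 10 version 1809.

```powershell
# Added example: compare this host with the exposure conditions listed above.
# Assumption: path and value name come from Microsoft's advisory, not from this page.
# Patch level is not evaluated here; only the build and the trailer setting are read.
$HttpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$TrailerName = 'EnableTrailerSupport'

function Get-TrailerSupportValue {
    # Returns the DWORD if the value exists, or $null when it is absent (the default).
    $item = Get-ItemProperty -Path $HttpParams -Name $TrailerName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$TrailerName
}

function Get-HttpSysExposure {
    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $ubr     = [int]$cv.UBR
    $trailer = Get-TrailerSupportValue

    if ($build -eq 17763) {
        # Windows Server 2019 / Windows 10 1809: exposure depends on trailer support.
        if ($null -ne $trailer) { $status = 'Matches the vulnerable configuration: EnableTrailerSupport is set' }
        else { $status = 'Not vulnerable in the default configuration' }
    }
    elseif ($build -eq 19041 -and $ubr -eq 450) {
        $status = 'Build listed as vulnerable on this page'
    }
    else {
        $status = 'Build not covered by this page; check the installed updates'
    }

    [pscustomobject]@{
        Build                = "$build.$ubr"
        EnableTrailerSupport = $trailer
        Status               = $status
    }
}

Get-HttpSysExposure | Format-List
```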
You are free to contact me via Keybase for any details.