An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" request header that triggers a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) while it processes packets, resulting in a kernel crash.

iveresk/cve-2022-21907-http.sys

cve-2022-21907-http.sys by 1vere$k

CVE-2022-21907 - Double Free in http.sys driver.

Summary

An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" request header that triggers a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) while it processes packets, resulting in a kernel crash.

Vulnerable systems

  • Windows Server 2019 and Windows 10 version 1809: not vulnerable by default, unless you have set HTTP Trailer Support.
  • Windows 10 version 2004 (build 19041.450): vulnerable.
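
A defender-side check for the conditions listed above, as an added example that is not part of this repository. It assumes the registry path and the `EnableTrailerSupport` value name given in Microsoft's advisory for CVE-2022-21907 (neither appears on this page), treats any non-zero value as enabled, and uses hypothetical function names.

```powershell
# Added example (not from this repository). Function names are hypothetical.
# Assumption: registry path and value name are from Microsoft's advisory for
# CVE-2022-21907; any non-zero value is treated as "enabled".
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-TrailerSupportState {
    param([string]$Path = $HttpParams, [string]$Name = 'EnableTrailerSupport')
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'absent' }
    if ([int]$item.$Name -ne 0) { return 'enabled' }
    return 'disabled'
}

function Get-HttpSysExposure {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $driver  = Join-Path $env:SystemRoot 'System32\drivers\http.sys'
    $trailer = Get-TrailerSupportState

    # 17763 = Windows Server 2019 / Windows 10 1809, 19041 = Windows 10 2004.
    $assessment = switch ($build) {
        17763 {
            if ($trailer -eq 'enabled') {
                'Trailer support is set: matches the non-default vulnerable configuration'
            } else {
                'Default configuration: not vulnerable per the list above'
            }
        }
        19041   { 'Version 2004 is listed as vulnerable (build 19041.450); confirm the installed update level' }
        default { 'Build is not covered by the list above; consult the vendor advisory' }
    }

    [pscustomobject]@{
        Build          = "$build.$($cv.UBR)"
        HttpSysVersion = (Get-Item $driver).VersionInfo.ProductVersion
        TrailerSupport = $trailer
        Assessment     = $assessment
    }
}

Get-HttpSysExposure | Format-List
```

The script only reads configuration and version data; it does not determine whether the fixing update is installed.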

Contact

You are free to contact me via Keybase for any details.
