Critical RCE Vulnerability in Windows HTTP Stack

Summary

The Windows HTTP Stack has a critical RCE vulnerability, which could allow an unauthenticated remote attacker to gain full control of a system.


Threat details

Introduction

Microsoft has released security updates to fix CVE-2022-21907, a vulnerability in http.sys with a CVSS v3.1 severity rating of 9.8 (Critical) that affects a number of Windows platforms. The vulnerability was addressed in Microsoft's January 2022 Security Update and the subsequent out-of-band update. CVE-2022-21907 could be exploited to allow an unauthenticated remote attacker to gain full control of a system.


Vulnerability details

CVE-2022-21907 is a vulnerability in http.sys, the HTTP Protocol Stack component that Windows uses to process HTTP requests. It is used by a range of services, most notably Internet Information Services (IIS) for Windows Server. The vulnerability is exposed when the Trailer feature of http.sys is enabled, as it is by default on a number of Windows platforms.

An unauthenticated remote attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable server that uses http.sys to process HTTP requests. Successful exploitation of CVE-2022-21907 could allow a remote attacker to take full control of the system. Microsoft assesses the vulnerability as being wormable and advises patching as a matter of urgency. At the time of publication, there are no reports of exploitation in the wild; however, unverified Proof-of-Concept (PoC) code has been made publicly available. 


Remediation advice

Affected organisations are required to review Microsoft's January 2022 Security Updates and out-of-band security updates and apply the relevant patches in line with their organisation's change control and testing processes.

NOTE: Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default, but the remediation must still be completed on them.



Last edited: 20 January 2022 10:57 am