A researcher has released a proof-of-concept (PoC) exploit for CVE-2021-31166, a use-after-free, highly critical vulnerability in the HTTP protocol stack (http.sys) that could lead to wormable remote code execution (RCE).
Microsoft discovered the flaw internally, releasing a patch in its May 11 Patch Tuesday update. This was the most severe bug in that batch: an http.sys issue that requires neither user authentication nor user interaction to exploit. An exploit would allow RCE with kernel privileges or a denial-of-service (DoS) attack.
Read more…
Source: ThreatPost