Threat Response – Vulnerability in Windows HTTP Stack (CVE-2021-31166)


On May 11, 2021, Microsoft disclosed vulnerabilities in, among others, the HTTP protocol stack (CVE-2021-31166) [1]. On May 16, a public exploit was made available for the vulnerability in the HTTP stack. The impact of exploiting this vulnerability is of significance that we inform you via this message about what the threat entails and how it can be mitigated.


Microsoft has published details about a vulnerability in the HTTP Stack on Windows systems running an HTTP server. The vulnerability is registered as CVE-2021-31166. In specific cases, successful exploitation of the vulnerability can lead to arbitrary code execution on the system.

On May 16, a Proof of Concept was made public for this vulnerability. The vulnerability is exploited to perform a denial of service (DoS) attack, which leads to a blue screen of death (BSOD) on vulnerable systems.

The following Windows versions are vulnerable to CVE-2021-31166:

  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems


At the time of writing, only a public exploit that leads to a denial of service attack is known. In theory, the vulnerability can also be used to perform remote code execution attacks on unpatched systems. The exploit can also be made wormable, which means that it can spread quickly across vulnerable systems.

Therefore, Northwave assesses the impact of the vulnerability as high.


Because a public exploit is available, and the exploit can in theory also be made wormable, Northwave estimates the risk of an attack as high.


Microsoft has released patches to mitigate the vulnerability as part of the May 2021 security updates. Northwave strongly recommends installing these as soon as possible. For more information about the updates, please refer to the Microsoft Security Advisory [1].

What will Northwave do?

Northwave is investigating the possibilities of monitoring the exploitation of this vulnerability and is keeping an eye on further developments. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.




Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.