CVE-2022-21907

HTTP Protocol Stack, uninitialized tracker struct via crafted HTTP headers allows RCE

Summary

Field	Value
Driver	`http.sys`
Vulnerability Class	String Handling
Vulnerable Build	`10.0.22621.1` (RTM)
Fixed Build	`10.0.22621.382` (KB5019509)
Exploited ITW	No

The Story

Microsoft classified CVE-2022-21907 as wormable, putting it in the same category as EternalBlue and BlueKeep. The vulnerability sits in http.sys, the kernel-mode HTTP protocol stack driver used by IIS, WinRM, WSDAPI, and other Windows HTTP services. Any Windows system running a service backed by http.sys (including default IIS configurations and WinRM) is reachable from the network with no authentication and no user interaction required.

The bug is deceptively simple in concept: an uninitialized structure in the HTTP trailer header processing path. But the implications of uninitialized kernel memory in a network-facing driver are severe.

Affected Functions

UlpAllocateFastTracker
UlAllocateFastTracker

What Happens When the Trailer Arrives

When an HTTP request arrives with Transfer-Encoding: chunked and includes trailing headers after the final chunk, http.sys invokes the fast-tracker allocation path (UlpAllocateFastTracker / UlAllocateFastTracker) to create a tracking structure for processing the trailers. The allocation routine does not fully initialize all fields of this structure. Certain pointer and length fields retain stale data from previous pool allocations that occupied the same memory region.

When http.sys processes the tracker and treats these uninitialized fields as valid pointers or buffer lengths, it operates on stale data from prior pool usage. Depending on those leftover values, this results in use-after-free dereferences or out-of-bounds writes in kernel pool memory. All of this is triggered remotely by sending a single crafted HTTP request with specific header combinations to any http.sys-backed service.

AutoPiff categorizes this as string_handling with detection rules:

safe_string_function_replacement
unicode_string_length_validation_added

The Path to Remote Code Execution

The uninitialized tracker fields provide a remote kernel memory corruption primitive, but exploiting it requires controlling what data occupies the memory region before the tracker allocation. This is where pool grooming comes in.

The attack proceeds in two phases. First, a series of HTTP requests shapes the kernel pool layout, allocating and freeing pool objects to plant specific pointer values and lengths in the region the tracker structure will later occupy. Then, the triggering request with crafted chunked-encoding trailers causes http.sys to allocate the tracker at the groomed location. The driver follows the stale pointer values as if they were valid, performing reads and writes at influenced addresses. With careful grooming, this yields a kernel read/write primitive sufficient for code execution.

The wormable classification means the exploit can propagate across networks without user interaction: scan for open HTTP ports, send the groomed requests, trigger the tracker allocation, achieve kernel code execution, and repeat on the next host.

Patch Analysis

The patch addresses the vulnerability at multiple levels. It zero-initializes the tracker structure at allocation time, preventing stale pool data from persisting into fields used during trailer processing. It validates string length fields derived from HTTP header values before they are used in memory operations. And it replaces unsafe string handling functions in the trailer parsing path with bounded alternatives (RtlStringCb* variants).

AutoPiff detects this patch pattern through the safe_string_function_replacement rule (which flags substitution of unsafe string routines with bounded alternatives) and the unicode_string_length_validation_added rule (which identifies newly added length checks on UNICODE_STRING structures before they are consumed by copy or comparison operations).

Detection

YARA Rule

rule CVE_2022_21907_HTTP {
    meta:
        description = "Detects vulnerable version of http.sys (pre-patch)"
        cve = "CVE-2022-21907"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "http.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1" wide ascii
        $func_alloc_tracker = "UlpAllocateFastTracker" ascii
        $func_alloc_tracker2 = "UlAllocateFastTracker" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($func_alloc_tracker or $func_alloc_tracker2)
}

ETW Indicators

Provider	Event / Signal	Relevance
Microsoft-Windows-HttpService	Event ID 1 (Request received)	HTTP requests with `Transfer-Encoding: chunked` and trailing headers that trigger the vulnerable fast-tracker allocation path
Microsoft-Windows-HttpService	Event ID 4 (Send response)	Abnormal response patterns or connection resets following trailer header processing failures
Microsoft-Windows-HttpService	Event ID 23 (Parse error)	Malformed chunked-encoding requests that fail parsing after the uninitialized tracker has already been used
Microsoft-Windows-Kernel-Process	Process creation / crash events	Kernel bugcheck (BSOD) or unexpected worker process termination following exploitation attempts
Microsoft-Windows-Security-Auditing	Event ID 5156 (Network connection allowed)	Inbound connections to HTTP.sys-backed ports (80, 443, 5985) from external sources preceding the exploit trigger

Behavioral Indicators

Inbound HTTP requests with Transfer-Encoding: chunked that include abnormal or oversized trailing headers after the final zero-length chunk, targeting IIS, WinRM, or WSDAPI endpoints
Pool grooming phase: a burst of sized HTTP requests to fill and free pool allocations, planting controlled data where the uninitialized tracker structure will be allocated
Trigger request causes UlpAllocateFastTracker to allocate a tracker with stale pointer and length fields, leading to use-after-free dereferences or out-of-bounds writes
Kernel bugcheck (BSOD) on failed exploitation attempts on internet-facing Windows servers running http.sys-backed services
Wormable propagation pattern: multiple hosts on the same network segment experiencing identical HTTP-triggered kernel crashes within a short time window

Broader Significance

CVE-2022-21907 is one of the rare wormable kernel vulnerabilities in modern Windows. The combination of remote reachability (any http.sys-backed service), no authentication requirement, and kernel-mode execution makes it a potential mass-exploitation vector. While no confirmed in-the-wild exploitation was observed, the wormable classification prompted emergency patching across enterprise environments. For researchers, this CVE demonstrates that uninitialized memory in network-facing kernel code remains one of the most dangerous vulnerability classes, since the attacker can influence the stale data through pool grooming without any local access.