IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2022-21907 | Auth: none | Reboot: required | Manual only

KB5009557: Windows Server 2019 Security Update (January 2022)

A single crafted HTTP request can give an attacker kernel-level code execution on any Windows Server with HTTP Trailer Support enabled.

Published Jan 11, 2022 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario: if unpatched

An attacker who can reach any HTTP endpoint served by http.sys on a vulnerable host can send a single crafted request and execute code in the kernel — higher than SYSTEM. Microsoft's "wormable" classification means a compromised host can target other vulnerable hosts without human help.

How the attack works

The HTTP Protocol Stack (http.sys) is the kernel-mode driver that handles incoming HTTP requests for IIS, AD FS, WSUS, WinRM, and any other Windows service that uses Windows's built-in HTTP listener. An uninitialized-memory bug in how http.sys handles HTTP Trailers — specifically inside the UlpAllocateFastTracker functions — lets a crafted request execute code in kernel context. HTTP Trailer Support is the default on Windows Server 2022, Windows 11, and Windows 10 21H2+. On older systems it is off by default and only reachable if EnableTrailerSupport is set.

Am I affected? Quick check

Probably yes if any of these apply:

Windows Server 2022 (HTTP Trailer Support on by default)
Windows Server 2019 and earlier if HTTP Trailer Support was explicitly enabled
IIS, AD FS, WSUS, WinRM and any http.sys-based service

Affected OS versions

Windows Server 2019

Real-world incidents: what we've seen

An internet-facing AD FS server runs on Windows Server 2022 with HTTP Trailer Support on by default. An attacker sends one crafted HTTP request, the kernel runs the attacker's code, and the attacker has kernel-level code on a server that holds the keys to federation for the entire organisation. HTTP.sys wormable RCEs are the modern equivalent of MS17-010 / EternalBlue — a network-edge bug in a service nobody can sensibly block.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5009557

Manual remediation steps

Check whether HTTP Trailer Support is enabled

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -Name EnableTrailerSupport -ErrorAction SilentlyContinue

On Server 2022 / Windows 11 / 10 21H2+ this is on by default and you are exposed. On older Server 2019 builds it is off unless explicitly enabled.

Prerequisites

    Local administrator on the target server
    Maintenance window with reboot capacity
    Current backup or snapshot you can roll back to
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5009557 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5009557
    2. Download the MSU for Windows Server 2019 that matches your architecture (x64).
    3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5009557
[System.Environment]::OSVersion.Version
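
The trailer-support check and the Get-HotFix check from the steps above, combined into one function that can be run before patching and again after the reboot. This is an added example, not a script from this entry; the function name Get-HttpTrailerExposure and its output property names are assumptions, as is treating a registry value of 0 as "off".

```powershell
# Added example: local pre-patch / post-patch check for this entry (Windows Server 2019).
# Function name and output property names are illustrative assumptions.
function Get-HttpTrailerExposure {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB5009557'   # KB covered by this entry
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

    # The value is usually absent on Server 2019, in which case $prop is $null.
    # Assumption: a present value of 0 is treated as "off"; the raw value is reported too.
    $prop = Get-ItemProperty -Path $key -Name EnableTrailerSupport -ErrorAction SilentlyContinue
    $rawValue = if ($null -ne $prop) { $prop.EnableTrailerSupport } else { $null }
    $trailerEnabled = ($null -ne $rawValue) -and ([int]$rawValue -ne 0)

    # Get-HotFix writes an error when the KB is not listed, so suppress it and test for $null.
    # A later cumulative update supersedes this KB, so "not listed" on a server patched
    # after January 2022 does not by itself prove the fix is missing.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $kbListed = $null -ne $hotfix

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $status = if ($kbListed) {
        'KB listed as installed'
    } elseif ($trailerEnabled) {
        'Exposed: trailer support enabled and KB not listed'
    } else {
        'KB not listed; trailer support not enabled, update still required'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OS                   = $os.Caption
        Build                = $os.BuildNumber
        EnableTrailerSupport = $rawValue
        TrailerEnabled       = $trailerEnabled
        KbListed             = $kbListed
        InstalledOn          = if ($kbListed) { $hotfix.InstalledOn } else { $null }
        Status               = $status
    }
}

Get-HttpTrailerExposure | Format-List
```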

Rollback

wusa.exe /uninstall /kb:5009557 /quiet /norestart

Notes

    This entry covers Windows Server 2019 specifically (KB5009557). Other Windows Server versions have their own KB for CVE-2022-21907.
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-21907.

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.