CVE-2022-21907: what protections with Stormshield solutions?

The year starts strong with a critical vulnerability rated 9.8 (CVSS 3.1) discovered on Microsoft Windows 11 and Server 2022 systems as well as Windows Server 2019 and Windows 10 version 1809 (and later in some configurations). Here's an update on a critical vulnerability, with the Stormshield Customer Security Lab team.


Context of the attack

This vulnerability concerns the HTTP stack (http.sys) used in listening to process HTTP requests on IIS (Internet Information Services) servers. It is patched on the last “Patch Tuesday” of January 2022. In practice, sending a specifically crafted packet allows remote code execution (RCE) by unauthenticated users. The level of complexity is low and requires little or no user interaction.

There does not seem to be a Proof Of Concept available in the wild, and this vulnerability is, for the moment, not widely exploited.


Technical details of the attack

Technical details are currently under Microsoft embargo, we will provide an update when we are cleared to do so.

Windows 11 and server 2022 are vulnerable by default. This vulnerability is also present on Windows 10 v1809 and Server 2019 systems with "HTTP Trailer Support" enabled. This can be checked, and disabled, via the following registry key:


Set to 0, this function is disabled and the vulnerability is no longer exploitable.


Means of protection provided by Stormshield

The vulnerability is covered by the Stormshield Network Security product (SNS). The SES solution is not suitable to protect against the exploitation of this vulnerability.

Stormshield Network Security

The following existing protections built into the static "http" plugin covers the vulnerability:

  • http:53 Invalid HTTP Protocol,
  • http:55 Possible buffer overflow in HTTP request/reply


In order to be effective, it is necessary to keep the "Other fields" value of the "maximum size of http header" menu below 1900 bytes (by default set to 1024):

Fig. 1: configuration Other Fields SNS

In the case of an attack on a web server, the protection will be applied to the HTTP flow. For the HTTPS flow, an SSL decryption solution should be positioned before the IPS analysis performed by the SNS.

Confidence index of the protection

Confidence index of no false positives


Stormshield Endpoint Security

SES does not cover against exploitation of this vulnerability.



  • Update your Windows 11 et Server 2022 systems with January “patch Tuesday”
  • On Windows Server 2019, Windows 10 version 1809 and above, change this registry key value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"  to 0.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.
About the author
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.