Security Advisory 2023-020

Release Date:

Remote Code Execution vulnerability in Windows HTTP protocol stack



  • 15/03/2023 --- v1.0 -- Initial publication


On March 14, 2023, Microsoft released a security fix for a vulnerability (CVE-2023-23392) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems [1]. This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects this vulnerability likely to be exploited soon.

Technical Details

The vulnerability exists in the HTTP/3 protocol stack of current Microsoft Windows systems. An attacker can exploit this vulnerability if the attacked system fulfils some prerequisites:

  • HTTP/3 needs to be active, and
  • the server uses buffered I/O.

If the system fulfils these prerequisites, an attacker can send a specially crafted packet to the system and trigger the vulnerability.

Affected Products

Microsoft Windows Server 2022, Microsoft Windows 11 (21H2,22H2).


CERT-EU strongly recommends applying the latest patches for Microsoft Windows Server 2022, focusing on Internet-facing systems first. Additionally, CERT-EU recommends applying the latest patches to systems running Microsoft Windows 11.


HTTP/3 support for services is a new feature in recent Windows operating systems. A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled, and the server uses buffered I/O. Therefore, disabling HTTP/3 via a registry key mitigates this vulnerability [2].




We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.