# cve-2022-21907-http.sys by 1vere$k
CVE-2022-21907 - Double Free in http.sys driver.  

## Summary
An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request header triggering a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) to process packets, resulting in a kernel crash.

## Vulnerable systems

Windows Server 2019 and Windows 10 version 1809:
- Not vulnerable by default. Unless you have set the HTTP Trailer Support.
- Windows 10 version 2004 (build 19041.450): **Vulnerable**

## Contact
You are free to contact me via [Keybase]( for any details.