By Microsoft’s June 2026 Patch Tuesday fixed a record 206 vulnerabilities. Most of them can wait. Two cannot. CVE-2026-45657, a use-after-free in the Windows Kernel TCP/IP stack, and CVE-2026-47291, an integer overflow in HTTP.sys, both carry a CVSS of 9.8. Both require no authentication, no user interaction, and are reachable over the network. Microsoft has flagged CVE-2026-45657 as wormable. Security researchers are comparing it to EternalBlue. That is not marketing language — it is a countdown.
CVE-2026-45657: Wormable Kernel RCE
CVE-2026-45657 is a use-after-free vulnerability in the Windows Kernel’s TCP/IP stack. An unauthenticated attacker can send specially crafted network packets to a vulnerable system and achieve code execution at SYSTEM level — the highest privilege on Windows. No credentials, no phishing link, no misconfigured service. Just packets.
The affected systems are Windows 11 versions 23H2 through 26H1 and Windows Server 2022 and 2025, including Server Core installations. Microsoft has already classified this flaw as wormable, meaning a successful exploit can self-propagate across unpatched machines on the same network — the exact behavior that made WannaCry catastrophic in 2017.
The EternalBlue parallel is worth taking seriously. Microsoft patched MS17-010 on March 14, 2017. Shadow Brokers leaked the exploit a month later. WannaCry hit in May. The patch itself starts the clock: once a diff is public, reverse-engineering begins. Dustin Childs at the Zero Day Initiative put it plainly — every researcher and bug shop is already working on this. There is no workaround for CVE-2026-45657. The June 2026 Cumulative Update is the only fix.
CVE-2026-47291: HTTP.sys RCE With a Registry Workaround
CVE-2026-47291 is an integer overflow in HTTP.sys — the kernel-mode driver that powers IIS, Windows Remote Management, and any application using the Windows HTTP Server API. An attacker sends an oversized HTTP request. The overflow triggers, and the result is kernel-level code execution, unauthenticated over the network.
The blast radius is wider than CVE-2026-45657. Affected systems span Windows Server 2012 through 2025, plus Windows 10 versions 1607 and later. If you are touching any of those versions, HTTP.sys is in scope.
There is one important nuance: systems using the default MaxRequestBytes value of 16,384 bytes (16 KB) are not impacted. The vulnerability only triggers when this registry value has been elevated above 65,534 bytes. That sounds narrow until you realize how many teams increase MaxRequestBytes to support large API payloads or file uploads — and then forget about it.
Check Your HTTP.sys Exposure Now
Before you apply the patch, confirm your HTTP.sys configuration. Run this in an elevated PowerShell session on any affected Windows system:
$path = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
$current = Get-ItemProperty -Path $path -Name MaxRequestBytes -ErrorAction SilentlyContinue
if ($current) {
Write-Host "MaxRequestBytes: $($current.MaxRequestBytes)"
if ($current.MaxRequestBytes -gt 65534) {
Write-Host "WARNING: System is vulnerable. Applying mitigation..."
New-ItemProperty -Path $path -Name MaxRequestBytes -PropertyType DWORD -Value 16384 -Force
Write-Host "Mitigation applied. Restart the HTTP service or reboot."
} else {
Write-Host "OK: Value is within safe range."
}
} else {
Write-Host "OK: MaxRequestBytes not set — using default (16384). Safe."
}If the script reports a value above 65,534 and you cannot patch immediately, setting MaxRequestBytes back to 16,384 is the interim mitigation Microsoft recommends. Apply the June 2026 Cumulative Update afterward.
Side-by-Side: What You Are Dealing With
| CVE-2026-45657 | CVE-2026-47291 | |
|---|---|---|
| Component | Windows Kernel (TCP/IP) | HTTP.sys |
| Flaw type | Use-after-free | Integer overflow |
| CVSS | 9.8 | 9.8 |
| Auth required | No | No |
| User interaction | No | No |
| Wormable | Yes (Microsoft confirmed) | Potential |
| Workaround | None — patch only | Registry (MaxRequestBytes) |
| Affected OS | Win 11, Server 2022/2025 | Win 10/11, Server 2012–2025 |
What to Do
Apply the June 2026 Cumulative Update. Do not schedule this for next sprint. Prioritize internet-facing systems first — IIS servers, API gateways, WinRM-enabled endpoints, and self-hosted Windows build agents. CI/CD pipelines using PSRemoting or Ansible over WinRM have HTTP.sys in their path and are in scope for CVE-2026-47291.
For CVE-2026-47291, run the PowerShell check above before patching to identify and close the registry exposure. After patching, verify via Windows Update history that the June 2026 update KB entries are present. Network segmentation limits lateral movement after a breach, but it is not a substitute for the patch.
The window between patch release and weaponized exploit closes faster every year. WannaCry took two months. Modern exploit pipelines move faster. If your Windows Server estate is not patched by end of this week, the risk calculus shifts significantly. Bleeping Computer has the full CVE list if you want to triage your full exposure across all 206 fixes.
