By Microsoft’s June 2026 Patch Tuesday was the largest in the program’s 23-year history — 208 CVEs fixed in a single drop. One flaw stands above the rest: CVE-2026-45657, a use-after-free in the Windows Kernel’s TCP/IP processing code rated CVSS 9.8. No authentication required, no user interaction, network-reachable. Microsoft has explicitly classified it as wormable. Patches are available. Researchers are already reversing them. You have a narrowing window to act.
What the Flaw Actually Does
CVE-2026-45657 is a use-after-free vulnerability — the kernel continues referencing heap memory after it has been freed. An attacker who sends crafted TCP/IP packets to a vulnerable machine can write into that freed memory and achieve SYSTEM-level code execution remotely. No credentials. No click required. The attack works over the network, meaning it can be triggered from the internet against any exposed Windows machine.
The CVSS 9.8 score reflects exactly this: low attack complexity, no privileges needed, no user interaction, network attack vector, complete compromise of confidentiality, integrity, and availability. The only reason it isn’t a perfect 10 is that scope is rated unchanged — but that’s where the wormable classification fills the gap.
Why “Wormable” Is the Word That Should Wake You Up
Microsoft doesn’t use the word “wormable” lightly. The classification means a successful exploit has the technical characteristics to self-propagate across networks — infecting one machine, then using that foothold to reach and infect others, all without human assistance.
If that profile sounds familiar, it should. EternalBlue (CVE-2017-0144) had the same shape: SMBv1, no auth, wormable, CVSS 9.8. Microsoft patched EternalBlue on March 14, 2017. WannaCry weaponized it on May 12, 2017 — 57 days later. The result: 230,000+ machines across 150 countries, damage estimates reaching $4 billion, the NHS brought to its knees, FedEx hobbled for weeks.
In 2026, with AI-assisted patch analysis in every exploit researcher’s toolkit, 57 days is an optimistic estimate. The window between patch release and weaponized exploit is shrinking. The Zero Day Initiative put it plainly in their June 2026 review: “Every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit.”
Who Is Affected
CVE-2026-45657 affects all currently supported Windows desktop and server releases:
- Windows 11 23H2, 24H2, 25H2, and 26H1 (x64 and ARM64)
- Windows Server 2022 (including Server Core)
- Windows Server 2025 (including Server Core)
If your organization runs any of these versions — and nearly all do — you have affected systems. There are no configuration exceptions. If the OS version is listed, it is vulnerable until patched.
Patch It Now: KB Numbers and Steps
The fix ships as part of the June 2026 cumulative updates. Find your KB:
- Windows 11 26H1: KB5095051
- Windows 11 25H2 / 24H2: KB5094126
- Windows 11 23H2: KB5093998
- Windows Server 2025: KB5094125
- Windows Server 2022: KB5094128
For individual machines: Settings → Windows Update → check for updates → install the June 2026 Cumulative Update → reboot.
For enterprise environments: Approve the June 2026 cumulative updates in WSUS or deploy via SCCM/Intune. Prioritize all Windows 11 and Windows Server systems. Don’t wait for your standard maintenance window — create an emergency change. And critically: enforce the reboot. A kernel patch that hasn’t been loaded is not a patch. The old kernel remains in memory until the system restarts, leaving the machine fully vulnerable.
Temporary Measures While You Work Through Deployment
Patching thousands of machines takes time. While you work through the queue:
- Firewall rules: Restrict inbound TCP traffic to internet-facing servers not yet patched
- Network segmentation: Isolate high-value systems from external-facing network segments
- Monitor: Watch for unusual TCP-based lateral movement patterns in your SIEM
These are not replacements for the patch. They reduce exposure while you close the gap. Do not treat network controls as a long-term solution for a CVSS 9.8 wormable kernel flaw.
The “Exploitation Less Likely” Rating Is Not Reassurance
Microsoft’s “Exploitation Less Likely” assessment reflects the technical complexity of weaponizing this flaw at the time of disclosure. It is not a promise about next week. There is no confirmed public exploit today — that is the one piece of good news. But the vulnerability is fully described in the patch diff, every major exploit development shop is working on it, and AI-assisted reverse engineering has fundamentally changed how quickly patches become weapons.
The EternalBlue window was 57 days in 2017 with manual exploit development. Do not assume you have 57 days this time. Apply the June 2026 cumulative update to every affected system, prioritize internet-facing servers and machines with broad network access, reboot everything, and verify patch compliance in your asset management tooling. Do it this week.
