Microsoft shipped its June 2026 Patch Tuesday updates on 9 June, and the volume alone is a signal: this is among the heaviest single-month releases the company has ever published. The exact tally varies by tracker — Tenable reported 198 CVEs while the Zero Day Initiative and several outlets counted 206 to 208 — so it is fair to say more than 200 vulnerabilities were addressed across Windows, Exchange, the kernel and supporting components. Buried in it is one flaw that deserves to jump every other item on your patch queue.
That flaw is CVE-2026-45657, a Windows Kernel remote code execution bug with the combination that keeps incident responders awake: high severity, no authentication, no clicks, and self-spreading potential. Here is what it is, why “wormable plus unauthenticated” is the dangerous phrase, what else in this cycle matters, and a prioritised action list for Indian IT and security teams.
What CVE-2026-45657 actually is
Microsoft’s advisory describes CVE-2026-45657 as a Windows Kernel remote code execution vulnerability. Write-ups from the Zero Day Initiative and others characterise it as a use-after-free condition in the kernel’s handling of network traffic, reached by sending specially crafted packets to a vulnerable host. It carries a CVSS base score of 9.8, and the published CVSS vector confirms the three properties that matter most: attack vector is network, privileges required is none, and user interaction is none.
Put plainly: an attacker who can send packets to the affected service can run code at SYSTEM level without any credentials and without tricking a user into clicking anything. Microsoft confirmed it affects a broad range of current platforms, reportedly including Windows 11 (23H2 through 26H1, x64 and ARM64) and Windows Server 2022 and 2025, including Server Core installations.
Why “wormable + unauthenticated” is the phrase to worry about
“Wormable” means a successful exploit can be packaged to spread on its own — a compromised host scans for other reachable vulnerable hosts and infects them automatically, with no operator and no phishing email in the loop. Combine that with “unauthenticated” and “no user interaction” and you have the exact profile that made EternalBlue the engine behind WannaCry and NotPetya in 2017. One exposed, unpatched machine becomes a foothold; from there the spread is mechanical.
One nuance, stated honestly: Microsoft rated CVE-2026-45657 as “Exploitation Less Likely” at release, and as of publication there is no public report of it being exploited in the wild. That is good news, not a reason to relax. As ZDI noted, a flaw this attractive is reverse-engineered by researchers and adversaries the moment the patch ships — the patch itself is a roadmap to the bug. The window between “patch released” and “working exploit” for a 9.8 wormable kernel bug is historically short. Treat the rating as breathing room to deploy, not permission to wait.
The rest of this Patch Tuesday: scope and the bugs already being used
Beyond the headline, the breakdown reported by Tenable and BleepingComputer is sobering. Of the fixes, roughly 33 were rated Critical, with around 28 of those being remote code execution flaws; across all severities, BleepingComputer tallied about 55 RCE bugs and 65 elevation-of-privilege bugs.
Microsoft and ZDI also flagged multiple zero-days this month — reports range from three to six, with several publicly disclosed before patches existed. The one that should change your sequencing is CVE-2026-41091, a Microsoft Defender elevation-of-privilege flaw (CVSS 7.8) that ZDI and Tenable both note is actively exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. An EoP bug is not a front-door breach on its own, but attackers chain them: a payload gets initial code execution, then a Defender EoP escalates it to SYSTEM. That is a live attack chain, not a hypothetical.
| CVE | Component | Severity / CVSS | Exploited? |
|---|---|---|---|
| CVE-2026-45657 | Windows Kernel (RCE) | Critical / 9.8 | Not yet observed; wormable, unauthenticated |
| CVE-2026-41091 | Microsoft Defender (EoP) | Important / 7.8 | Yes — actively exploited, in CISA KEV |
| CVE-2026-47291 | Windows HTTP.sys (RCE) | Critical / 9.8 | Not reported |
| CVE-2026-44815 | Windows DHCP Client (RCE) | Critical / 9.8 | Not reported |
| CVE-2026-42904 | Windows TCP/IP (RCE) | Critical / 9.6 | Not reported |
| CVE-2026-49160 | HTTP.sys (DoS, “HTTP/2 Bomb”) | Important / 7.5 | Publicly disclosed zero-day |
| CVE-2026-50507 | BitLocker bypass | Important / 6.8 | Publicly disclosed (physical access) |
The clustering of CVSS 9.8 RCEs in network-facing services — Kernel, HTTP.sys, DHCP, TCP/IP — is the real story of this month. These are the components that parse untrusted packets, which is precisely where an unauthenticated remote attacker wants to be.
Who is at risk in India
If you run any Windows workload reachable from the internet or an untrusted segment, you are in scope. The highest-risk profiles: internet-exposed Windows Server (RDP gateways, IIS/HTTP.sys web servers, VPN concentrators, anything with a public IP); flat internal networks where one compromised laptop can reach domain controllers and file servers, which is exactly where wormable bugs thrive; unmanaged or legacy fleets such as OT-adjacent hosts, kiosks and branch machines that miss patch cycles; and core network services, since the DHCP Client and Server RCEs (CVE-2026-44815, CVE-2026-45602) put DHCP itself in the blast radius.
Prioritised patch action list
- Inventory first. You cannot patch what you cannot see. Confirm which hosts run affected Windows 11 and Server 2022/2025 builds, and flag every internet-facing or DMZ asset.
- Prioritise internet-exposed hosts. Any Windows system reachable from outside or from an untrusted network gets CVE-2026-45657 and the other 9.8 RCEs (HTTP.sys, DHCP, TCP/IP) first — ideally within 48–72 hours.
- Deploy CVE-2026-41091 alongside it. It is the one already being exploited; an unpatched Defender EoP is the escalation step in live chains. Do not deprioritise it because it is “only” Important.
- Test, then ring out. Validate the June cumulative update on a pilot ring, then push to production in waves. Skipping testing on a bundle this size invites operational breakage.
- Compensating controls if you cannot patch immediately. Restrict inbound access to RDP/SMB/HTTP/DHCP at host and network firewalls; put exposed services behind a VPN or zero-trust gateway; segment so a single compromise cannot fan out; and raise EDR sensitivity on affected segments. These reduce blast radius — they do not remove the bug.
- Verify after deployment. Confirm the patch level on every targeted host and watch for failed updates. A reported patch is not an applied patch.
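One way to turn the list above into a per-host check, as an added example that is not code from the original post or from RingSafe: it classifies a Windows host by affected platform, June update status and exposed listening services, and emits a patch priority. It assumes a placeholder KB id for the June cumulative update (substitute the real one for each build) and an -InternetFacing switch fed from your asset inventory.

```powershell
# Added example, not code from the original post or from RingSafe.
# Assumptions: $JuneCuKb is a placeholder for the June 2026 cumulative update
# KB id for this host's build; -InternetFacing comes from your asset inventory.
param([switch]$InternetFacing)

$JuneCuKb   = 'KB0000000'               # placeholder: replace with the real June 2026 CU id
$ExposedTcp = @(80, 443, 445, 3389)     # HTTP.sys / SMB / RDP, the services the post names
$ExposedUdp = @(67, 68)                 # DHCP server / DHCP client

function Get-PatchPriority {
    param([switch]$InternetFacing)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Platforms the post lists as affected: Windows 11 and Server 2022 / 2025
    $affected = $os.Caption -match 'Windows 11|Server 2022|Server 2025'
    # "A reported patch is not an applied patch": ask the host itself
    $patched  = [bool](Get-HotFix -Id $JuneCuKb -ErrorAction SilentlyContinue)
    # Listening sockets for the packet-parsing services this month's 9.8 RCEs sit in
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -in $ExposedTcp } |
           Select-Object -ExpandProperty LocalPort
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $_.LocalPort -in $ExposedUdp } |
           Select-Object -ExpandProperty LocalPort
    $listening = @(@($tcp) + @($udp) | Sort-Object -Unique)

    # Sequence by exposure, not CVSS alone
    $priority = if (-not $affected) { 'Out of scope' }
                elseif ($patched)   { 'Verified: June CU applied' }
                elseif ($InternetFacing -and $listening) { 'P1: patch within 48-72h' }
                elseif ($listening) { 'P2: internal reachable service; restrict inbound until patched' }
                else                { 'P3: ring out with the June CU' }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = $os.BuildNumber
        Affected       = $affected
        JuneCuApplied  = $patched
        ListeningPorts = ($listening -join ',')
        Priority       = $priority
    }
}

Get-PatchPriority -InternetFacing:$InternetFacing
```

Run it fleet-wide with Invoke-Command -FilePath against your host list (passing the switch via -ArgumentList for DMZ assets) and sort the resulting objects by Priority to get the patch queue in the order the list above prescribes.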
If exploitation leads to an incident: the CERT-In clock
For Indian organisations, a successful exploit is not just a technical problem — it triggers a reporting obligation. Under CERT-In’s April 2022 Directions, organisations must report covered cyber incidents within 6 hours of noticing them or being made aware. A wormable kernel RCE that leads to mass compromise is squarely the kind of incident that clock is written for. Make sure CERT-In notification is already baked into your incident-response runbook — our CERT-In Directions guide walks through what to report and how. The time to read it is before the alert, not during.
How RingSafe helps
Patch Tuesday is monthly; the window between release and exploitation is where organisations get hurt. RingSafe helps Indian teams close it: managed patching and asset inventory so internet-facing Windows hosts are found and remediated on a tight SLA; VAPT services to confirm whether exposed services are actually reachable and exploitable from outside; and continuous monitoring so an in-progress compromise is caught early. If you are weighing how to staff detection and response, our breakdown of MDR vs SOC vs SIEM for Indian SMBs is a practical starting point.
Frequently Asked Questions
Is CVE-2026-45657 being exploited in the wild right now?
As of publication there is no public report of active exploitation, and Microsoft rated it “Exploitation Less Likely.” That is not a reason to delay. A wormable, unauthenticated CVSS 9.8 kernel RCE is a high-value target, and researchers begin reverse-engineering the patch the moment it ships. The safe assumption is that the exploitation window is short — patch internet-facing hosts now.
How many CVEs did Microsoft fix in June 2026?
More than 200, making it one of the largest Patch Tuesday releases on record. Counts vary by tracker — Tenable reported 198 while the Zero Day Initiative and several outlets counted 206 to 208 — because they differ on how republished and third-party entries are tallied. Roughly 33 were Critical, the majority of those being remote code execution.
We cannot patch every server this week — what do we do first?
Sequence by exposure, not CVSS alone. Patch internet-facing and DMZ Windows hosts against the CVSS 9.8 RCEs (Kernel, HTTP.sys, DHCP, TCP/IP) first, and deploy the actively exploited Defender EoP (CVE-2026-41091) in the same wave. For the rest, restrict inbound access, segment, and raise EDR monitoring until the update lands.
The full advisory for CVE-2026-45657 is on Microsoft’s Security Update Guide. To find which of your Windows systems are exposed and get them patched before an exploit lands, talk to RingSafe — we will help you scope the risk and close the window fast.