Microsoft Patches 206 Flaws Including Wormable Kernel RCE
Microsoft's record-breaking June 2026 Patch Tuesday fixes 206 vulnerabilities including CVE-2026-45657, a CVSS 9.8 wormable kernel flaw allowing remote code execution without authentication.
Microsoft dropped its largest Patch Tuesday release ever yesterday, addressing 206 security vulnerabilities across Windows, Office, Azure, and related products. The June 2026 update shatters the previous record of 167 CVEs and includes three actively exploited or publicly disclosed zero-days that demand immediate attention.
The headline flaw is CVE-2026-45657, a use-after-free vulnerability in the Windows Kernel that carries the maximum practical severity. With a CVSS score of 9.8, this bug permits remote, unauthenticated attackers to execute code at SYSTEM level without any user interaction. The underlying issue stems from improper TCP/IP kernel handling, and security researchers are already warning the flaw is potentially wormable across enterprise networks.
What Makes This Patch Critical
CVE-2026-45657 affects a broad swath of supported Microsoft platforms: Windows 11 versions 23H2 through 26H1 across both x64 and ARM64 architectures, plus Windows Server 2022 and Windows Server 2025 including Server Core installations. An attacker could trigger the vulnerability by sending specially crafted network traffic to vulnerable systems.
Microsoft tagged CVE-2026-45657 as "Exploitation Less Likely" in its official advisory, but this assessment sparked immediate skepticism. As the Zero Day Initiative noted in their June 2026 Security Update Review, "every researcher and bug shop on the planet is reversing this patch right now." Given the network-based attack vector and lack of authentication requirements, exploit development timelines could be measured in days rather than weeks.
This represents a significant escalation from the BitLocker bypass vulnerabilities we covered in May, which required local access. A wormable kernel RCE is a different class of threat entirely.
Additional Critical Vulnerabilities
Beyond the kernel flaw, several other critical-severity issues warrant immediate patching:
CVE-2026-47291 (HTTP.sys RCE) - Another CVSS 9.8 vulnerability affecting the Windows HTTP stack. Remote, unauthenticated attackers can execute code on systems where the default MaxRequestBytes registry value has been modified. Organizations running custom HTTP.sys configurations should prioritize this patch.
CVE-2026-44815 (DHCP Client RCE) - A CVSS 9.8 flaw in the DHCP Client Service that affects all Windows versions with the ubiquitous DHCP client component. Conflicting documentation from Microsoft suggests unauthenticated exploitation may be possible despite initial claims otherwise.
CVE-2026-45641 (Hyper-V Guest-to-Host) - A critical remote code execution vulnerability enabling guest-to-host escape in Hyper-V environments. Organizations running multi-tenant virtualization infrastructure face particular risk.
Zero-Days Already in Play
Three vulnerabilities were publicly known or under active exploitation at patch release:
- CVE-2026-50507 - A BitLocker security feature bypass related to the "GreenPlasma" attack disclosed last month
- CVE-2026-45585 - Another BitLocker bypass addressing the "YellowKey" technique
- CVE-2026-49160 - A denial-of-service vulnerability in HTTP.sys that was publicly disclosed before patches shipped
The HTTP.sys DoS flaw is particularly concerning because threat actors could weaponize it to disrupt web-facing Windows servers before organizations complete their patch cycles.
Recommended Mitigations
- Prioritize CVE-2026-45657 - The wormable kernel RCE poses the highest risk. Test and deploy this patch within 24-48 hours if possible
- Review Hyper-V deployments - Guest-to-host escapes have historically attracted advanced threat actors
- Audit HTTP.sys configurations - Non-default MaxRequestBytes values increase exposure to CVE-2026-47291
- Monitor network traffic - Watch for unusual TCP/IP patterns that could indicate exploitation attempts
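To turn the "Audit HTTP.sys configurations" item into a repeatable check, the following PowerShell is an added example (not from the article or from Microsoft). It assumes the documented HTTP.sys parameter location HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and its documented 16384-byte default for MaxRequestBytes, and it only looks for KB5094127 on Windows 10 hosts, as the article scopes that KB to Windows 10 ESU.

```powershell
# Added audit script (example, not the article's or Microsoft's code).
# Assumed (per Microsoft HTTP.sys docs): MaxRequestBytes lives under the key below and
# defaults to 16384 bytes when the value is absent. The article states that CVE-2026-47291
# only affects hosts where this default has been modified.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$DefaultMaxRequestBytes = 16384

function Get-HttpSysMaxRequestBytesStatus {
    $item = Get-ItemProperty -Path $ParamsKey -Name 'MaxRequestBytes' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: HTTP.sys uses its built-in default, so the host is on the default setting.
        return [pscustomobject]@{ Present = $false; Value = $DefaultMaxRequestBytes; NonDefault = $false }
    }
    $v = [int]$item.MaxRequestBytes
    [pscustomobject]@{ Present = $true; Value = $v; NonDefault = ($v -ne $DefaultMaxRequestBytes) }
}

function Get-HttpSysExposure {
    $status  = Get-HttpSysMaxRequestBytesStatus
    $svc     = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    # Heuristic: count URLs registered with HTTP.sys (IIS, WinRM, WSUS, etc.) to see
    # whether anything is actually served through the driver on this host.
    $registered = @(netsh http show servicestate | Select-String -Pattern '^\s+HTTPS?://').Count

    # KB5094127 is the Windows 10 ESU package named in the article; other versions get
    # their own June 2026 cumulative update, so only Windows 10 is checked by KB here.
    $osCaption  = (Get-CimInstance Win32_OperatingSystem).Caption
    $esuPatched = $null
    if ($osCaption -like '*Windows 10*') {
        $esuPatched = [bool](Get-HotFix -Id 'KB5094127' -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        OS                   = $osCaption
        MaxRequestBytes      = $status.Value
        MaxRequestBytesSet   = $status.Present
        NonDefault           = $status.NonDefault
        HttpSysRunning       = $running
        RegisteredUrls       = $registered
        Win10EsuKB5094127    = $esuPatched
        # Priority flag: non-default value on a host that is actively serving via HTTP.sys
        PrioritizeCve47291   = ($status.NonDefault -and $running -and $registered -gt 0)
    }
}

Get-HttpSysExposure | Format-List
```

Run it elevated across the fleet (for example via Invoke-Command) and triage hosts with PrioritizeCve47291 set to True first; hosts where MaxRequestBytesSet is False are on the default and, per the advisory wording, outside the stated exposure for CVE-2026-47291 but still need the cumulative update for the other flaws.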
For organizations still running legacy Windows 10 under extended security updates, Microsoft released KB5094127 addressing the same vulnerability set. The CISA Known Exploited Vulnerabilities catalog will likely add several of these flaws in the coming days, triggering mandatory remediation deadlines for federal agencies.
Why This Matters
A wormable kernel vulnerability changes the threat calculus. Unlike the authentication bypass and local privilege escalation flaws that dominated recent months, CVE-2026-45657 could enable self-propagating attacks reminiscent of WannaCry or NotPetya. The lack of required user interaction means compromising a single exposed system could cascade across flat network segments within minutes.
Security teams should treat this Patch Tuesday as a critical event. The combination of a record CVE count, multiple zero-days, and a potentially wormable kernel flaw creates compounding risk. Organizations relying on delayed patching strategies may want to reconsider that approach given what researchers are calling the most severe Windows vulnerability disclosure of 2026.