Microsoft Patch Tuesday June 2026: Record 208 CVEs, Wormable Kernel Flaw Demands Patching

Two CVEs exploited in the wild; a new Windows Defender zero-day proof-of-concept dropped the same day


Microsoft released security fixes for more than 200 vulnerabilities on June 9, 2026, the largest single Patch Tuesday since the program began in 2003, while a security researcher simultaneously published working exploit code for a newly discovered Windows Defender flaw, leaving enterprise security teams facing one of the most demanding patch days on record. The release, which Trend Micro Zero Day Initiative researcher Dustin Childs counted at 208 CVEs, includes a wormable kernel vulnerability rated CVSS 9.8 that requires neither credentials nor user interaction to exploit, a combination that has set off alarm bells across the security industry.

The headline threat this cycle is CVE-2026-45657, a use-after-free flaw in the Windows Kernel rooted in how the operating system processes TCP/IP traffic. A use-after-free occurs when code keeps a reference to memory that has already been freed and returned to the allocator; if an attacker can control what the allocator places in that reclaimed region before the stale reference is used, the attacker can redirect execution to code of their choosing. Because this flaw sits inside the kernel's TCP/IP stack, the layer that parses network packets before any user-space security control sees them, an unauthenticated attacker on the internet can send specially crafted packets to a vulnerable machine and achieve SYSTEM-level code execution with no user involvement. Microsoft itself classified the flaw as wormable under certain network configurations, meaning a successful exploit could propagate to additional vulnerable machines without human assistance. Childs was blunt in his assessment: "Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Test and deploy this patch quickly."

That warning carries historical weight. In May 2017, a wormable Windows flaw called EternalBlue allowed the WannaCry ransomware to spread to more than 200,000 systems across 150 countries — even though Microsoft had issued a patch two months earlier. Organizations that delayed deploying that patch paid the price. The window between CVE-2026-45657's patch release and a reliable public exploit may be measured in days rather than weeks, according to multiple security researchers.

The same day Patch Tuesday dropped, "Nightmare Eclipse" — a researcher with a documented history of escalating Windows exploit releases going back to April 2026 — published proof-of-concept code for "RoguePlanet," a new Windows Defender zero-day that abuses a race condition to spawn a command shell running with SYSTEM-level privileges. Multiple independent researchers confirmed the proof of concept achieves local privilege escalation. Nightmare Eclipse noted that a prior Microsoft Defender patch from May appeared to have prevented remote code execution; the attack is presently limited to local escalation but remains unpatched as of publication.

Wormable Kernel Flaw in TCP/IP Stack: Patch Before an Exploit Drops

CVE-2026-45657 affects Windows 11 versions 23H2 through 26H1 on both x64 and ARM64, as well as Windows Server 2022 and Server 2025 including Server Core installations. Microsoft's CVSS vector confirms Attack Vector: Network, Privileges Required: None, and User Interaction: None, the three metrics that, in combination, make a vulnerability wormable. The base score of 9.8 reflects the maximum blast radius; the lower temporal score of 8.5 reflects only that working exploit code has not yet been confirmed. ZDI researchers warned that mass exploitation becomes realistic the moment a reliable exploit surfaces publicly, and historically that window has been measured in days once the patched binaries can be diffed against the unpatched ones.

Three Publicly Disclosed Zero-Days Already in Researchers' Hands

Beyond the wormable kernel bug, three vulnerabilities patched this cycle were publicly disclosed before fixes arrived, meaning threat actors had time to study them before a patch was available.

CVE-2026-49160 — HTTP.sys Denial of Service. This flaw in HTTP.sys, the Windows kernel-mode driver that handles HTTP and HTTPS traffic for Internet Information Services and other components, is tied to the "HTTP/2 Bomb" attack technique. A researcher testing it against an IIS server reported that the attack exhausted 64 gigabytes of RAM in roughly 45 seconds. Notably, the flaw was identified and submitted by OpenAI's Codex, one of the first publicly attributed AI-submitted CVEs in a major Patch Tuesday cycle. Microsoft's bulletin documents a new MaxHeadersCount registry setting as an interim mitigation that caps the number of HTTP/2 and HTTP/3 headers HTTP.sys will process per request. Only systems where the MaxRequestBytes registry value has been changed from its default are affected, and the bulletin includes a PowerShell script that applies the registry setting.
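The check-and-apply logic behind that caveat, as an added PowerShell example that is not the script from Microsoft's bulletin: it reads the HTTP.sys tunables, treats the host as affected only if MaxRequestBytes has been changed from its default, and sets the header cap where needed. The registry path and the 16384-byte MaxRequestBytes default are documented HTTP.sys behaviour; the REG_DWORD type of MaxHeadersCount and the cap of 100 used here are assumptions to be replaced with the figures in the bulletin. The same MaxRequestBytes caveat applies to CVE-2026-47291 below, so the same check serves both.

```powershell
# Added example, not Microsoft's bulletin script. Run elevated.
# Documented: HTTP.sys reads its limits from this key, MaxRequestBytes defaults to
# 16384 bytes when the value is absent, and changes apply only after the HTTP
# service restarts.
# Assumed: MaxHeadersCount is a REG_DWORD under the same key and 100 is an adequate
# cap; use the name, type and value given in the bulletin for CVE-2026-49160.
$HttpParams             = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$DefaultMaxRequestBytes = 16384
$AssumedHeaderCap       = 100

function Get-HttpSysLimits {
    # Returns the effective MaxRequestBytes, whether it differs from the default,
    # and the current MaxHeadersCount ($null when the mitigation has not been applied).
    $p   = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    $mrb = if ($null -ne $p.MaxRequestBytes) { [int]$p.MaxRequestBytes } else { $DefaultMaxRequestBytes }
    [pscustomobject]@{
        MaxRequestBytes        = $mrb
        MaxRequestBytesChanged = ($mrb -ne $DefaultMaxRequestBytes)
        MaxHeadersCount        = $p.MaxHeadersCount
    }
}

function Set-HttpSysHeaderCap {
    param([int]$Cap = $AssumedHeaderCap, [switch]$RestartHttp)
    if (-not (Test-Path $HttpParams)) { New-Item -Path $HttpParams -Force | Out-Null }
    New-ItemProperty -Path $HttpParams -Name 'MaxHeadersCount' -PropertyType DWord -Value $Cap -Force | Out-Null
    if ($RestartHttp) {
        # HTTP.sys is a kernel driver; net stop/start is the documented way to bounce it.
        # Stopping it also stops dependents such as W3SVC (IIS), which must be restarted.
        $w3svcWasRunning = (Get-Service -Name W3SVC -ErrorAction SilentlyContinue).Status -eq 'Running'
        net stop http /y | Out-Null
        net start http   | Out-Null
        if ($w3svcWasRunning) { Start-Service -Name W3SVC }
    }
}

$limits = Get-HttpSysLimits
if (-not $limits.MaxRequestBytesChanged) {
    "MaxRequestBytes is at its default ($DefaultMaxRequestBytes); per the bulletin this host is not affected. Patch on the normal schedule."
} elseif ($null -eq $limits.MaxHeadersCount) {
    "MaxRequestBytes was changed to $($limits.MaxRequestBytes) and no header cap is set: applying the interim mitigation."
    Set-HttpSysHeaderCap -Cap $AssumedHeaderCap -RestartHttp
} else {
    "Header cap already present (MaxHeadersCount = $($limits.MaxHeadersCount)); still apply the June update."
}
```

The restart branch is the part to think about before running fleet-wide: bouncing HTTP.sys drops every in-flight request on the host, so on load-balanced IIS farms drain a node first, and treat the registry cap as a stopgap rather than a substitute for the patch.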

CVE-2026-50507 — BitLocker Security Feature Bypass ("YellowKey"). This vulnerability requires physical access to the target device but lets an attacker bypass BitLocker full-disk encryption and read the data on an encrypted drive. ZDI and multiple researchers identify it as the patch for the "YellowKey" vulnerability disclosed by Nightmare Eclipse. For enterprises that rely on BitLocker to protect data on lost or stolen laptops, which is the assumption behind nearly every endpoint security policy, this patch must be in place before any device leaves a controlled environment.

CVE-2026-45586 — Windows CTFMON Privilege Escalation ("GreenPlasma"). A flaw in the Windows Collaborative Translation Framework (the ctfmon.exe component) allows an authenticated local attacker to escalate privileges to SYSTEM. Microsoft assessed exploitation as "More Likely," and this vulnerability is widely believed to be the one Nightmare Eclipse previously weaponized as "GreenPlasma." It is distinct from the separately disclosed RoguePlanet proof of concept, which targets Windows Defender and remains unpatched as of publication.

Two CVEs Confirmed Exploited: Defender and Exchange Need Immediate Action

Two vulnerabilities in this cycle are confirmed to have been exploited in the wild before June 9.

CVE-2026-41091 — Microsoft Defender Elevation of Privilege. Microsoft patched this out-of-band on May 19, 2026, but the formal June Patch Tuesday update includes its official distribution. Multiple independent parties acknowledged active exploitation, which ZDI notes indicates likely significant scope. The good news: Defender updates itself automatically for most users. Organizations running Defender in isolated environments or with automatic updates disabled must apply the update manually.

CVE-2026-42897 — Microsoft Exchange Server (Actively Exploited). This cross-site scripting flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition was confirmed under active exploitation on May 14, and CISA added it to the Known Exploited Vulnerabilities catalog the following day. An attacker who sends a crafted email to a recipient who opens it in OWA can execute arbitrary JavaScript inside the authenticated browser session, enabling session token theft and mailbox impersonation without touching the server itself. June 9 Patch Tuesday provides the first permanent fix.

Other Critical Vulnerabilities Requiring Prioritized Response

The 208-CVE payload includes 38 flaws rated Critical. Several beyond the headline threats warrant fast treatment.

CVE-2026-44815 — DHCP Client Remote Code Execution (CVSS 9.8). A stack-based buffer overflow in the Windows DHCP Client Service allows unauthenticated remote code execution without user interaction — though researchers note that Microsoft's write-up contains a contradiction, stating the flaw requires an authenticated user while the CVSS score indicates no authentication. ZDI recommends trusting the CVSS score and patching accordingly. Alex Vovk, CEO of Action1, described the risk plainly: "This flaw needs no credentials or user action and can turn network traffic into a full system compromise." The DHCP client runs on virtually every Windows machine, making the attack surface as broad as the installed base.

CVE-2026-47291 — HTTP.sys Remote Code Execution (CVSS 9.8). A second HTTP.sys entry this month, this one enabling full remote code execution rather than denial of service. The same MaxRequestBytes registry caveat applies: systems using the default value are not affected. ZDI also flagged this for fast deployment.

Remote Desktop Client Cluster (multiple CVEs, CVSS 8.8). A collection of heap overflow vulnerabilities, several tagged "Exploitation More Likely" by Microsoft, are triggered when a user connects to a malicious RDP server; here the server attacks the connecting client. Multiple CVEs in this cluster, including CVE-2026-42985 and CVE-2026-47289, are rated Critical. Remote workers and administrators who routinely connect to many hosts over RDP should treat their workstations as a priority.

Windows Deployment Services, Hyper-V, Kerberos, Active Directory. A use-after-free in Windows Deployment Services, the server-side OS installation role (reachable via malicious TFTP traffic), three Critical Hyper-V remote code execution flaws capable of guest-to-host escape, an Active Directory Domain Services flaw (CVE-2026-45648), and a Kerberos KDC vulnerability (CVE-2026-47288) round out the most serious server-side entries.

Eight-CVE Microsoft Office Cluster. Critical remote code execution vulnerabilities in Word and Outlook are included in this release and should be patched on any endpoint that opens email attachments or Office files.

AI Is Both the Source and the Solution — and the Problem May Get Worse

The record-setting patch volume is not coincidental, and this month's release may not be the ceiling. Satnam Narang, senior staff research engineer at Tenable, identified the structural driver: Microsoft's own engineers and the wider security community are increasingly using AI to find vulnerabilities, and the rate is accelerating. "Pandora's proverbial box has been opened," Narang said, "and as more advanced AI models become available, we expect the norm to continue upward across the board."

The evidence is now traceable to specific CVEs. CVE-2026-49160, the HTTP/2 Bomb denial-of-service flaw in this cycle, was identified and submitted by OpenAI's Codex, one of the first named AI-system attributions in a major Patch Tuesday cycle. Microsoft announced its MDASH (Multi-Model Agentic Scanning Harness) system at Microsoft Build 2026 on June 2, a pipeline of more than 100 specialized AI agents that identified 16 vulnerabilities in the May Patch Tuesday release alone across Windows networking and authentication components.

The downstream pressure is expected to intensify. AI-assisted discovery tools, from Microsoft's own internal systems to external models, are producing CVE volumes that were previously impossible at human research speed. Anthropic's Project Glasswing has reportedly identified thousands of zero-day vulnerabilities across major operating systems, with more than 99 percent of those findings still under coordinated disclosure; the first 90-day disclosure deadlines fall in early July 2026. Security industry analysts expect the July Patch Tuesday to be comparable in scale to June's. CrowdStrike's 2026 Global Threat Report documented a 42 percent year-over-year increase in zero-days exploited prior to public disclosure, reflecting a threat ecosystem accelerating in parallel with discovery tooling on both sides.

For security teams, this is the operational reality of AI-speed vulnerability discovery colliding with a patch cadence designed in 2003 for human-speed research. The question is not whether to patch more aggressively than last year — it is whether the current monthly model can survive contact with an AI-powered disclosure wave that is only beginning.

Secure Boot Deadline Arrives in 17 Days

Seventeen days from now, on June 26, 2026, Microsoft's mandatory Secure Boot certificate rotation deadline arrives, and this is the last regular Patch Tuesday before it. Organizations that have not completed the Windows UEFI CA 2023 certificate rotation on all devices face a hard cutoff that could result in boot-level security failures. The June 2026 release includes ten Secure Boot patches, several carrying a CVSS Scope: Changed metric, meaning a successful exploit reaches beyond the vulnerable component into pre-OS execution and Virtual Secure Mode.

Patch Prioritization for Security Teams

Given the threat landscape this cycle, ZDI and multiple independent researchers align on the following prioritization:

Patch CVE-2026-45657 (Windows Kernel, wormable CVSS 9.8) immediately across all supported Windows 11 and Windows Server versions. Every hour of delay is an hour in which an attacker may complete exploit development.

Apply the HTTP.sys registry mitigation for CVE-2026-49160 now if patching cannot begin today, then patch CVE-2026-47291 (HTTP.sys RCE) on any server fronting HTTP traffic.

Patch CVE-2026-44815 (DHCP Client RCE, CVSS 9.8) across the full endpoint fleet.

Patch CVE-2026-50507 (BitLocker bypass, "YellowKey") before any device leaves physical control.

Patch the Remote Desktop Client cluster on workstations used for RDP administration; remind users not to connect to untrusted servers.

Apply the Exchange Server fix for CVE-2026-42897 immediately — this flaw has been actively exploited for weeks and a permanent patch is now available for the first time.

Patch Hyper-V hosts and Active Directory / Kerberos infrastructure to contain potential lateral movement in virtualized environments.

Confirm that CVE-2026-41091 (Defender EoP) has been applied in any isolated or update-disabled environment where automatic updates may not have run.

Verify Secure Boot certificate rotation on all devices before June 26.

Microsoft's Security Update Guide is the authoritative source for full patch details and affected version lists.
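Two items in that list, the Defender check and the Secure Boot certificate check, are verification steps rather than KB installs, and both can be done from PowerShell. The following is an added example, not Microsoft's tooling: it confirms whether the Windows UEFI CA 2023 certificate is already present in this machine's Secure Boot signature database (db), using the same ASCII string match that Microsoft's rotation guidance describes, and reports the Defender platform and engine versions for hosts where automatic updates may not have run. Confirm-SecureBootUEFI, Get-SecureBootUEFI and Get-MpComputerStatus are built-in cmdlets; the MinimumPlatform version floor is a placeholder to be taken from the CVE-2026-41091 advisory, and the UEFICA2023Status servicing value is an assumed registry marker read only if present.

```powershell
# Added example, not Microsoft's code. Run elevated on a UEFI machine.
# Secure Boot cmdlets come from the built-in SecureBoot module, Defender status
# from the Defender module.

function Test-SecureBoot2023CA {
    # True when 'Windows UEFI CA 2023' is present in the db signature database.
    # Microsoft's rotation guidance uses this same ASCII string match.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled; the certificate rotation cannot have applied.'
    }
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    return [bool]($text -match 'Windows UEFI CA 2023')
}

function Get-SecureBootServicingStatus {
    # Assumption: Microsoft's servicing status marker, read only if this build writes one.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UEFICA2023Status
}

function Test-DefenderPlatform {
    # $MinimumPlatform is a placeholder floor; take the real post-fix version
    # from the CVE-2026-41091 advisory.
    param([Parameter(Mandatory)][version]$MinimumPlatform)
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        PlatformVersion   = $s.AMProductVersion
        EngineVersion     = $s.AMEngineVersion
        SignaturesUpdated = $s.AntivirusSignatureLastUpdated
        PlatformCurrent   = ([version]$s.AMProductVersion -ge $MinimumPlatform)
        ServiceEnabled    = $s.AMServiceEnabled
    }
}

$report = [ordered]@{
    Hostname            = $env:COMPUTERNAME
    SecureBoot2023CA    = Test-SecureBoot2023CA
    SecureBootServicing = Get-SecureBootServicingStatus          # $null if absent
    Defender            = Test-DefenderPlatform -MinimumPlatform '4.18.0.0'   # placeholder
}
[pscustomobject]$report | Format-List

if (-not $report.SecureBoot2023CA) {
    Write-Warning 'Windows UEFI CA 2023 is not in db: this device is not ready for the June 26 cutoff.'
}
if (-not $report.Defender.PlatformCurrent) {
    Write-Warning 'Defender platform is below the expected floor: apply the CVE-2026-41091 update manually.'
}
```

Run it through your existing remote-execution channel and collect the objects rather than the text; the two warnings are the rows to chase before June 26. A machine where Confirm-SecureBootUEFI throws is a legacy-BIOS or unsupported host and needs a separate decision, not a retry.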


Frequently Asked Questions

How many CVEs did Microsoft patch in June 2026 Patch Tuesday?

Microsoft's June 2026 Patch Tuesday addressed more than 200 CVEs depending on counting methodology — Trend Micro's Zero Day Initiative counted 208, while Tenable counted 198 after excluding six vulnerabilities already resolved through servicing and two disclosed by other authorities. Including Chromium and third-party components bundled in Microsoft products, the total CVE count for the month reaches 571. All sources agree it is the largest single Patch Tuesday since the program's founding in 2003.

Is CVE-2026-45657 wormable and how dangerous is it?

CVE-2026-45657 is a CVSS 9.8 use-after-free vulnerability in the Windows Kernel TCP/IP stack that Microsoft classifies as wormable under certain network configurations, meaning a successful exploit could self-propagate to other unpatched machines without user interaction. An unauthenticated attacker on the internet can send specially crafted network packets to a vulnerable system and achieve SYSTEM-level code execution. No confirmed public exploit exists as of June 10, 2026, but security researchers worldwide are already reverse-engineering the patch to build one. ZDI's Dustin Childs warned that mass exploitation could follow the moment a reliable exploit surfaces.

What should I patch first from the June 2026 Patch Tuesday?

Start with the Windows Kernel (CVE-2026-45657, wormable CVSS 9.8), then the HTTP.sys RCE and denial-of-service pair (CVE-2026-47291 and CVE-2026-49160), then the DHCP Client RCE (CVE-2026-44815) on all endpoints. Patch Exchange Server (CVE-2026-42897) if it has not already been mitigated, and patch BitLocker-protected devices (CVE-2026-50507) before any device leaves physical control. Verify that the Defender EoP update (CVE-2026-41091) has applied automatically or apply it manually in isolated environments.

Why is Microsoft patching so many vulnerabilities every month in 2026?

AI-assisted vulnerability discovery tools — including Microsoft's own multi-model scanning system, third-party AI tools, and external AI models — are finding software flaws at a rate far exceeding historical human-researcher throughput. Microsoft's May 2026 Patch Tuesday addressed 138 vulnerabilities, and the June count broke the all-time record. Tenable's Satnam Narang noted that Microsoft's 2026 CVE total through mid-year already exceeds the entire 2018 annual count. Anthropic's Project Glasswing has reportedly identified thousands of additional zero-days across major operating systems, with coordinated disclosures expected to begin in July 2026.

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
