June 2026 Patch Tuesday: Wormable Kernel Bug, Exchange Under Active Attack

Microsoft's June 2026 Patch Tuesday landed on June 9 with fixes for more than 200 vulnerabilities — the largest single-month release in the program's history, eclipsing October 2025's previous record of 167 CVEs. For most businesses, the volume is noise. Three vulnerabilities in this batch are not.

The Wormable Kernel Flaw Drawing Comparisons to EternalBlue

CVE-2026-45657 is a use-after-free bug in the Windows kernel's TCP/IP stack affecting Windows 11 (versions 23H2 through 26H1) and Windows Server 2022 and 2025 on x64 and ARM64. CVSS score: 9.8. An unauthenticated attacker can send crafted network packets and achieve SYSTEM-level code execution with no user interaction required. Microsoft has classified it as wormable — meaning a successful exploit can self-propagate to additional vulnerable machines without any human assistance.

That word carries specific weight. The last widely known wormable Windows kernel TCP/IP flaw was the EternalBlue exploit that WannaCry and NotPetya weaponized in 2017, infecting more than 200,000 systems across 150 countries within days of hitting the internet. CVE-2026-45657 is not EternalBlue yet — no public exploit exists as of this writing — but researchers at Zero Day Initiative noted as of June 9 that active patch-diffing efforts are already underway to develop one. The window to patch before that changes is measured in days, not weeks.

Exchange Server: Already Exploited Since May 14

CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access affecting Exchange Server 2016, 2019, and the current Subscription Edition. Attackers have been actively exploiting it since May 14 — a full 26 days before Microsoft shipped a permanent patch. A crafted email allows an attacker to execute arbitrary JavaScript inside an authenticated OWA browser session, which is sufficient to steal session tokens and impersonate the mailbox owner without any server-side compromise.

Microsoft deployed server-side mitigations through the Exchange Emergency Mitigation Service after exploitation was confirmed, but on-premises deployments that have EEMS disabled — whether by policy, network restriction, or neglect — had no protective barrier until Tuesday's patch. If your organization runs Exchange on-premises, this fix is not optional and is not covered by a future maintenance window.

Microsoft Defender Was Exploited Too

CVE-2026-41091, tracked as "RedSun" by researchers, is an elevation-of-privilege flaw in Microsoft Defender itself — CVSS 7.8. CISA added it to the Known Exploited Vulnerabilities catalog on May 20 and it shipped as an out-of-band update, separate from Tuesday's formal batch. That distinction matters: organizations relying solely on Patch Tuesday cycles may have missed it. Defender auto-updates on most endpoints, but managed environments with deferred update rings, GPO-controlled update settings, or air-gapped infrastructure should verify the fix is actually present.

Three More Rated CVSS 9.8

Beyond the headliners, this release contains three additional critical-severity remote code execution vulnerabilities worth specific attention:

• CVE-2026-47291 — HTTP.sys Remote Code Execution. Remote, unauthenticated, no user interaction. Affects the HTTP server stack underlying IIS and other Windows-hosted services.
• CVE-2026-44815 — DHCP Client Remote Code Execution. A stack-based buffer overflow that can be triggered by a rogue DHCP server on the same network segment. No internet exposure needed — a compromised device inside your network can propagate laterally to any unpatched Windows client that renews its lease.
• CVE-2026-49160 — The "HTTP/2 Bomb." A denial-of-service flaw that abuses HTTP/2 header compression to exhaust system memory at a rate that can consume roughly 64 GB of RAM in under a minute on an unpatched server. Microsoft added a MaxHeadersCount registry key as an immediate workaround pending patch deployment.

Why Record Volume Should Change Your Patching Calculus

The 200-plus CVE count is not a fluke. AI-assisted vulnerability research is accelerating the rate at which flaws get found and reported, compressing the time between "patch released" and "researchers have an exploit skeleton." That is broadly a good thing — flaws get fixed — but it also means the patch window businesses have before exploitation becomes trivial keeps narrowing.

The DHCP client flaw illustrates a subtler risk: not every critical vulnerability requires an internet-facing server. CVE-2026-44815 requires only that a Windows client request a DHCP lease from an attacker-controlled device on the same broadcast domain. Shared hosting environments, co-location facilities, and office networks with uncontrolled device access all create that condition naturally. Patching internet-facing servers first is correct; patching everything else "eventually" is not.

What to Do This Week

• Deploy June's update immediately — via Windows Update, WSUS, or your patch management platform. Internet-facing Windows servers take priority, but all Windows 10/11 and Server 2019/2022/2025 machines need this update.
• Exchange on-premises: Verify CVE-2026-42897 is patched and confirm the Exchange Emergency Mitigation Service is active. Cross-reference your Exchange build number against Microsoft's June 9 CU release notes.
• Defender out-of-band fix (CVE-2026-41091): Check managed and air-gapped endpoints explicitly — auto-update is not sufficient for deferred-ring deployments.
• Segment Windows Server 2022/2025 hosts: CVE-2026-45657 targets these specifically. Network segmentation limits lateral movement if an exploit surfaces in the coming days.
• Consider disabling HTTP/2 on IIS if it is not in use — this removes the entire attack surface for CVE-2026-49160 with no application impact in many configurations.

The 2017 response to WannaCry was straightforward: patch SMBv1, block port 445. The 2026 equivalent of that discipline is faster patching across a wider surface, with network monitoring that can catch exploit-pattern traffic before a foothold is established. At Falcon Internet, 24x7x365 NOC monitoring means anomalous traffic consistent with exploitation attempts gets flagged in the window between "patch dropped" and "exploit published" — which is precisely when it matters most.