Microsoft patched over 200 vulnerabilities on June 9, 2026, the largest Patch Tuesday ever, while a researcher dropped a live zero-day hours later. Here is what to fix first.
Microsoft's June 2026 Patch Tuesday: A Wormable Kernel Flaw, a Fresh Zero-Day, and the Biggest Patch Drop in History
Published: June 11, 2026
On June 9, 2026, Microsoft released fixes for more than 200 vulnerabilities, the largest single Patch Tuesday since the program launched in 2003. Hours later, a security researcher published working exploit code for a brand-new Windows Defender flaw that works on fully patched systems. Enterprise security teams are now facing one of the most demanding patch weeks on record.
The full CVE count, including Chromium and other third-party components bundled in Microsoft products, reaches 571 for June, according to Zero Day Initiative researcher Dustin Childs, who has tracked Patch Tuesday figures since 2017 and calls this by far the largest monthly release in that time.
But raw volume is not the real story. The real story is one wormable kernel bug, one live zero-day dropped by an angry researcher, and a Secure Boot deadline 17 days away. Here is what every business needs to know.
The Wormable Kernel Bug: CVE-2026-45657
The headline threat this cycle is CVE-2026-45657, a use-after-free flaw in the Windows Kernel rooted in how the operating system processes TCP/IP traffic. It carries a CVSS score of 9.8. Remote, unauthenticated attackers can execute code at SYSTEM level with no user interaction required. It is wormable, meaning an attack can spread from machine to machine across a network on its own, the same self-spreading quality that drove the 2017 WannaCry outbreak.
Microsoft confirmed: "An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system."
Affected systems include Windows 11 versions 23H2 through 26H1 and Windows Server 2022 and 2025, including Server Core. That covers essentially every supported Windows system your business runs.
Microsoft rated exploitation as "less likely," but security researchers are skeptical. Childs noted that every researcher and bug shop is now reversing this patch to build a working exploit. The window between patch release and a reliable public exploit may be days, not weeks.
Patches to apply:
- Windows 11 26H1: KB5095051 (build 10.0.28000.2269)
- Windows 11 25H2 and 24H2: KB5094126
- Windows 11 23H2: KB5093998
- Windows Server 2025: KB5094125
- Windows Server 2022: KB5094128
The Live Zero-Day: RoguePlanet and "Nightmare Eclipse"
Within hours of Patch Tuesday dropping, the anonymous researcher known as "Nightmare Eclipse" (also called Chaotic Eclipse) published a proof-of-concept exploit for a new, unpatched zero-day called "RoguePlanet." The exploit abuses a race condition in Windows Defender to spawn a command shell with SYSTEM-level privileges. It was posted under a new GitHub account named "MSNightmare" and has been confirmed to work on Windows 10 and 11 systems with all June 2026 patches installed.
The race condition makes the exploit unreliable, but a successful run hands an attacker full SYSTEM access.
These uncoordinated disclosures appear to be retaliation after a breakdown between the researcher and Microsoft. Chaotic Eclipse has accused Microsoft of revoking their Security Response Center account, dismissing their bug reports, refusing compensation, and defaming them. Microsoft responded last month, stating that public vulnerability disclosures are "never justifiable" and put customers at "unnecessary risk."
The researcher has threatened a "bone shattering" new exploit release on June 14. Watch that date.
Other Critical Bugs You Cannot Ignore
CVE-2026-42897: Exchange Server cross-site scripting, actively exploited. This flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition has been under active exploitation since May 14, when CISA added it to the Known Exploited Vulnerabilities catalog the following day. A crafted email opened in OWA lets an attacker run arbitrary JavaScript inside the authenticated session, enabling session token theft and mailbox impersonation. June 9 is the first time a permanent patch has been available. If you run Exchange on-premises, this is your top priority after CVE-2026-45657.
CVE-2026-47291: HTTP.sys remote code execution, CVSS 9.8. A second 9.8-rated bug this month. Unauthenticated attackers can execute code remotely with no user interaction. Systems using the default MaxRequestBytes registry value are not affected, and Microsoft includes a PowerShell script in the bulletin to apply that mitigation quickly while you test and deploy the full patch.
CVE-2026-44815: DHCP Client remote code execution, CVSS 9.8. A stack-based buffer overflow in the Windows DHCP Client that requires no credentials or user action. Alex Vovk, CEO and co-founder of Action1, said the flaw "can turn network traffic into a full system compromise." DHCP runs on virtually every machine on your network, making this a broad-surface risk.
CVE-2026-41091: Microsoft Defender elevation of privilege, actively exploited. Multiple parties reported this bug in the wild, suggesting significant exploitation. Most systems will receive the fix automatically through Defender's self-update mechanism. If you have automatic updates disabled or operate in an isolated environment, push the update manually now.
The Secure Boot Deadline: 17 Days Away
Separate from any single CVE, organizations that have not completed the Windows UEFI CA 2023 certificate rotation face a hard cutoff that is now 17 days out. This is the last Patch Tuesday before that deadline. Boot-level security failures are the consequence of missing it. Check your UEFI patching status today.
Why So Many Vulnerabilities at Once?
Satnam Narang, senior staff research engineer at Tenable, pointed to a recent Microsoft blog noting that both its engineers and the security community are "increasingly using AI" to find bugs, and that larger patch volumes may become the norm as AI models grow more capable.
ZDI's Childs raised a fair concern: producing 571 CVEs in a single month is extraordinary and raises questions about how many were found by AI tools, how many patches were written with AI assistance, and what quality-control risks that introduces. Those are worth carrying into your patch testing process.
Your Action List for This Week
- Patch CVE-2026-45657 immediately. Apply the correct KB for your Windows version and reboot. A pending reboot leaves the old kernel loaded and your system unprotected.
- Patch Exchange Server for CVE-2026-42897 now. Active exploitation has been running for weeks and a permanent fix is finally available.
- Apply the HTTP.sys registry mitigation for CVE-2026-47291 if you cannot patch immediately, then deploy the full patch as soon as you can.
- Patch every Windows endpoint for CVE-2026-44815. DHCP is a core network function on nearly every machine you own.
- Confirm Microsoft Defender is auto-updating. Isolated or air-gapped systems need a manual push for CVE-2026-41091.
- Watch June 14. Nightmare Eclipse has promised another public exploit release that day. Keep your patch cycle ready to respond.
- Complete the Secure Boot certificate rotation on all devices before June 26.
How 247techify Can Help
Keeping up with a Patch Tuesday this large takes more than a monthly calendar reminder. At 247techify (https://www.247techify.com/), we help businesses build structured vulnerability management and patch deployment processes so that critical fixes like CVE-2026-45657 get applied fast, before attackers close the gap. If your team is stretched thin or you want a second set of eyes on your Windows and Exchange exposure right now, reach out to us at https://www.247techify.com/ and let's talk.
