Microsoft's June 2026 Patch Tuesday fixed 206 vulnerabilities, the most ever in a single update, including a wormable CVSS 9.8 kernel flaw and two actively exploited zero-days.
On June 9, 2026, Microsoft released its largest Patch Tuesday in the program's 23-year history: 206 vulnerabilities fixed, 39 rated Critical, spanning the Windows kernel, Hyper-V, Remote Desktop Client, Kerberos, DHCP, BitLocker, HTTP.sys, Exchange Server, and Office. The headline number is alarming enough, but the real story is what sits inside it: a wormable kernel flaw researchers are comparing to EternalBlue, two vulnerabilities already being exploited before the patch shipped, and a Secure Boot certificate deadline that most IT teams have not yet noticed. This is not a routine update cycle. It is a patching emergency in monthly packaging.
The Wormable Flaw: CVE-2026-45657
The single most urgent fix is CVE-2026-45657, a Critical remote code execution vulnerability in the Windows kernel with a CVSS score of 9.8. Use-after-free and heap-based buffer overflow bugs allow an unauthenticated attacker to send specially crafted TCP/IP packets and take full control of any Windows machine that receives them, no credentials, no clicks, no user interaction required.
Researchers at the Zero Day Initiative confirmed the flaw can self-propagate across networks, a profile similar to EternalBlue, the vulnerability behind the WannaCry outbreak. Affected platforms include Windows 11 versions 23H2, 24H2, 25H2, and 26H1 on x64 and ARM64, plus Windows Server 2022 and Windows Server 2025, including Server Core. That breadth puts this across both client and server estates.
Microsoft currently rates exploitation as "Less Likely." Do not let that slow you down. Researchers worldwide are reversing this patch right now. The window between patch release and working exploit shrinks every year.
Two Vulnerabilities Already Being Exploited
CVE-2026-41091, Microsoft Defender Elevation of Privilege (CVSS 7.8): The Microsoft Malware Protection Engine improperly resolves links before accessing files, letting a local attacker elevate to SYSTEM privileges. Researchers at Huntress confirmed active exploitation before June 9, and observed related activity tied to BlueHammer (CVE-2026-33825), suggesting a coordinated campaign against Defender components. The fix shipped in Malware Protection Engine version 1.1.26040.8. Most users get this automatically, but any air-gapped, isolated, or update-disabled environment needs a manual check. Confirm the engine version reads 1.1.26040.8 or later.
CVE-2026-42897, Microsoft Exchange Server XSS (CVSS 8.1, Actively Exploited): A cross-site scripting flaw in the Outlook Web Access component of Exchange Server 2016, 2019, and Subscription Edition was confirmed under active exploitation on May 14, 2026. CISA added it to the Known Exploited Vulnerabilities catalog the following day. A permanent patch is now available for the first time. Apply it immediately. Every day without it is a confirmed open door into your email infrastructure.
Three More CVSS 9.8 Flaws You Cannot Skip
The volume of this release makes slow triage tempting. Resist it. Three additional vulnerabilities carry the same maximum-severity score.
CVE-2026-47291, Windows HTTP.sys RCE (CVSS 9.8): Integer overflow and heap buffer overflow flaws let an unauthenticated attacker send a crafted packet to any server using the HTTP Protocol Stack and execute code remotely. Pre-patch mitigation: ensure the MaxRequestBytes registry value is set to no higher than 65,534 bytes. Systems using the default value of 16,384 bytes are not impacted, but patch as soon as possible regardless.
CVE-2026-44815, Windows DHCP Client RCE (CVSS 9.8): A stack-based buffer overflow lets an attacker on the same network send a malicious DHCP response and trigger code execution on the client. Because the DHCP client runs on virtually every Windows endpoint, exposure is organisation-wide. Internal threat actors and already-compromised devices inside your perimeter are the primary risk.
Privilege escalation at scale: This update contains roughly 65 Elevation of Privilege vulnerabilities. Attackers routinely chain EoP flaws with initial-access exploits to move from a foothold to full system control fast. Patching these closes that fast path.
The Secure Boot Deadline Hidden in This Update
This release arrived with only 17 days until the absolute Secure Boot certificate expiration deadline on June 26, 2026. Missing that date does not immediately break machines, but devices will lose future early-boot protection updates, creating a gap attackers will eventually target. Verify Secure Boot certificate rotation on all devices before June 26.
Why So Many Vulnerabilities at Once?
AI-assisted vulnerability discovery tools, including Microsoft's own multi-model scanning system and third-party platforms, are finding software flaws at a rate that far exceeds historical human-researcher throughput. The flood of CVEs is not a sign that Windows is suddenly less secure. It is a sign that automated discovery now operates at machine speed. That is good for transparency, but it also means the patch backlog businesses face is growing faster than most IT teams can handle manually.
What Your Business Must Do Right Now
Prioritise in this order, starting today:
- Patch CVE-2026-45657 across all supported Windows 11 and Windows Server systems. Use KB5095051 for Windows 11 26H1, KB5094126 for 24H2 and 25H2, KB5093998 for 23H2, and KB5094125 for Windows Server 2025.
- Patch CVE-2026-42897 on Exchange Server 2016, 2019, and Subscription Edition immediately. Active exploitation has been confirmed for weeks.
- Verify CVE-2026-41091 has applied in every environment. Check isolated and update-disabled deployments manually. Confirm engine version 1.1.26040.8 or later.
- Apply the HTTP.sys registry mitigation for CVE-2026-47291 on any web-facing server if patching is delayed, then patch as soon as possible.
- Confirm Secure Boot certificate rotation before June 26, 2026.
- Patch CVE-2026-44815 across the full endpoint fleet.
How 247techify Can Help
At 247techify, we help businesses manage exactly this kind of high-volume, high-urgency patching cycle, from prioritisation and testing to deployment across distributed Windows environments. If your team is stretched thin or unsure where to start with 206 vulnerabilities, reach out at https://www.247techify.com/ and we will help you build a plan that protects what matters most.
%22%2F%3E%0A%20%20%20%20%20%20%3Cstop%20offset%3D%22100%25%22%20stop-color%3D%22hsl(60%2070%25%2040%25)%22%2F%3E%0A%20%20%20%20%3C%2FlinearGradient%3E%0A%20%20%3C%2Fdefs%3E%0A%20%20%3Crect%20width%3D%221536%22%20height%3D%221024%22%20fill%3D%22url(%23g)%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%22420%22%20cy%3D%22520%22%20r%3D%22320%22%20fill%3D%22white%22%20opacity%3D%220.08%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%22880%22%20cy%3D%22580%22%20r%3D%22240%22%20fill%3D%22black%22%20opacity%3D%220.06%22%2F%3E%0A%3C%2Fsvg%3E)
