Microsoft patched 206 vulnerabilities on June 9, 2026, the largest Patch Tuesday in history, including a CVSS 9.8 wormable kernel flaw and an unpatched Defender zero-day dropped the same day.
On June 9, 2026, Microsoft released fixes for 206 vulnerabilities, the largest single Patch Tuesday since the program launched in October 2003. Thirty-nine are rated Critical. The same day, a researcher published working exploit code for an unpatched Windows Defender flaw. Security teams have no easy week this month.
The volume alone is unusual. But one flaw inside this record drop changes the urgency calculus for every Windows environment on the planet.
The One Flaw That Could Spread Like WannaCry
CVE-2026-45657 is a use-after-free bug in the Windows kernel, rooted in how it handles TCP/IP. Its CVSS base score is 9.8. It is wormable.
What that means in plain terms: an attacker needs no credentials, the victim needs to click nothing, and the attacker triggers it by sending specially crafted TCP/IP packets across the network, arriving at SYSTEM-level privileges on the target machine. Researchers at the Zero Day Initiative have confirmed the flaw can self-propagate across networks, a profile identical to EternalBlue, the vulnerability that powered WannaCry.
That comparison deserves weight. In May 2017, WannaCry spread to more than 200,000 systems across 150 countries using EternalBlue, even though Microsoft had issued a patch two months earlier. Organizations that waited paid the price.
CVE-2026-45657 affects Windows 11 versions 23H2 through 26H1 on both x64 and ARM64, plus Windows Server 2022 and Server 2025, including Server Core installations. Microsoft's own label of "Exploitation Less Likely" should not slow anyone down. Threat actors are already reverse-engineering the patch. The gap between patch release and weaponized exploit shrinks every year.
The Rest of the Critical List
CVE-2026-45657 leads, but several other flaws in this release demand immediate attention.
CVE-2026-47291, HTTP.sys RCE (CVSS 9.8): Remote, unauthenticated code execution with no user interaction required. One important nuance: systems using the default MaxRequestBytes registry value are not affected. If your team has customized that value, you are exposed and need to patch now.
CVE-2026-44815, DHCP Client RCE (CVSS 9.8): A stack-based buffer overflow in the Windows DHCP Client. As Action1 CEO Alex Vovk put it: "This flaw needs no credentials or user action and can turn network traffic into a full system compromise." The DHCP client runs on virtually every Windows machine, making the attack surface enormous.
CVE-2026-41091, Microsoft Defender Elevation of Privilege: This is the one bug confirmed as actively exploited in the wild. Multiple parties are credited in the patch notes, which signals exploitation is widespread. Defender updates itself for most users, but isolated environments or non-default configurations need a manual update check now.
BitLocker bypasses: Three named BitLocker bypass vulnerabilities were patched: CVE-2026-45585 (YellowKey), CVE-2026-50507 (Bitskrieg), and CVE-2026-45658, plus multiple UEFI-level bypass CVEs. A successful bypass lets an attacker with physical or local access circumvent full-disk encryption, the control many organizations treat as a last line of defense for lost or stolen devices.
CVE-2026-42897, Exchange Server spoofing (CVSS 8.1): Microsoft confirmed active exploitation of this cross-site scripting flaw in Outlook Web Access. There is no patch yet. The Exchange Emergency Mitigation Service provides automatic mitigation and is on by default. Confirm it is enabled in your environment.
A Zero-Day Dropped the Same Day the Patches Landed
The same day Patch Tuesday published, a researcher known as "Nightmare Eclipse" released proof-of-concept code for "RoguePlanet," a new Windows Defender zero-day that abuses a race condition to spawn a command shell running at SYSTEM-level privileges. Microsoft has not yet issued a fix. Monitor Microsoft's security advisories closely for an out-of-band patch.
Why This Month Is Different
The combination is what sets June 2026 apart from a typical heavy patch month: a wormable kernel flaw with a 9.8 CVSS score, an actively exploited Defender privilege escalation bug, a brand-new unpatched Defender zero-day dropped hours after the patches landed, Exchange attacks happening in the wild right now, and BitLocker bypasses targeting encryption at rest. The wider threat landscape is not offering any breathing room.
Concrete Steps Your Team Should Take Right Now
Patch CVE-2026-45657 first, today. This wormable kernel flaw goes to the front of every queue. Do not wait for a maintenance window.
Check your HTTP.sys MaxRequestBytes setting. If the default value is in place, CVE-2026-47291 does not apply. Confirm it, document it. If it has been customized, patch immediately.
Verify Microsoft Defender is auto-updating. For most environments Defender handles this itself. If you are in an isolated or air-gapped setup, push the latest Defender definitions manually now.
Confirm the Exchange Emergency Mitigation Service is enabled. No patch exists yet for CVE-2026-42897. The automatic mitigation service is currently your only protection against active exploitation of the Exchange spoofing flaw.
Audit BitLocker-protected devices for UEFI integrity. The BitLocker bypass CVEs mean a physically stolen device could be unlocked. Verify that Secure Boot configurations and firmware are current on all laptops and portable devices.
Use network segmentation as a backstop. Where patching cannot happen immediately, segment networks and restrict RDP exposure to limit how far an attacker could move if a system is compromised before the patch lands.
Treat CVE-2026-45657 with EternalBlue-level urgency. If your organization runs monthly patch cycles, break that cycle this month. A wormable, unauthenticated, no-interaction-required CVSS 9.8 kernel flaw does not wait for the next maintenance window.
How 247techify Can Help
At 247techify, we help businesses navigate exactly this kind of high-pressure patch cycle: assessing exposure, prioritizing critical updates, and keeping Windows environments secured around the clock. If the scale of June's Patch Tuesday has you concerned about gaps in your defenses, reach out to us at https://www.247techify.com/ and let's work through what needs to happen first.
%22%2F%3E%0A%20%20%20%20%20%20%3Cstop%20offset%3D%22100%25%22%20stop-color%3D%22hsl(60%2070%25%2040%25)%22%2F%3E%0A%20%20%20%20%3C%2FlinearGradient%3E%0A%20%20%3C%2Fdefs%3E%0A%20%20%3Crect%20width%3D%221536%22%20height%3D%221024%22%20fill%3D%22url(%23g)%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%22420%22%20cy%3D%22520%22%20r%3D%22320%22%20fill%3D%22white%22%20opacity%3D%220.08%22%2F%3E%0A%20%20%3Ccircle%20cx%3D%22880%22%20cy%3D%22580%22%20r%3D%22240%22%20fill%3D%22black%22%20opacity%3D%220.06%22%2F%3E%0A%3C%2Fsvg%3E)
