June 12, 2026critical vulnerability

How a flaw in Windows' core networking code could let attackers spread automatically across the internet

A vulnerability disclosed on June 9, 2026 does not require a phishing email, a malicious attachment, or a user who clicks the wrong thing. An attacker anywhere on the internet can send a stream of specially crafted network packets to a vulnerable Windows machine and take complete control of it. No login required. No warning to the user. No interaction of any kind.

That property, network-reachable with no preconditions, is what makes CVE-2026-45657 wormable. A successful exploit can be designed to automatically find and attack the next vulnerable machine, then the next, replicating across networks without any human involvement. This is the same propagation model that powered WannaCry in 2017, which spread to more than 200,000 systems across 150 countries in a matter of days. The patch for that attack had been available for two months before the worm launched.

The patch for CVE-2026-45657 shipped on June 9, 2026. As of June 12, multiple security researchers have stated publicly that threat actors are already reverse-engineering the patch binary to build a working exploit. Trend Micro Zero Day Initiative researcher Dustin Childs put it plainly: "every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit." The window between patch release and weaponized exploit is now measured in days, not weeks.

🟡 Level 2

Read the narrative

How the attack unfolded, phase by phase.

6 min read

🔴 Level 3

Go deeper

Technical mechanism, CVE, ATT&CK mapping, primary sources.

3 min read

Does this apply to you?

If your organization runs any version of Windows 11 or Windows Server 2022 or 2025 and has not deployed the June 2026 Patch Tuesday updates, you may have been exposed to a wormable, unauthenticated remote code execution vulnerability. If those systems are reachable from the internet or connected to a flat internal network, your blast radius may extend to every other networked device those machines can reach, including file servers, domain controllers, and operational systems. This pattern applies beyond Windows: any system where the core networking stack processes untrusted external traffic before authentication is a candidate for this class of attack. Check whether automatic updates are enabled on all Windows endpoints and servers in your environment. If any system is running without the June 9, 2026 patches (KB5095051, KB5094126, KB5093998, or KB5094125), it should be treated as an unguarded entry point on your network.

Narrative · 6 min read

The Context

Every Windows computer that connects to a network runs a kernel-mode driver called tcpip.sys. It is the lowest-level software component responsible for receiving and processing incoming network traffic. It runs with the highest possible system privileges, meaning a flaw here is not a problem in one application. It is a problem in the foundation every application sits on.

CVE-2026-45657 is a flaw in that foundation. Microsoft disclosed it on June 9, 2026, as part of the June Patch Tuesday release. The flaw carries a CVSS base score of 9.8 out of 10, the near-maximum rating reserved for vulnerabilities that are network-reachable, require no authentication, and produce the worst possible outcome on success.

Key terms

Use-after-free: A memory error where software continues to use a region of memory after that memory has been released back to the system. An attacker can manipulate what gets placed in that freed memory, turning the error into a way to run their own code.
Kernel: The core of an operating system that runs with full control over the hardware. Code running at the kernel level can do anything: install software, read any file, disable security tools, create accounts.
Wormable: A vulnerability that can be exploited automatically, without any human action on the victim's side, and whose exploit can be designed to self-propagate to additional vulnerable machines.
CVSS score: Common Vulnerability Scoring System. A standardized 0-10 rating of vulnerability severity. A score of 9.8 is near-maximum and signals the most urgent patch priority.
Patch diffing: The technique of comparing a patched software binary against the unpatched version to identify exactly what code changed. Attackers use this to reverse-engineer the vulnerability and build an exploit, often within days of a patch release.

The Attack, Phase by Phase

Phase 1: The Vulnerability Mechanics

The flaw lives in how tcpip.sys manages memory when processing incoming network packets. When the kernel receives certain specially crafted TCP/IP packets, it can be induced to access a region of memory that has already been freed and returned to the system allocator. This is called a use-after-free condition.

An attacker can influence what data occupies that freed memory region before the kernel reads it. By controlling what the kernel reads, the attacker can redirect execution to code of their choosing. Because tcpip.sys runs at the kernel level, that code executes with SYSTEM privileges. The attacker gains complete control: they can install software, read or destroy any file, create accounts, and disable security tools.

The flaw is also classified as a heap-based buffer overflow. CrowdStrike confirmed that attack complexity is rated "low," meaning no special timing, race conditions, or unusual configurations are required to trigger it reliably.

Phase 2: The Wormable Threat Model

"Wormable" describes propagation mechanics. Because CVE-2026-45657 requires no authentication and no user interaction, and because the attack vector is the network itself, a successful exploit payload can automatically scan for additional vulnerable Windows machines and attack them in turn.

The historical reference point is EternalBlue (CVE-2017-0144), a wormable flaw in Windows' SMB protocol. When weaponized in the WannaCry outbreak in May 2017, it spread to more than 200,000 systems across 150 countries within days. A patch had been available for two months. The gap between patch available and patch deployed was the attack surface.

Dustin Childs of the Trend Micro Zero Day Initiative confirmed the wormable classification on June 9. The specific network configurations under which wormability is achievable were not fully detailed in Microsoft's advisory, and whether the exploit path runs over IPv4, IPv6, or both has not been confirmed. Security researchers are advising organizations to treat all networked Windows systems as broadly at risk.

Phase 3: The Patch Race

As of June 12, 2026, Microsoft has not confirmed active exploitation in the wild. The advisory carries an "Exploitation Less Likely" designation, reflecting the absence of a confirmed public exploit at disclosure—not the absence of adversary interest.

The moment Microsoft ships a patch, the binary diff becomes a public roadmap. Researchers and threat actors compare the patched and unpatched versions of tcpip.sys to reconstruct the vulnerability. This process, called patch diffing, is fast. The window from disclosed patch to deployable exploit is measured in days, not weeks.

Patches are available now for all affected platforms: KB5095051 for Windows 11 26H1, KB5094126 for Windows 11 25H2 and 24H2, KB5093998 for Windows 11 23H2, and KB5094125 for Windows Server 2025. Windows Server 2022 is also affected. No registry-based workaround exists. The patch is the only mitigation.

What Made This Possible

The attack surface is universal by design. Every networked Windows machine runs tcpip.sys and processes incoming packets before any authentication occurs. The vulnerability exists at the layer that precedes all other security controls.
Kernel-level memory management has no safety net. Application-layer software runs in a sandboxed environment where memory errors are contained. Kernel code does not. A use-after-free in tcpip.sys gives an attacker direct access to the operating system's core with no boundary between the flaw and full system control.
Patch disclosure arms both sides simultaneously. The same transparency that allows defenders to understand what changed gives attackers a precise map of the vulnerability. The "Exploitation Less Likely" label does not account for how quickly that status changes once patch diffing begins.

What Should Have Stopped This

No single control prevents exploitation of a kernel-level flaw in the networking stack, but a layered architecture limits how far an attacker can travel after the first machine falls.

Network segmentation: Flat networks, where every device can communicate with every other, are the environment where wormable exploits cause the most damage. Segmentation means a compromised machine cannot become a launch point.
Perimeter filtering of anomalous traffic: Cisco Talos published Snort detection rules on June 9 to identify exploitation attempts. Organizations with network monitoring tools can deploy these rules to detect attack patterns before a machine is fully compromised.
Prioritizing patches by vulnerability shape, not exploitation status: The "Exploitation Less Likely" label is a snapshot of a single moment. For a wormable, unauthenticated, kernel-level flaw, the correct triage decision is immediate deployment. By the time exploitation is confirmed, the worm is already spreading.

The Takeaway

The WannaCry outbreak of 2017 was not caused by a zero-day. It was caused by a two-month gap between patch availability and patch deployment. CVE-2026-45657 presents the same structural conditions: a wormable flaw, a patch now available, and a window of exposure that shrinks by the day as threat actors reverse-engineer the binary.

The meta-pattern is consistent with prior incidents: the most dangerous attacks target the infrastructure that security controls depend on, not the controls themselves. Here, it is the networking stack—a layer so fundamental it cannot be disabled or replaced.

Patch urgency must be driven by vulnerability shape, not confirmed exploitation status. A wormable, unauthenticated, kernel-level flaw with a CVSS score of 9.8 is a fire drill regardless of what the exploitation label says on day one.

Pattern to remember: When a vulnerability is wormable and unauthenticated, the gap between patch release and patch deployment is the attack surface, and that gap closes in days once reverse-engineering begins.

What changed: For kernel-level networking flaws, the "Exploitation Less Likely" label at disclosure now functions as a starting gun for patch diffing, not a signal of low risk, because binary comparison compresses the path from disclosed patch to deployable worm faster than most organizations complete a patch cycle.

Technical Deep Dive · 3 min

The Technical Mechanism

CVE-2026-45657 is a use-after-free (CWE-416) and heap-based buffer overflow (CWE-122) in tcpip.sys, the Windows kernel-mode driver responsible for TCP/IP stack processing. The flaw is triggered during the kernel's handling of specially crafted inbound network packets.

The use-after-free condition arises when the kernel's TCP/IP processing path frees a memory object and subsequently dereferences a stale pointer to that object. Because the freed memory region can be reclaimed and populated with attacker-controlled data before the dereference occurs, the attacker can redirect kernel execution to arbitrary shellcode. The heap-based buffer overflow component indicates that the memory corruption can extend beyond the freed object into adjacent heap regions, providing additional exploitation primitives for bypassing kernel mitigations such as Kernel Address Space Layout Randomization (KASLR).

The CVSS 3.1 vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8. The temporal vector reflects E:U (unproven exploit) at time of disclosure, producing a temporal score of 8.5. Attack complexity is rated Low, meaning no race conditions, heap grooming prerequisites, or target-specific configurations are required to trigger the vulnerability reliably. Successful exploitation yields SYSTEM-level code execution, the highest privilege tier on Windows, equivalent to NT AUTHORITY\SYSTEM.

The wormable classification follows from the combination of network attack vector, zero authentication requirement, zero user interaction requirement, and the self-contained nature of the exploit payload. An exploit can be designed to enumerate reachable hosts and transmit itself autonomously, replicating the EternalBlue propagation model. The specific protocol path (IPv4, IPv6, or both) has not been confirmed in the advisory. Microsoft has not published a registry-based workaround; patching is the only remediation.

CVE and Advisories

CVE-2026-45657: Windows Kernel Remote Code Execution Vulnerability. CVSS 3.1 base score 9.8, temporal score 8.5.
Microsoft Security Response Center Advisory: Official patch guidance, affected platform list, and KB numbers.
Cisco Talos Snort Rules and Analysis: Network detection rules for exploitation attempts.

MITRE ATT&CK Mapping

Technique ID	ATT&CK name	How it appeared
T1190	Exploit Public-Facing Application	The vulnerability is exploited via inbound network traffic targeting the Windows TCP/IP stack, which is exposed on any networked system.
T1068	Exploitation for Privilege Escalation	The use-after-free condition in tcpip.sys yields SYSTEM-level code execution directly, bypassing any lower-privilege initial access stage.
T1210	Exploitation of Remote Services	The wormable propagation model relies on exploiting the same vulnerability on additional reachable hosts without human involvement.
T1562	Impair Defenses	SYSTEM-level access enables an attacker to disable endpoint detection tools, modify audit policies, and remove security software.

Indicators of Compromise

No confirmed exploitation has occurred as of June 12, 2026, so no post-exploitation IOCs (file hashes, command-and-control infrastructure, or registry artifacts) are available from incident response cases.

Network-layer detection is possible. Cisco Talos published Snort rules on June 9, 2026 to identify malformed TCP/IP packets consistent with exploitation attempts. Organizations running network intrusion detection systems should deploy these rules immediately.

Network Indicators

Anomalous inbound TCP/IP traffic with malformed packet structures targeting Windows hosts
Unexpected outbound scanning activity from Windows servers (indicative of worm propagation from a compromised host)
Snort rules: available via the Cisco Talos June 2026 Patch Tuesday analysis

Patch Verification

Confirm the following KB updates are installed on all affected systems:

KB5095051: Windows 11 26H1
KB5094126: Windows 11 25H2 and 24H2
KB5093998: Windows 11 23H2
KB5094125: Windows Server 2025
Windows Server 2022: consult the MSRC advisory for the applicable KB

CISA had not added CVE-2026-45657 to the Known Exploited Vulnerabilities (KEV) catalog as of June 14, 2026. Absence from the KEV catalog should not be interpreted as reduced urgency for a wormable, unauthenticated kernel flaw.

Attribution

No attribution. The Microsoft Security Response Center credits Microsoft as the discovering organization. No external researcher, bug bounty submission, or coordinated disclosure from a third party has been publicly acknowledged. No threat intelligence firm has linked the vulnerability's discovery or any exploitation activity to a specific threat actor or nation-state group as of June 14, 2026.

Primary Sources

01.
CVE-2026-45657 - Security Update Guide - Microsoft - Windows Kernel Remote Code Execution Vulnerability
Microsoft Security Response Center (MSRC) · June 9, 2026
02.
The June 2026 Security Update Review
Trend Micro Zero Day Initiative (ZDI) · June 9, 2026
03.
June 2026 Patch Tuesday: Updates and Analysis
CrowdStrike · June 10, 2026
04.
Microsoft Patch Tuesday for June 2026: Snort Rules and Prominent Vulnerabilities
Cisco Talos Intelligence · June 9, 2026
05.
Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
The Hacker News · June 12, 2026
06.
CVE-2026-45657: Critical Windows Kernel RCE Patch Guide (June 2026)
Windows Forum · June 9, 2026