What is CVE-2026-45657?

CVE-2026-45657 is a Windows Kernel remote code execution vulnerability disclosed in the June 2026 Patch Tuesday. It is a use-after-free flaw in how the kernel handles TCP/IP traffic, carries a CVSS 9.8 rating, and allows a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. Researchers describe the bug as wormable because it requires only network reachability to the target.

Is CVE-2026-45657 being actively exploited?

As of the June 2026 release, Microsoft rates exploitation as Less Likely and no public proof-of-concept exploit has been confirmed. That rating is not a free pass. The combination of a wormable, pre-authentication TCP/IP code-execution bug is exactly the class researchers race to weaponize after patch release, so the practical exposure window is short. Treat it as patch-now, not patch-this-month.

Which Windows systems are affected by CVE-2026-45657?

The vulnerability sits in the Windows kernel TCP/IP networking stack, so it affects supported Windows client and Windows Server versions covered by the June 2026 Patch Tuesday updates. Confirm specific affected builds against your inventory using the Microsoft Security Update Guide entry for CVE-2026-45657 before scoping the rollout. Internet-exposed Windows hosts are the highest-priority population to patch.

What mitigations exist if we cannot patch immediately?

There is no Microsoft-supplied workaround that fully replaces the patch. The defensible interim posture is reducing attack surface: confirm no Windows host exposes inbound TCP/IP services directly to the internet, enforce firewall rules that restrict SMB, RDP, and other Windows networking ports to known sources, and monitor for unusual inbound scanning. Patch within days, not weeks.

How does this fit alongside the other June 2026 Patch Tuesday fixes?

June 2026 was Microsoft’s largest Patch Tuesday on record at roughly 204 to 208 CVEs, including 33 critical. CVE-2026-45657 sits at the top of the priority list because of its wormable pre-auth profile, but the same release also addresses publicly disclosed issues in Microsoft Defender, BitLocker, and HTTP.sys. Roll the cumulative update; do not cherry-pick a single fix.

What should Hawaii businesses do this week?

Three actions in order: inventory every Windows host that could be reached from outside your edge firewall, apply the June 2026 cumulative update to those internet-exposed hosts first, then complete the rollout to the rest of the fleet on your normal patch ring. If your patch SLA is longer than seven days for internet-facing systems, this week is the time to shorten it.

Cybersecurity · Vulnerability advisory

CVE-2026-45657 Windows Kernel TCP/IP RCE: what Hawaii businesses should do now

CVE-2026-45657 is a Windows Kernel remote code execution vulnerability rated CVSS 9.8, shipped in the June 2026 Patch Tuesday. A remote, unauthenticated attacker can run code at SYSTEM by sending crafted TCP/IP traffic — no user click required — and researchers describe the bug as wormable. Microsoft rates exploitation Less Likely, but the profile of the flaw is the kind exploit developers chase the moment a patch ships.

The short answer. CVE-2026-45657 is a pre-authentication, wormable Windows Kernel RCE at CVSS 9.8, patched on June 10, 2026 Patch Tuesday. It lives in the TCP/IP stack, so any reachable Windows host is in scope. Patch your internet-exposed Windows hosts first, then the rest of the fleet within your normal ring. Don’t wait for a public exploit — the gap between disclosure and weaponized code on bugs like this is usually measured in days.

Published June 11, 2026 · HI Tech Hui · ~7 min read

Why this bug deserves the top of your patch queue

Most months, Patch Tuesday is a triage exercise. June 2026 is different. Microsoft shipped a record-breaking release — 204 vulnerabilities by SANS’ count, 208 by Zero Day Initiative’s — and at the top of the stack sits CVE-2026-45657, a use-after-free in the Windows Kernel’s handling of TCP/IP. The Zero Day Initiative’s monthly review is blunt about it: “This CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction. Yup – this is wormable” (Zero Day Initiative, June 2026).

That word — wormable — is what changes the calculus. Most RCE bugs need a user to click a link, open a file, or be socially engineered. A wormable network bug just needs to reach the target. One infected host inside your network can spread to every other reachable Windows host before anyone notices, the way WannaCry and NotPetya did in 2017. Microsoft has marked the bug “Exploitation Less Likely,” but ZDI’s read is the right one for defenders: “rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit” (Zero Day Initiative).

What is actually broken

CVE-2026-45657 is a use-after-free vulnerability in the Windows kernel’s TCP/IP implementation. In plain English: the kernel frees a memory object while a code path still holds a reference to it, and a carefully crafted network packet can manipulate that condition to execute attacker-supplied code with SYSTEM privileges. Because the vulnerable code lives in the networking stack, no logged-in user is required. No phishing, no malicious document, no compromised credential — just an attacker who can deliver a packet to a vulnerable host.

The same June 2026 release patches a closely related public-disclosure issue, CVE-2026-49160, an HTTP.sys denial-of-service triggered by an HTTP/2 HPACK compression bomb (SANS Internet Storm Center). Different bug, same lesson: anything you expose to the internet on a Windows host needs the June cumulative update applied promptly.

Who is in scope

The vulnerable code is in the Windows kernel, so the affected population is broad — supported Windows client and Windows Server versions covered by the June 2026 cumulative updates. Rather than working from a generic list, validate scope against your own inventory using Microsoft’s Security Update Guide entry for CVE-2026-45657, which lists every affected build and the specific update that closes it.

Three populations need explicit attention first:

Internet-exposed Windows hosts. Any Windows server reachable from the public internet — remote access gateways, Windows web servers, file transfer endpoints, VPN concentrators running on Windows — is the highest-priority bucket.
Edge VMs in cloud environments. Lift-and-shift Windows workloads in Azure, AWS, or other clouds that sit behind only a Network Security Group are functionally internet-facing. Check NSG rules; do not assume a cloud network is private.
Flat internal networks. If your internal network has no segmentation, one compromised laptop on guest Wi-Fi or VPN becomes a launch pad to every internal Windows host. That is the wormable scenario.

The patch and verification plan for Hawaii teams

Inventory now, scope first. Pull a list of every Windows host in your environment, tag those reachable from the internet, and confirm the current OS build and last-installed cumulative update on each. If you cannot answer that question this morning, the gap to close is monitoring, not patching.
Patch the perimeter today. Apply the June 2026 cumulative update to internet-exposed Windows hosts as the first wave. Reboot is required for kernel patches.
Patch the interior on your normal ring — compressed. Use your standard test ring for endpoints and internal servers, but compress the timeline. A 30-day patch SLA is too slow for a wormable pre-auth bug; aim for seven days end-to-end this month.
Verify, don’t assume. Confirm the post-update OS build on every host matches the version Microsoft lists as fixed for CVE-2026-45657. This is the same verification discipline we use for our monthly patch compliance verification — deployed is not the same as installed.
Monitor for scanning. Once an exploit drops, opportunistic scanning for vulnerable Windows hosts picks up sharply. Make sure your SOC or monitoring stack is watching for anomalous inbound TCP/IP traffic patterns and unexpected new processes on Windows hosts.

Interim mitigations if you cannot patch immediately

There is no full Microsoft-supplied workaround for CVE-2026-45657. The patch is the fix. If a specific host cannot be patched today — pending change window, vendor-locked appliance, regulated medical or industrial system — reduce its reachability:

Take it off the internet. If an exposed Windows host does not need to be reachable from any IP on earth, put it behind a VPN or an allow-list immediately. This is the single highest-value control.
Tighten firewall rules. Restrict inbound TCP/IP services on Windows hosts to the smallest set of source IPs that need access. SMB and RDP in particular should never face the internet.
Segment internally. If a flat internal network is what makes the worm scenario plausible, even a basic VLAN separation between user endpoints and servers reduces blast radius.

How we’re running this with our managed clients

The pattern here is the one we use for any wormable, pre-auth network bug: triage by exposure, not by CVSS alone. CVSS 9.8 means “bad,” but the question that actually drives the patch order is “who can reach the vulnerable host?” That mirrors the framework in our patch triage signals post — exposure, exploitability, and asset criticality, not CVSS in isolation. It also fits the seven-day SLA we recommend for KEV-listed flaws in CISA KEV patching for SMBs; CVE-2026-45657 is not on the KEV catalog as of this writing, but the threat profile is identical and the same SLA is the right default.

For Hawaii businesses with a recent Palo Alto exposure still fresh in mind, the comparison is useful. We wrote about the GlobalProtect auth bypass CVE-2026-0257 earlier this month for the same reason: a pre-auth network bug on an exposed device is a now-problem, not a next-week problem. Same posture this week, different vendor.

FAQ for executives

What is the business risk if we don’t patch this within a week?

The realistic worst case is a wormable exploit landing in the next 7–14 days that lets an attacker run SYSTEM-level code on every reachable Windows host. That is ransomware-deployment-grade access. The best case is the bug never gets weaponized. The cost of patching is one weekend of reboots; the cost of guessing wrong is incident response and downtime. The asymmetry argues for patching.

Will Windows Update handle this on its own?

For domain-joined endpoints on a working WSUS or Intune ring, mostly yes — if the rings are configured to deploy critical updates within days. For servers, manual approval is usually required. The systems that quietly miss the patch are the ones nobody owns: one-off VMs, vendor appliances running Windows, and forgotten internet-exposed boxes. Those are the ones that get popped.

Sources

Need a second set of eyes on your Windows fleet’s exposure to CVE-2026-45657? HI Tech Hui provides managed IT and cybersecurity services — including vulnerability triage, patch deployment, and 24/7 monitoring through our SOC. Contact us for a June 2026 patch readiness review.

Ready when you are

Let’s scope your IT & security plan.

Talk with a Honolulu-based engineer about managed IT, cybersecurity, or a 24/7 SOC handoff. We’ll review your current environment, identify the highest-impact gaps, and outline a clear next step — with no obligation.

Schedule an assessment Call (808) 206-8549