Executive Summary
CVE-2026-45657 is a CVSS 9.8 Critical use-after-free vulnerability in the Windows Kernel TCP/IP stack, disclosed as part of Microsoft's June 2026 Patch Tuesday on June 9, 2026. An unauthenticated remote attacker can send specially crafted network packets to a vulnerable Windows system and achieve SYSTEM-level code execution with no user interaction — a combination that makes this vulnerability wormable. Patches are available for all affected versions; every organization running unpatched Windows 11 or Windows Server 2022/2025 should treat this as an emergency remediation item.
1. What Is This Vulnerability?
CVE-2026-45657 is a use-after-free (UAF) flaw in the Windows Kernel's handling of TCP/IP network traffic. Specifically, the kernel incorrectly manages the lifecycle of a memory object within the TCP/IP processing path. After the object is freed, a reference to it remains accessible, and a remote attacker can trigger the re-use of that freed memory region with attacker-controlled data — a classic UAF exploitation path.
CWE Classifications:
- CWE-416: Use After Free
- CWE-122: Heap-based Buffer Overflow
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Breaking that down: the attack vector is the network (no local access needed), complexity is low, privileges required are none, user interaction is none, and the impact on confidentiality, integrity, and availability is high across all three dimensions.
Attack Vector
The attacker sends a series of specially crafted TCP/IP packets to a target system over the network. No authentication, no open port beyond what the OS exposes to the network by default, and no victim action is required. When the malformed packets reach the vulnerable kernel code path:
- The kernel processes the packet and allocates a memory object.
- A code path frees the object prematurely, but a dangling pointer to it remains.
- A subsequent packet causes the kernel to reference the freed memory.
- The attacker uses heap grooming techniques to place attacker-controlled data in the freed region before the reference occurs.
- Kernel-mode code executes with the attacker's payload, granting full SYSTEM privileges.
Because the entire exploit chain flows over the network via standard TCP/IP, a successful exploit can be wrapped into a self-propagating worm — one compromised system scanning for and exploiting other unpatched hosts on the same network or the internet.
Real-World Impact
As of this writing, Microsoft rates active exploitation as "Exploitation More Likely" — a step below confirmed exploitation, but security researchers and threat intelligence firms have noted that patch-reversal efforts are actively underway across multiple research teams. The window between June 9 patch release and a reliable public exploit is estimated in days, not weeks. No confirmed in-the-wild exploitation has been reported, but the wormable nature means that once exploitation tooling is available, propagation could be rapid and widespread, resembling past worm events like EternalBlue/WannaCry and BlueKeep.
2. Who Is Affected?
| Product | Affected Versions | Fixed Build | KB Article |
|---|---|---|---|
| Windows 11 26H1 | All builds prior to 10.0.28000.2269 | 10.0.28000.2269 | KB5095051 |
| Windows 11 25H2 | All builds prior to 10.0.26200.8655 | 10.0.26200.8655 | KB5094126 |
| Windows 11 24H2 | All builds prior to 10.0.26100.8655 | 10.0.26100.8655 | KB5094126 |
| Windows 11 23H2 | All builds prior to 10.0.22631.7219 | 10.0.22631.7219 | KB5093998 |
| Windows Server 2025 | All builds prior to 10.0.26100.32995 | 10.0.26100.32995 | KB5094125 |
| Windows Server 2022 | All builds prior to 10.0.20348.5256 | 10.0.20348.5256 | KB5094128 |
Windows 10 and Windows Server 2016/2019 received the June 2026 cumulative updates as well — check the Microsoft Security Response Center (MSRC) for specific KB numbers for those versions.
Highest-risk targets:
- Any Windows system directly reachable from the internet (internet-facing servers, edge systems)
- Windows Server systems running IIS, WinRM, or other network services
- Workstations on flat internal networks where lateral movement is feasible
- OT/SCAP environments running Windows in ICS network segments
3. How to Detect It (Testing)
Manual Testing Steps
-
Identify the OS version and current patch level on each target system:
winveror via PowerShell:
Get-ComputerInfo | Select-Object OsName, OsBuildNumber, OsVersion -
Compare build numbers against the fixed builds listed in the table above. If the build number is lower than the fixed build for the installed Windows version, the system is vulnerable.
-
Check installed KB articles to confirm the June 2026 Patch Tuesday update was applied:
Get-HotFix | Where-Object { $_.HotFixID -in @('KB5095051','KB5094126','KB5093998','KB5094125','KB5094128') }An empty result means the patch is not installed.
-
Check update history via Windows Update:
- Open Settings → Windows Update → Update History
- Confirm the June 2026 Cumulative Update is present and shows "Successfully installed"
Automated Scanning
Using Nessus / Tenable:
- Plugin family: Windows → Local Security Checks
- Search for "CVE-2026-45657" in the plugin library
- Run a credentialed scan; the plugin checks installed KB against the fixed-build list
- Expected output on a vulnerable host: CVSS 9.8 finding with remediation KB listed
Using Qualys:
- QID for the June 2026 Patch Tuesday Kernel RCE will be listed under Windows OS patches
- Filter active scans by QID or CVE ID "CVE-2026-45657"
Using Microsoft Defender Vulnerability Management (formerly Defender TVM):
- Navigate to: Security Center → Vulnerability Management → Weaknesses
- Search "CVE-2026-45657"
- Affected devices will be listed with exposure and remediation recommendations
Using PowerShell for fleet-wide detection:
# Run remotely across a list of targets
$targets = Get-Content "C:\targets.txt"
foreach ($target in $targets) {
$os = Invoke-Command -ComputerName $target -ScriptBlock {
Get-ComputerInfo | Select-Object OsBuildNumber
Get-HotFix | Where-Object { $_.HotFixID -like "KB509*" }
}
Write-Output "$target : Build $($os.OsBuildNumber) | KB: $($os.HotFixID)"
}
Code Review / Configuration Checklist
- Confirm Windows Update is not disabled via Group Policy (
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) - Verify WSUS / SCCM / Intune deployment jobs are not paused
- Check that deferred update rings do not delay security patches beyond 7 days for Critical CVEs
- Ensure network-level monitoring is enabled to detect unusual outbound TCP connections (indicator of post-exploitation)
4. How to Fix It (Mitigation)
Step-by-Step Remediation
Step 1: Apply the June 2026 Patch Tuesday Cumulative Update
This is the only complete fix. All five critical networking CVEs from June 2026 Patch Tuesday — including CVE-2026-45657 — are resolved in the cumulative update for each affected Windows version.
Via Windows Update (end-user/workstation):
- Settings → Windows Update → Check for Updates → Install all available updates
- Reboot when prompted
Via Windows Update for Business / Intune (enterprise):
- Ensure the June 2026 quality update ring is not paused
- Force-push deployment via Intune: Devices → Software Updates → Windows 10/11 → Create Profile
- Target all device groups and set deadline to immediate
Via WSUS:
# Approve June 2026 Cumulative Update in WSUS console
# Filter by: Classification = Security Updates, Release Date ≥ 2026-06-09
# Approve for All Computers group with deadline: immediate
Via SCCM/ConfigMgr:
- Software Library → Software Updates → All Software Updates
- Filter: CVE-2026-45657 or KB5094126/KB5095051/KB5093998/KB5094125/KB5094128
- Deploy to All Windows Systems collection, deadline: ASAP
Step 2: Prioritize Internet-Facing Systems
Deploy the patch to public-facing servers first — these are the highest-risk targets for remote exploitation. Then propagate to internal infrastructure and workstations.
Step 3: Reboot to Activate
The kernel-level patch requires a full system reboot to take effect. Schedule reboots within the maintenance window, but minimize delay given the wormable classification.
Step 4: Verify Deployment
After patching and rebooting, confirm the fixed build number is in place (see Detection section above). Do not rely solely on update deployment status — check the actual build number post-reboot.
Temporary Workarounds (If Immediate Patching Is Not Possible)
Microsoft has not provided an official workaround for CVE-2026-45657. However, as a risk reduction measure (not a replacement for patching):
- Restrict inbound TCP access via Windows Firewall or network ACLs to only trusted sources on internet-facing systems
- Enable network segmentation: place vulnerable systems behind a perimeter firewall that blocks unsolicited inbound connections
- Deploy Intrusion Detection/Prevention signatures: Cisco Talos has published Snort rules for June 2026 Patch Tuesday vulnerabilities that can flag anomalous TCP/IP traffic patterns associated with this exploit class
Configuration Hardening
# Ensure Windows Firewall is enabled and blocking unsolicited inbound traffic
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block
# Restrict RPC/WinRM exposure if not needed externally
Disable-PSRemoting -Force # if WinRM not required
# Enable Kernel Data Protection (KDP) if on supported hardware
# (helps limit the exploitability of kernel UAF vulnerabilities)
# KDP requires Windows 11 + HVCI-capable hardware - check via:
Get-CimInstance -ClassName Win32_DeviceGuard | Select-Object VirtualizationBasedSecurityStatus
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A — Patch presence confirmed: After applying the update and rebooting, run the PowerShell KB check and confirm the applicable KB article appears in
Get-HotFixoutput. - Scenario B — Build number at or above fixed threshold: Run
Get-ComputerInfo | Select-Object OsBuildNumberand confirm the build number meets or exceeds the fixed build for the installed OS version. - Scenario C — Normal network functionality preserved: Confirm that standard TCP/IP communications (web browsing, SMB file shares, RDP, WinRM if used) continue to function normally post-patch. No legitimate traffic should be disrupted by this fix.
Security Test Cases
Test Case 1: Verify the patch is installed and effective
- Precondition: Patch applied, system rebooted
- Steps: Run
Get-HotFix -Id KB5094126(or applicable KB for your OS version) - Expected Result: KB is returned with a
InstalledOndate on or after June 9, 2026
Test Case 2: Confirm build number matches fixed release
- Precondition: Patch applied, system rebooted
- Steps:
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuildNumber (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").UBR - Expected Result: Build and UBR match or exceed fixed values from the table in Section 2
Test Case 3: Vulnerability scanner shows CVE as remediated
- Precondition: Patch applied, system rebooted, credentialed scan run
- Steps: Run Nessus or Qualys credentialed scan against the patched host
- Expected Result: CVE-2026-45657 plugin returns "Not Vulnerable" or is absent from findings
Automated Compliance Test (PowerShell)
function Test-CVE202645657Patch {
param([string]$ComputerName = $env:COMPUTERNAME)
$fixedBuilds = @{
"26100" = 32995 # Server 2025 / Win11 24H2+
"22631" = 7219 # Win11 23H2
"20348" = 5256 # Server 2022
"28000" = 2269 # Win11 26H1
}
$build = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
$reg = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
[PSCustomObject]@{
BuildNumber = $reg.CurrentBuildNumber
UBR = $reg.UBR
}
}
$fixedUBR = $fixedBuilds[$build.BuildNumber]
if ($null -eq $fixedUBR) {
Write-Warning "$ComputerName : Build $($build.BuildNumber) not in known-fixed list — verify manually"
return
}
if ($build.UBR -ge $fixedUBR) {
Write-Host "[PATCHED] $ComputerName : Build $($build.BuildNumber).$($build.UBR)" -ForegroundColor Green
} else {
Write-Host "[VULNERABLE] $ComputerName : Build $($build.BuildNumber).$($build.UBR) — needs UBR $fixedUBR or higher" -ForegroundColor Red
}
}
# Run against single host
Test-CVE202645657Patch -ComputerName "SERVER01"
# Run across a list
Get-Content "C:\servers.txt" | ForEach-Object { Test-CVE202645657Patch -ComputerName $_ }
6. Prevention & Hardening
Best Practices
Keep cumulative updates current — without delay. The most important long-term defense against vulnerabilities like CVE-2026-45657 is eliminating the gap between patch release and patch deployment. For Critical CVEs, organizations should target a 72-hour patch deployment SLA for internet-facing systems and 7-day SLA for all other systems. Use Windows Update for Business, Intune, or WSUS/SCCM with automated approval rules for Security Updates.
Enable Hypervisor-Protected Code Integrity (HVCI). HVCI (also called Memory Integrity) is a Virtualization-Based Security feature that limits the ability of attackers to exploit kernel memory corruption bugs like UAF vulnerabilities. It prevents unsigned or malicious drivers and kernel code from executing. Enable via:
- Windows Security → Device Security → Core Isolation → Memory Integrity → On
- Or via Intune: Endpoint Security → Attack Surface Reduction → Device Guard
Minimize the network attack surface. Every open inbound port is a potential entry point for a wormable kernel exploit. Use Windows Firewall with default-deny inbound rules, place servers behind network-layer firewalls, and apply micro-segmentation so that even a compromised host cannot scan and reach other systems on the internal network.
Deploy Endpoint Detection & Response (EDR). An EDR solution with kernel-level telemetry (Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne) can detect post-exploitation behavior — process injection, privilege escalation, lateral movement — even if the initial kernel compromise occurs before a signature is available.
Monitoring & Detection
Network-level indicators to watch for:
- Abnormal TCP/IP connection volumes from a single source IP targeting multiple internal hosts (worm scanning pattern)
- New SYSTEM-level processes spawned without a legitimate parent process
- Unexpected outbound connections from server processes (reverse shell indicators)
Recommended detection rules (Splunk/SIEM):
# Detect SYSTEM-level child process anomalies (post-exploitation indicator)
index=windows EventCode=4688
NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe"
SubjectUserName="SYSTEM"
ParentProcessName!="*services.exe" AND ParentProcessName!="*lsass.exe"
| stats count by ComputerName, ParentProcessName, NewProcessName
| where count > 0
# Detect lateral movement from potentially compromised hosts
index=windows EventCode=4624 LogonType=3
| stats dc(TargetComputerName) as unique_targets by IpAddress
| where unique_targets > 20
Subscribe to Microsoft MSRC advisories via the Security Update Guide notification service to receive real-time alerts when exploitation status is upgraded from "More Likely" to "Detected."
References
- CVE Link: CVE-2026-45657 — NVD
- Microsoft Advisory: MSRC — CVE-2026-45657
- Patch Info: Microsoft Security Update Guide — June 2026
- Technical Analysis: Zero Day Initiative — June 2026 Security Update Review
- Patch Tuesday Analysis: CrowdStrike — June 2026 Patch Tuesday
- Threat Modeling Coverage: threat-modeling.com — June 2026 Critical CVEs
- Talos Snort Rules: Cisco Talos — June 2026 Patch Tuesday
- Brinqa Analysis: June 2026 Patch Tuesday — Exposure Management