Microsoft's June 2026 Patch Tuesday release tackles one of the most dangerous kernel flaws in recent memory. Tagged as CVE-2026-45657, the vulnerability is a critical remote code execution (RCE) bug buried deep within the Windows kernel. An attacker who successfully exploits it can hijack an unpatched device, gaining the highest level of system control. The update, which dropped on June 9, 2026, patches every supported edition of Windows 11 and Windows Server.
Security teams are calling this the standout fix in a month that also patches more than 70 other CVEs. Microsoft labels the flaw Critical—the highest severity rating—and warns that exploitation is achievable over a network with no user interaction. "We recommend customers apply the update as soon as possible," the advisory states.
What is CVE-2026-45657?
CVE-2026-45657 is a remote code execution vulnerability in the Windows kernel. The kernel is the core of the operating system. It manages everything from memory and processes to hardware communication. A flaw at this level means an attacker can run arbitrary code with kernel privileges. That is as powerful as it gets.
The vulnerability arises from an improper handling of specially crafted requests that reach the kernel. Microsoft conducted an internal security review, uncovering a logic error in how the kernel validates certain input structures. This leads to a use-after-free condition. In the worst case, a remote unauthenticated attacker could send a malformed packet to a target machine, triggering code execution in the context of the kernel. No clicking. No opening a file. Just reachable over the network.
Security researcher Dustin Childs of the Zero Day Initiative noted that kernel RCEs of this nature are rare. “Most kernel bugs require local access, but a remote kernel bug is the holy grail for attackers,” he wrote in his monthly analysis. “This elevates the urgency.”
Affected systems
Every supported release of Windows 11 and Windows Server receives a patch. Out-of-support versions like Windows 10 will not get an official fix unless a custom support agreement exists.
The following table summarizes the impact:
| Version | Impact | Severity |
|---|---|---|
| Windows 11 version 24H2 | Remote Code Execution | Critical |
| Windows 11 version 23H2 | Remote Code Execution | Critical |
| Windows Server 2025 (all editions) | Remote Code Execution | Critical |
| Windows Server 2022 (all editions) | Remote Code Execution | Critical |
| Windows Server 2019 | Remote Code Execution | Critical |
Note: The advisory also flags Server Core installations. They are equally exposed.
Technical breakdown
Although the full technical paper is not yet public, the CVSS vector string reveals a great deal: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Translating the jargon:
- Attack Vector: Network (remote)
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed (the vulnerable component is the kernel, but the impact extends beyond it)
- Confidentiality, Integrity, Availability impact: High
All that adds up to a perfect 10.0 score—the maximum possible. Compare this to the 9.8 rating commonly assigned to critical RCEs. The difference lies in the “Scope” metric. When the kernel is compromised, the attacker escapes any sandbox; boundaries that normally constrain user-mode code vanish.
Internally, the bug relates to how the kernel handles input from the Windows Filtering Platform (WFP). A callout driver that registers with WFP can inject malicious data into the kernel’s processing pipeline. By crafting a sequence of filter edits, an attacker triggers a use-after-free on a kernel object. This leads to a crash or, more dangerously, to remote code execution when the freed memory is reclaimed and overwritten with attacker-controlled data.
Exploit vector and real-world risk
Remote kernel exploitation is notoriously difficult. However, modern tooling and memory-corruption techniques have lowered the bar. A successful exploit does not require credentials. An attacker only needs to be able to send network traffic to the target—an open RPC endpoint, for example, or a service listening on a dynamic port.
In a corporate setting, the most likely scenario involves a compromised perimeter device or a lateral movement attempt. Once inside the network, an unpatched server becomes a launchpad. Attackers could install rootkits, disable security software, and exfiltrate sensitive data with impunity. Detecting a kernel-level intrusion is extremely hard; the attacker can fabricate clean audit logs.
Microsoft has not observed active exploitation in the wild as of June 9. That may change quickly. Public proof-of-concept code often appears within days of a Patch Tuesday disclosure. The window for patching is measured in hours, not weeks.
Mitigations and workarounds
Unlike some kernel bugs, there are no partial mitigations or workarounds listed in the advisory. Disabling network services is not practical on a server designed to serve. Microsoft is explicit: “The security update addresses the vulnerability by correcting how the kernel handles objects in memory.”
No registry toggle, no group policy, and no firewall rule effectively blocks exploitation without also breaking legitimate functionality. That makes patching the only reliable defense.
For organizations that need to delay rollouts, the following emergency hardening measures can reduce risk:
- Segment sensitive servers into isolated VLANs with strict access control lists.
- Block unknown inbound traffic at the perimeter firewall.
- Deploy Windows Defender Exploit Guard features like Attack Surface Reduction rules, though these are not guaranteed to catch a kernel-level exploit.
These are stopgaps. They do not replace the update.
How to apply the patch
The fix arrives in the June 2026 monthly cumulative update for each OS version. Below are the standard deployment paths.
Windows Update (consumer and small business)
- Open Settings > Windows Update.
- Click Check for updates.
- The cumulative update appears as “2026-06 Cumulative Update for Windows 11 version 24H2” or similar.
- Install and restart.
The update is mandatory; it downloads and installs automatically unless the user has paused updates. Verify that the restart completes without issues.
Windows Server Update Services (WSUS) and Microsoft Configuration Manager
Administrators should sync the “Security Updates” classification. Find the relevant update in the WSUS console and approve it for required device groups. For Configuration Manager, deploy the update through a standard software update deployment. Microsoft released the update in the "Security Updates" category only, so make sure that classification is selected.
Microsoft Update Catalog
For offline patching or manual installation, download the .msu file from Microsoft Update Catalog. Search for the KB number assigned by Microsoft. Double-click the file on the target machine, or use wusa.exe /install in command-line scripts.
Azure virtual machines and Windows 365
Most Azure VMs receive automatic updates from Azure Update Manager. Validate the compliance status in the portal. Windows 365 Cloud PCs follow the same cadence; Intune-managed devices will receive the patch according to the configured update rings.
Importance of immediate patching
The criticality of this CVE warrants an emergency change window. Many security frameworks, such as the CIS Critical Security Controls, dictate that critical remote vulnerabilities must be patched within 24 hours of patch availability. Delaying past that invites incidents.
Verification steps
After applying the update, confirm the patch is active:
- Check the OS build number: for Windows 11 24H2, it should read 26100.xxxx where xxxx is a revision higher than before the June patch.
- Look for the installed update in Settings > Windows Update > Update history.
- Use PowerShell:
Get-HotFix | Where-Object { $_.HotFixID -like "KB50*" }(replace with actual KB number). - Microsoft Defender for Endpoint vulnerability management will flag still-vulnerable devices. The security recommendation title is “Update Windows to mitigate CVE-2026-45657.”
Additional June 2026 patches
While CVE-2026-45657 steals the spotlight, the June release also fixes important flaws in other components:
- Windows TCP/IP: Another RCE (CVE-2026-45701) in the network stack, rated Important.
- Hyper-V: Two elevation-of-privilege bugs allowing guest-to-host escape.
- Microsoft Office: A Word document parsing flaw that enables macros to execute without prompting.
Prioritize the kernel RCE above all.
Community and expert reactions
In the Microsoft Security Response Center (MSRC) blog comments, early respondents expressed a mix of relief and concern. “This is why we scream about keeping servers up to date,” one IT admin wrote. “I scheduled an after-hours deployment as soon as I saw the alert.”
Researchers highlighted that this is the first remote kernel RCE in over 18 months. The previous one—CVE-2024-38106—required adjacent network access. CVE-2026-45657 is weaponizable over the public internet, making it a larger concern for internet-facing Windows Server installations.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45657 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within two weeks. Commercial organizations are urged to act even faster.
Best practices going forward
Patch Tuesday is a monthly reminder. To stay ahead of such threats:
- Implement a formalized patch management process. Assign clear owner.
- Test updates in a representative staging environment before broad rollout.
- Use attack surface reduction tools beyond the basics. Network detection and response (NDR) can spot exploit attempts.
- Enable built-in Windows security features: Memory Integrity (HVCI), Secure Boot, and Credential Guard.
- Regularly audit exposed services. A server should not have open ports it does not require.
Conclusion
CVE-2026-45657 is not a drill. It is a rare, powerful kernel-level remote code execution bug that Microsoft patched on June 9, 2026. Every supported edition of Windows 11 and Windows Server must receive the update without delay. There are no workarounds, no convenient registry tweaks. The only safe action is to deploy the patch and reboot.
For home users, this means letting Windows Update do its work. For enterprises, it means an immediate change control process to rolling out the June cumulative update. The risk is too great to leave unpatched systems online even for a few hours. Apply today, and then verify.