Microsoft’s June 2026 Patch Tuesday addresses five critical vulnerabilities in core Windows networking and kernel components. CVE-2026-45657 (CVSS 9.8) is a use-after-free in the Windows Kernel enabling remote code execution. The remaining four affect Windows TCP/IP, DHCP Client, HTTP.sys, and DHCP Server — the fundamental networking stack of every Windows system.
What Are the Vulnerabilities?
CVE-2026-45657 — Windows Kernel Use-After-Free (CVSS 9.8, CWE-122): A use-after-free vulnerability in the Windows Kernel allows an unauthorised attacker to execute code over a network. Kernel-level RCE gives an attacker the highest privileges on the system — full control of the operating system. This was one of three zero-days in the June Patch Tuesday release.
CVE-2026-47291 — Windows HTTP.sys Integer Overflow (CVSS 9.8, CWE-122): An integer overflow in the HTTP.sys kernel-mode driver — the HTTP protocol stack that powers IIS, Windows Remote Management, and numerous Windows services. Network-exploitable RCE that can be triggered by crafted HTTP requests.
CVE-2026-44815 — Windows DHCP Client Stack Buffer Overflow (CVSS 9.8, CWE-121): A stack-based buffer overflow in the Windows DHCP Client. An attacker on the same network can send a malicious DHCP response that triggers code execution on the client system. DHCP is enabled by default on virtually every Windows system for automatic IP address configuration.
CVE-2026-42904 — Windows TCP/IP Heap Buffer Overflow (CVSS 9.6, CWE-122): A heap-based buffer overflow in the Windows TCP/IP stack. An adjacent network attacker can elevate privileges by sending crafted packets — this is the core TCP/IP implementation used by every network-connected Windows system.
CVE-2026-45602 — Windows DHCP Server Tampering (CVSS 9.1): A vulnerability in Windows DHCP Server allowing unauthorised tampering over a network. DHCP servers manage IP address allocation for entire networks — tampering can redirect traffic, cause denial of service, or enable man-in-the-middle attacks.
Which Versions Are Affected?
- Windows 10, Windows 11, Windows Server 2016/2019/2022/2025 — all versions prior to the June 2026 Patch Tuesday update
What Is the Fix?
Apply the June 2026 Patch Tuesday cumulative update via Windows Update, WSUS, or Microsoft Update Catalog. All five vulnerabilities are addressed in the June updates.
Recommendations
Deploy Patch Tuesday updates through standard patch management. Prioritise internet-facing servers (HTTP.sys, TCP/IP) and DHCP servers (CVE-2026-45602). The Kernel RCE (CVE-2026-45657) should be prioritised on all systems.
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
