On June 9, 2026, Microsoft shipped the largest Patch Tuesday in the history of its update program. With roughly 208 CVEs fixed according to the Zero Day Initiative's count, it breaks every record since the monthly cycle launched in 2003. Beyond the raw number, it's the nature of some of these flaws that demands attention: a wormable kernel RCE, three publicly disclosed zero-days, and a Defender vulnerability that's already being exploited.
A volume like this creates a very concrete operational problem: you don't deploy 208 patches blindly. The question isn't "should we patch" but "where do we start." Here's how to triage.
The number: 208 CVEs, 33 critical
Across the whole batch, roughly 33 vulnerabilities are rated critical, 28 of which are remote code execution (RCE). The rest break down into privilege escalations, security feature bypasses, information disclosures, and denials of service. What's surprising isn't so much the proportion of critical flaws — that stays within normal bounds — but the absolute volume, which overwhelms IT teams' testing and deployment capacity.
The top priority: CVE-2026-45657, a wormable kernel RCE
If there's only one identifier you remember, make it this one. CVE-2026-45657, rated CVSS 9.8, is an RCE in the Windows kernel caused by a use-after-free in the TCP/IP stack. Its characteristics make it the worst-case scenario:
- No authentication required: the attacker needs no credentials.
- No user interaction: no click, no file to open.
- Remotely triggerable over the network: a specially crafted network packet is enough.
This combination is the very definition of a wormable flaw: malicious code could hop from machine to machine with no human intervention, much like what we saw with EternalBlue and WannaCry. On a flat network with no segmentation, a single exposed, unpatched machine can serve as a beachhead to spread an infection across the entire estate.
Microsoft also fixed CVE-2026-44815 (CVSS 9.8), an RCE in the DHCP client that shares the same no-authentication, no-interaction profile. Both flaws belong at the front of your deployment queue.
Three publicly disclosed zero-days
Three vulnerabilities were publicly known before the patch shipped, which narrows the head start defenders have over attackers. The names below are informal labels given by the community:
- CVE-2026-45586 ("GreenPlasma"): a privilege escalation that moves from the CTFMON process to the SYSTEM account.
- CVE-2026-45585 ("YellowKey"): a BitLocker security feature bypass requiring physical access to the machine.
- CVE-2026-49160 ("HTTP/2 Bomb"): a denial of service targeting HTTP.sys via the HTTP/2 protocol.
One important nuance: sources disagree on the exact status of these flaws (publicly disclosed vs. actively exploited). Absent unambiguous confirmation of exploitation, we treat them as disclosed zero-days — already reason enough to prioritize them, without overstating the threat.
The one already exploited: CVE-2026-41091
Alongside the monthly batch, Microsoft confirms active exploitation of CVE-2026-41091, a privilege escalation in Microsoft Defender that had been addressed by an out-of-band patch on May 19. If you haven't applied that out-of-band fix, it's urgent: exploitation is confirmed. The June cumulative updates also bundle this protection (KB5094126 for Windows 11, KB5094127 for Windows 10).
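The check a practitioner wants at this point is whether a given host actually carries the June cumulative update that bundles the CVE-2026-41091 fix. The following PowerShell is an added example, not code from the article: the KB numbers (KB5094126 for Windows 11, KB5094127 for Windows 10) are the ones the article lists; that the cumulative update is visible to Get-HotFix once installed is this script's assumption, and server SKUs are deliberately left out because the article names no KB for them.

```powershell
# Added example: report whether the June 2026 cumulative update (which bundles the
# CVE-2026-41091 Defender fix) is present on a host. KB numbers come from the article;
# visibility of the update through Get-HotFix (Win32_QuickFixEngineering) is assumed.

function Test-JuneCumulativeInstalled {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # OS family -> KB the article lists for it (no server KB is given, so none is assumed).
    $expectedKb = @{
        'Windows 11' = 'KB5094126'
        'Windows 10' = 'KB5094127'
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $family = $expectedKb.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1

    if (-not $family) {
        return [pscustomobject]@{
            ComputerName = $ComputerName
            OS           = $os.Caption
            Build        = $os.BuildNumber
            ExpectedKB   = $null
            Installed    = $false
            InstalledOn  = $null
            Note         = 'OS family not covered by this check; server SKUs need their own KB list'
        }
    }

    $kb = $expectedKb[$family]
    $hotfix = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
              Where-Object { $_.HotFixID -eq $kb }

    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os.Caption
        Build        = $os.BuildNumber
        ExpectedKB   = $kb
        Installed    = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Note         = if ($hotfix) { 'June cumulative present' }
                       else { 'MISSING: apply the June CU or the 19 May out-of-band Defender fix' }
    }
}

# Usage: sweep a host list (hosts.txt is a placeholder name, one hostname per line)
# and keep only the machines still missing the update.
# Get-Content .\hosts.txt | ForEach-Object { Test-JuneCumulativeInstalled -ComputerName $_ } |
#     Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

Remote queries rely on WinRM/CIM and the remote registry being reachable with an account that can read Win32_QuickFixEngineering; a host that returns no rows at all should be treated as unknown rather than patched.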
How to prioritize 208 patches without panicking
A record volume doesn't require a record deployment in a rush. A risk-based, wave-by-wave approach is still the right method:
- Wave 1 — immediate. The RCEs with no authentication and no interaction, reachable over the network: CVE-2026-45657 (TCP/IP kernel) and CVE-2026-44815 (DHCP). These are the candidates for automated propagation.
- Wave 2 — within 72 hours. The already-exploited flaw (CVE-2026-41091) and the disclosed zero-days (GreenPlasma, YellowKey, HTTP/2 Bomb) on exposed or sensitive assets.
- Wave 3 — normal cycle. The rest of the critical and important fixes, after regression testing on a representative sample.
For wormable network RCEs, if deployment can't be immediate across the whole estate, network segmentation and filtering of the affected ports (exposed TCP/IP services, DHCP) make for an interim mitigation. This is exactly the kind of defense in depth I detail in my article on Zero Trust architecture: limiting lateral spread when an endpoint falls.
Sidebar: patch your browsers too — the year's 5th Chrome zero-day
On roughly the same day, Google shipped a security update for Chrome fixing CVE-2026-11645 (CVSS 8.8), an out-of-bounds read/write memory access in the V8 JavaScript engine that allows code execution within the sandbox via a booby-trapped web page. Google confirms an exploit exists in the wild, and CISA has added it to its KEV catalog.
Fixed versions: 149.0.7827.102/.103 on Windows and macOS, .102 on Linux. This is the 5th exploited Chrome zero-day since the start of 2026. One operational reflex too often forgotten: don't just check the installed version, also check the running Chrome processes — a browser left open for days can still be running a vulnerable binary despite a downloaded update. Don't forget derivative applications either (Electron, CEF, VDI environments) that bundle their own Chromium engine.
FAQ
What is a "wormable" flaw, and why is CVE-2026-45657 one?
A wormable flaw can be exploited to automatically spread malicious code from one machine to another, with no human action whatsoever. CVE-2026-45657 meets all three required conditions: remote code execution, no authentication, and no user interaction, triggerable by a single network packet. A worm could therefore replicate machine to machine across an unsegmented network, just as WannaCry did in 2017 via EternalBlue.
Are the three June 2026 zero-days being actively exploited?
They were publicly disclosed before the patch shipped, but sources disagree on whether they're actually under active exploitation. As a precaution, we treat them as disclosed zero-days: their public knowledge erodes defenders' head start and justifies high prioritization, without asserting confirmed exploitation. The only flaw with confirmed exploitation this month is CVE-2026-41091 (Microsoft Defender).
Where should I start with 208 patches to deploy?
With the network RCEs that need no authentication or interaction: CVE-2026-45657 (TCP/IP kernel) and CVE-2026-44815 (DHCP), since they're candidates for automated propagation. Then the already-exploited flaw (CVE-2026-41091) and the three disclosed zero-days on your sensitive assets. The rest follows the normal cycle after regression testing. While the full deployment is pending, segment the network and filter the affected ports.
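The three-wave rule described in the prioritization section above and summarized in this answer can be expressed as a small decision function so that it can be applied to the whole batch instead of to the handful of CVEs discussed by name. The following PowerShell is an added example, not the article's or Microsoft's code: the record properties (Id, Component, Type, AuthRequired, UserInteraction, NetworkVector, ExploitedInWild, PublicDisclosed) are this script's own convention rather than an MSRC schema, the sample records are constructed from the article's own CVEs, and the one placeholder identifier is marked as such. Scoping wave 2 to exposed or sensitive assets, as the article does, is left to the asset inventory and not encoded here.

```powershell
# Added example: risk-based wave assignment encoding the article's three waves.
# Property names are this script's convention; sample data is constructed from the article.

function Get-PatchWave {
    param([Parameter(Mandatory, ValueFromPipeline)] $Cve)
    process {
        # Wave 1: unauthenticated, zero-interaction RCE reachable over the network,
        # i.e. the profile of a self-propagating worm.
        $wormable = $Cve.Type -eq 'RCE' -and -not $Cve.AuthRequired -and
                    -not $Cve.UserInteraction -and $Cve.NetworkVector

        # Wave 2: confirmed exploitation or public disclosure before the patch.
        # Wave 3: everything else, after regression testing.
        $wave = if ($wormable) { 1 }
                elseif ($Cve.ExploitedInWild -or $Cve.PublicDisclosed) { 2 }
                else { 3 }

        $deadline = switch ($wave) { 1 { 'immediate' } 2 { 'within 72 hours' } 3 { 'normal cycle' } }

        [pscustomobject]@{
            Wave      = $wave
            Deadline  = $deadline
            Id        = $Cve.Id
            Component = $Cve.Component
            Type      = $Cve.Type
        }
    }
}

# Constructed sample records built from the CVEs the article discusses (not an MSRC export).
$june2026 = @(
    [pscustomobject]@{ Id='CVE-2026-45657'; Component='Windows kernel TCP/IP'; Type='RCE'; AuthRequired=$false; UserInteraction=$false; NetworkVector=$true;  ExploitedInWild=$false; PublicDisclosed=$false }
    [pscustomobject]@{ Id='CVE-2026-44815'; Component='DHCP client';           Type='RCE'; AuthRequired=$false; UserInteraction=$false; NetworkVector=$true;  ExploitedInWild=$false; PublicDisclosed=$false }
    [pscustomobject]@{ Id='CVE-2026-41091'; Component='Microsoft Defender';    Type='EoP'; AuthRequired=$true;  UserInteraction=$false; NetworkVector=$false; ExploitedInWild=$true;  PublicDisclosed=$false }
    [pscustomobject]@{ Id='CVE-2026-45586'; Component='CTFMON';                Type='EoP'; AuthRequired=$true;  UserInteraction=$false; NetworkVector=$false; ExploitedInWild=$false; PublicDisclosed=$true }
    [pscustomobject]@{ Id='CVE-2026-45585'; Component='BitLocker';             Type='SFB'; AuthRequired=$false; UserInteraction=$false; NetworkVector=$false; ExploitedInWild=$false; PublicDisclosed=$true }
    [pscustomobject]@{ Id='CVE-2026-49160'; Component='HTTP.sys (HTTP/2)';     Type='DoS'; AuthRequired=$false; UserInteraction=$false; NetworkVector=$true;  ExploitedInWild=$false; PublicDisclosed=$true }
    # Placeholder record standing in for a typical critical RCE that needs a user to open a file.
    [pscustomobject]@{ Id='CVE-2026-NNNNN (placeholder)'; Component='Office (placeholder)'; Type='RCE'; AuthRequired=$false; UserInteraction=$true; NetworkVector=$false; ExploitedInWild=$false; PublicDisclosed=$false }
)

# Usage: the two network RCEs land in wave 1, the exploited and disclosed flaws in wave 2,
# the placeholder in wave 3.
$june2026 | Get-PatchWave | Sort-Object Wave, Id | Format-Table -AutoSize
```

To run this over the real batch, build the records from an MSRC export (or your vulnerability scanner's output) with the same property names; the function itself does not care where the records come from.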
I updated Chrome — am I protected against CVE-2026-11645?
Only if the browser actually restarted onto the fixed version (149.0.7827.102 or higher). A downloaded but unapplied update leaves the old, vulnerable binary running until Chrome has been relaunched. So check the running processes, not just the installed version, and don't forget Chromium-based applications (Electron, CEF) or VDI environments.
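The check this answer and the Chrome sidebar above both describe, listing which Chrome processes are still running a pre-fix binary, can be scripted. The following PowerShell is an added example, not code from the article or from Google: the fixed version 149.0.7827.102 comes from the article; reading the version of the loaded chrome.dll through Get-Process module information is this script's approach, and reading modules of another user's or an elevated process may require an elevated shell, which the script reports as unknown rather than as patched.

```powershell
# Added example: flag Chrome processes whose in-memory engine is older than the fixed
# build. Fixed version is the article's; module-based version reading is this script's
# assumption and may need an elevated shell for processes owned by other users.

function Get-StaleChromeProcess {
    param([version]$FixedVersion = [version]'149.0.7827.102')

    Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
        $proc    = $_
        $running = $null
        $note    = ''
        try {
            # chrome.dll carries the engine version actually executing; the installed
            # folder may already hold a newer build after a background update.
            $engine = $proc.Modules | Where-Object { $_.ModuleName -eq 'chrome.dll' } | Select-Object -First 1
            if (-not $engine) { $engine = $proc.MainModule }
            $running = [version]$engine.FileVersionInfo.ProductVersion
        } catch {
            $note = "cannot read module info ($($_.Exception.Message)); rerun elevated"
        }

        [pscustomobject]@{
            PID        = $proc.Id
            Path       = $proc.Path
            RunningVer = $running
            # $null means the version could not be determined, which is not the same as patched.
            Stale      = if ($running) { $running -lt $FixedVersion } else { $null }
            Note       = $note
        }
    }
}

# Usage: show processes that are stale or whose version could not be read; an empty
# result with Chrome running means every process is on the fixed build or newer.
Get-StaleChromeProcess | Where-Object { $_.Stale -ne $false } | Format-Table -AutoSize
```

Electron and CEF applications embed their own Chromium and do not show up under the chrome process name; they need a separate inventory of the bundled engine version, which this example does not attempt.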
Conclusion
June 2026's Patch Tuesday sets a volume record, but the real story isn't the count: it's the presence of a wormable kernel RCE that brings back the specter of self-propagating network worms. Facing 208 patches, discipline pays off more than blind speed: isolate the self-propagating flaws first, deal with what's already exploited, then roll out the rest methodically. And don't forget the browser — with a 5th exploited Chrome zero-day this year, the workstation-side attack surface remains every bit as active as the server side.