VULNERABILITY OVERVIEW
CVE-2026-45657 is a use-after-free vulnerability in the Windows Kernel that allows fully unauthenticated remote attackers to execute code at SYSTEM level by sending specially crafted network traffic; no user interaction is required. Zero Day Initiative characterized it as potentially wormable, noting researchers industry-wide were immediately reversing the patch. Microsoft rated it 'Exploitation Less Likely' but ZDI assessed significant real-world risk given the kernel-level SYSTEM impact and no authentication barrier.
CVSS BREAKDOWN
↗
Attack Vector
NETWORK
△
Attack Complexity
LOW
⚷
Privs Required
NONE
◈
User Interaction
NONE
⊕
Scope / Impact
UNCHANGED
C:H · I:H · A:H
AFFECTED VERSIONS
All supported Windows versions prior to June 2026 Patch Tuesday cumulative updateCITATIONS
- → Microsoft MSRC – June 2026 Patch Tuesday
- → Zero Day Initiative – June 2026 Security Update Review: https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review
- → The Hacker News – Microsoft Patches Record 206 Flaws: https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html
- → SOCRadar – June 2026 Patch Tuesday Analysis: https://socradar.io/blog/june-2026-patch-tuesday-zero-day/