CVE Tools
Back to blog

CVE-2026-45657: Windows Kernel TCP/IP use-after-free — wormable CVSS 9.8, no exploit yet

A use-after-free in the kernel IP stack that can self-propagate — patched June 2026 Patch Tuesday; the exploit-development race is underway

CVE-2026-45657 is the marquee bug of the June 2026 Patch Tuesday — a record 208-CVE release — and the reason it stands out is deceptively simple: the vulnerable surface is the Windows Kernel TCP/IP stack itself. An unauthenticated attacker who can send packets to a target host can trigger a use-after-free (CWE-416) and heap overflow (CWE-122) in the kernel IP path and land at SYSTEM-level code execution — no credentials, no user interaction. The Zero Day Initiative called it plainly: "this CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction. Yup — this is wormable." There is no single port to firewall; any host reachable over IPv4 or IPv6 on a listening interface is potentially in scope.

What CVE-2026-45657 actually is

NVD assigns two weaknesses: CWE-416 (Use-After-Free) as primary and CWE-122 (Heap-Based Buffer Overflow) as secondary. The most coherent reading — inference, because Microsoft has not published a code-level root cause under coordinated disclosure — is a stale-pointer bug in kernel pool memory: an object is freed while a reference to it survives, and subsequent reallocation of that pool chunk lets attacker-influenced data land where a live kernel structure is expected, manifesting as an out-of-bounds heap write. ZDI attributes the flaw to how the Windows kernel processes TCP/IP communications (attributed to tcpip.sys) and explicitly distinguishes it from EternalBlue, which was an SMB bug. Because the vulnerable code is in the kernel IP stack rather than any user-mode service, the reachable surface is any listening interface on IPv4 or IPv6 — not a discrete application port.

The CVSS 9.8 is structural: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Every high-impact lever is pulled — network-reachable, low complexity, no privileges, no user interaction, full confidentiality/integrity/availability loss at SYSTEM. Scope is Unchanged (S:U) because the vulnerable component (the kernel IP stack) and the impacted component share one security authority — had NVD scored S:C, the identical metrics would yield CVSS 10.0. The 9.8 already reflects the most severe realistic reading short of a cross-authority sandbox escape.

Affected Windows versions and the patch

Preconditions to exploit are minimal, which is what drives the 9.8: network reachability to the target's IP stack, and an unpatched affected build. No credentials, no user interaction, no specific enabled feature are required (CVSS PR:N/UI:N). If the OS is affected and reachable, it is exposed. The one scoping lever is who can reach the host at the IP layer. An important open question: whether the vulnerable path is a pre-connection/stateless packet path (reachable before any TCP handshake, as with prior tcpip.sys bugs like CVE-2024-38063) or requires an established session — no source resolves this, so assume the more exposed stateless case when scoping.

DimensionDetail
CVECVE-2026-45657
ComponentWindows Kernel TCP/IP stack (attributed to tcpip.sys)
CWECWE-416 (Use-After-Free, primary) + CWE-122 (Heap-Based Buffer Overflow, secondary)
CVSS 3.19.8 CRITICAL · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS~0.155 (96th percentile per cve.tools, as of 2026-07-01)
KEV statusNot listed (verified 2026-06-29, catalog version 2026.06.29, 1630 entries)
Exploited in the wildNo confirmed exploitation (CISA ADP status: none; June ITW bug was CVE-2026-41091, not this)
Public PoCNone — 0 GitHub repositories, PoC-in-GitHub API empty, no Metasploit/Nuclei/ExploitDB entry
Microsoft exploitability"Exploitation Less Likely" (encodes exploitation difficulty, not low impact)
Disclosure2026-06-09 — June 2026 Patch Tuesday (not publicly disclosed before patch)
FixPatch-only — no vendor workaround. Per-SKU June 2026 cumulative update.
Affected SKUsWindows 11 23H2, 24H2, 25H2, 26H1 (x64 + ARM64) · Windows Server 2022 and 2025 (incl. Server Core)
ATT&CKT1210 (Exploitation of Remote Services) — preferred over cve.tools' automated T1190; T1068 largely redundant (no separate EoP step)
Enterprise exposure checkNessus plugins 320182, 320184, 320186, 320188, 320193 · SCCM / Intune June quality-update report

Fixed-build / KB matrix (verify against MSRC per SKU)

Windows SKUJune 2026 KBFixed build.UBR
Windows 11 23H2KB509399822631.7219
Windows 11 24H2KB509412626100.8655
Windows 11 25H2KB509412626200.8655
Windows 11 26H1KB509505128000.2269
Windows Server 2022 (+ Server Core)KB509412820348.5256
Windows Server 2025KB5094125UBR not confirmed — verify against MSRC / KB5094125

The exploitation chain

From network packet to kernel SYSTEM — and the potential for worm-style propagation across unpatched hosts. The chain below reflects ZDI's TCP/IP attribution, the CWE pair, and the CVSS vector. Stages 2–3 (the specific tcpip.sys code path and the precise UAF-to-overflow mechanism) are analytical inference from available sources, not vendor-confirmed. Prevention and detection chokepoints are shown as side nodes.

CVE-2026-45657 attack chain — kernel TCP/IP UAF to SYSTEM RCE and worm propagation

  1. CVE-2026-45657 — kernel TCP/IP UAF, CVSS 9.8 — Unauthenticated wormable RCE in the Windows Kernel TCP/IP stack. CVSS 9.8, no auth, no user interaction. Patched 2026-06-09 — no public PoC as of 2026-07-01.
  2. Stage 1: Network reachability to target IP stack — Precondition. Attacker can send packets to the target's kernel IP stack over IPv4/IPv6 on any listening interface. No specific port required — any reachable interface is potentially in scope. Chokepoint (prevent): segmentation / host firewall / perimeter ACLs reduce who can reach the stack — the only pre-patch exposure lever. No vendor workaround exists.
  3. Stage 2: Crafted TCP/IP traffic triggers use-after-free — Trigger. Specially crafted network traffic drives the vulnerable kernel TCP/IP code path (attributed to tcpip.sys, CWE-416) into freeing an object while a stale reference survives. Chokepoint (detect): failed attempts corrupt pool memory and crash the box. Watch WER EID 1001 stop codes 0x139/0x19/0xC2 + Kernel-Power EID 41, clustered across hosts — the worm/scan tell.
  4. Stage 3: Pool reclaim → heap overflow → control — Corruption to control (inference). Attacker-influenced reallocation of the freed pool chunk yields an out-of-bounds heap write (CWE-122) and, with KASLR defeat + remote pool grooming, control-flow hijack. This is the hard engineering step — weeks to months for skilled teams — why Microsoft rated exploitation 'Less Likely.'
  5. Stage 4: Code execution at SYSTEM (in kernel) — Impact. Arbitrary code execution in the kernel at SYSTEM level. No separate privilege-escalation primitive needed — direct kernel RCE. Full C/I/A loss on the host.
  6. Stage 5: Worm-style propagation (potential) — Spread potential. Unauth + network + no-UI makes self-propagation feasible if a reliable exploit emerges — EternalBlue-class profile (IP stack, not SMB). No working exploit exists today. Chokepoint (detect): lateral-spray flow anomaly — a host suddenly fanning out to many internal peers across subnets in a short window.
  7. Prevent: patch to fixed build.UBR — The durable break in the chain. Patch-only — no vendor workaround. Apply the per-SKU June 2026 KB and verify build.UBR estate-wide. One KB per host clears the whole June network-RCE cluster.
  8. Detect: crash clusters + lateral spray — Bugcheck-cluster detection (WER EID 1001 + Kernel-Power 41, faulting module tcpip.sys, burst across hosts) + behavioral flow anomaly logic. Catches the exploit-race turning real. Talos Snort June 2026 rules — verify whether any SID specifically covers this CVE.

Exploit status and weaponization difficulty

As of 2026-07-01, there is no public exploit or PoC anywhere checked: GitHub returned 0 repositories for CVE-2026-45657; the PoC-in-GitHub aggregator returned an empty response; there is no ExploitDB, Metasploit, PacketStorm, Rapid7, or Nuclei entry (a Nuclei template is architecturally unlikely — this is a remote kernel memory-corruption bug, not a web-detectable flaw). CVE-2026-45657 is not in the CISA KEV catalog (verified against the 2026-06-29 catalog, 1630 entries, cisaExploitAdd=null on NVD). The one June bug confirmed under active attack was CVE-2026-41091 (Microsoft Defender EoP) — not this one. EPSS ~0.155 (96th percentile per cve.tools) — elevated relative to population base rate but far from a proven-exploit score. CISA ADP in NVD records exploitation status "none", automatable "yes", technical impact "total."

CVE-2026-45657 alongside the June 2026 network-RCE cluster

The June 2026 release was the largest Patch Tuesday on record (~206–208 Microsoft CVEs, ~37–38 Critical). CVE-2026-45657 shipped alongside a cluster of critical unauthenticated network RCEs that share the same "reachable Windows host" exposure profile. A single June cumulative update per host clears the whole cluster — batch them in one emergency cycle, don't run five separate maintenance windows.

CVEComponentCVSSExploitabilityKEV / ITW statusPatch-cycle priority
CVE-2026-41091Microsoft Defender EoPConfirmed exploited in the wildConfirmed ITW; ransomware-campaign use flagged#1 everywhere — confirmed active attack
CVE-2026-45657Windows Kernel TCP/IP (tcpip.sys)9.8"Exploitation Less Likely"Not in KEV; no public PoCEmergency — wormable kernel RCE; internet-facing + flat-internal first
CVE-2026-47291HTTP.sys9.8"Exploitation More Likely"Not in KEVEmergency — web-facing hosts; rated more likely than 45657
CVE-2026-44815DHCP Client9.8Not in KEVEmergency — batch with 45657 in same update cycle
CVE-2026-42904TCP/IP9.6Not in KEVEmergency — batch with 45657
CVE-2026-45602DHCP Server9.1Not in KEVUrgent — include in the same cycle

How to check if you're exposed

Because there is no feature toggle, exposure reduces to two questions: is the build patched, and is the host reachable from untrusted networks? The authoritative patch check is the OS build + UBR (update revision)Get-HotFix frequently does not list cumulative updates on modern Windows; trust build.UBR, not the hotfix list.

# Read exact build.UBR (per host)
$v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'{0}.{1}.{2}' -f $v.CurrentMajorVersionNumber, $v.CurrentBuildNumber, $v.UBR

# Example: check Windows 11 24H2 (build 26100) against fixed UBR 8655
$u = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ([int]$u.CurrentBuildNumber -eq 26100 -and [int]$u.UBR -ge 8655) {
    'PATCHED'
} else {
    'VULNERABLE / verify SKU-specific fixed build'
}
  • Enterprise scale: Tenable/Nessus plugins 320182, 320184, 320186, 320188, 320193 (five per-SKU plugins — verify each maps to the June 2026 check for your specific SKU before relying on it)
  • SCCM / Intune: filter by June 2026 Windows quality-update deployment state for fleet compliance
  • Reachability scoping: there is no single port to block — scope by who can reach the host at the IP layer (internet-facing, DMZ, flat-internal, isolated)

Detection posture — no public signature exists

No public byte-level signature or IoC set exists for this CVE's trigger — the vulnerable code path is undisclosed. Detection is defense-in-depth and anomaly-based:

  • Bugcheck clusters (highest-value signal): failed exploitation corrupts kernel pool memory and crashes the box — a detection opportunity. Watch Event ID 1001 from provider Microsoft-Windows-WER-SystemErrorReporting (carries the stop code — not Kernel-Power 1001, a different event), corroborated by Kernel-Power Event ID 41 (dirty reboot). High-fidelity pool-specific codes: 0x139 (KERNEL_SECURITY_CHECK_FAILURE), 0x19 (BAD_POOL_HEADER), 0xC2 (BAD_POOL_CALLER). Noisier supporting codes (0x1A, 0x50) — only alert when the faulting module is confirmed as tcpip.sys. A burst across ≥3 hosts in a 30-minute window is the worm/scan tell.
  • WFP / network telemetry: Windows Filtering Platform Security Event IDs 5156/5152/5157 for anomalous inbound; ETW provider Microsoft-Windows-TCPIP for abnormal connection/teardown rates. NetFlow / Zeek conn.log for malformed-packet or TCP-reset bursts.
  • Lateral-spray heuristic: a previously-idle host suddenly fanning out to many internal peers across different subnets in a short window — the propagation signature of a self-spreading exploit.
  • Vendor coverage: Cisco Talos shipped Snort rules for the June 2026 cycle. Verify whether any SID specifically targets CVE-2026-45657 rather than assuming monthly-bundle coverage — a kernel TCP/IP UAF may have no network content signature.
  • EDR hunting: unexpected SYSTEM-context process/thread creation, new service/driver installs (Security Event ID 7045, Sysmon EID 6 driver-load), or kernel-callback tampering shortly after inbound network activity on an unpatched host.

Remediation

This is patch-only. Microsoft published no workaround (has_workaround=false). Do not deploy an untested registry or firewall tweak as a substitute. Reachability reduction (segmentation, host firewall, ACLs) reduces but does not remove exposure — it is a bridge to patching, not a fix. Kernel updates require a reboot: plan maintenance windows now rather than waiting for a PoC to force an emergency reboot cycle.

  1. Apply the June 2026 cumulative update for the host's SKU (KB matrix above). A single update per host patches CVE-2026-45657 and the full sibling network-RCE cluster (HTTP.sys CVE-2026-47291, DHCP CVE-2026-44815/45602, TCP/IP CVE-2026-42904, Defender CVE-2026-41091) — one maintenance window, one reboot per host.
  2. Prioritize by reachability: internet-facing and DMZ hosts first (worm ignition points), then flat/unsegmented internal networks (where a worm would pivot east-west), then domain controllers and Server 2022/2025, then general endpoints.
  3. If you cannot patch immediately: reduce reachability via host firewall / network ACLs / segmentation to limit who can reach the IP stack. This is a bridge, not a fix.
  4. **Cannot patch and cannot reduce reachability (legacy, appliance-embedded, vendor-locked, change-freeze)? Formally risk-accept** with a named owner, documented compensating controls (monitoring above), and a hard review date. Auto-escalate the moment a public PoC or CISA KEV listing appears.
  5. Verify fixed build.UBR estate-wide (Nessus plugins / SCCM / Intune). Keep crash-cluster and lateral-spray monitoring live — these are the early-warning system for the exploit-race turning real.
  6. If monitoring fires: isolate and triage under your standard IR playbook. A crash-cluster across unpatched hosts is not a false positive to dismiss.

FAQ

Is CVE-2026-45657 being actively exploited?
No confirmed exploitation as of 2026-07-01. It is not in the CISA KEV catalog, there is no public PoC, and the June bug confirmed under active attack was CVE-2026-41091 (Defender EoP), not this one. CISA ADP records exploitation status "none." Urgency comes from the intrinsic risk profile — unauthenticated, wormable, kernel-level — and the active patch-reversal race, not current attacks. Check your exposure now.
Which Windows versions are affected?
Windows 11 23H2, 24H2, 25H2, and 26H1 (both x64 and ARM64), and Windows Server 2022 and Windows Server 2025 including Server Core installations. Confirm the patch level via build.UBR — see the KB matrix in this article.
Is there a workaround if I can't patch right now?
No official workaround. Microsoft published none. The only interim measure is reachability reduction — host firewall, network ACLs, segmentation — to limit who can send packets to the host's IP stack. This reduces but does not remove exposure. Do not invent an untested registry tweak as a substitute for the update.
What does 'wormable' mean here, and should I treat this like EternalBlue?
Wormable means the bug requires no authentication and no user interaction, so a working exploit could self-replicate host-to-host without human involvement — similar in profile to EternalBlue (CVE-2017-0144). The key difference: EternalBlue exploited the SMB service (a discrete port you could block); CVE-2026-45657 is in the kernel IP stack itself, so there is no single port to firewall. However, reliable remote kernel exploitation is significantly harder than EternalBlue's SMB primitives — the race is still on, but today there is no working exploit.
How do I know if my host is actually patched?
Check build.UBR via Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' and compare against the fixed revision in the KB matrix above. Do not rely on Get-HotFix alone — it frequently does not list cumulative updates on modern Windows. At enterprise scale, use Tenable Nessus plugins 320182/320184/320186/320188/320193.

Sources