CVE-2026-45657: Windows Kernel TCP/IP use-after-free — wormable CVSS 9.8, no exploit yet
A use-after-free in the kernel IP stack that can self-propagate — patched June 2026 Patch Tuesday; the exploit-development race is underway
CVE-2026-45657 is the marquee bug of the June 2026 Patch Tuesday — a record 208-CVE release — and the reason it stands out is deceptively simple: the vulnerable surface is the Windows Kernel TCP/IP stack itself. An unauthenticated attacker who can send packets to a target host can trigger a use-after-free (CWE-416) and heap overflow (CWE-122) in the kernel IP path and land at SYSTEM-level code execution — no credentials, no user interaction. The Zero Day Initiative called it plainly: "this CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction. Yup — this is wormable." There is no single port to firewall; any host reachable over IPv4 or IPv6 on a listening interface is potentially in scope.
What CVE-2026-45657 actually is
NVD assigns two weaknesses: CWE-416 (Use-After-Free) as primary and CWE-122 (Heap-Based Buffer Overflow) as secondary. The most coherent reading — inference, because Microsoft has not published a code-level root cause under coordinated disclosure — is a stale-pointer bug in kernel pool memory: an object is freed while a reference to it survives, and subsequent reallocation of that pool chunk lets attacker-influenced data land where a live kernel structure is expected, manifesting as an out-of-bounds heap write. ZDI attributes the flaw to how the Windows kernel processes TCP/IP communications (attributed to tcpip.sys) and explicitly distinguishes it from EternalBlue, which was an SMB bug. Because the vulnerable code is in the kernel IP stack rather than any user-mode service, the reachable surface is any listening interface on IPv4 or IPv6 — not a discrete application port.
The CVSS 9.8 is structural: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Every high-impact lever is pulled — network-reachable, low complexity, no privileges, no user interaction, full confidentiality/integrity/availability loss at SYSTEM. Scope is Unchanged (S:U) because the vulnerable component (the kernel IP stack) and the impacted component share one security authority — had NVD scored S:C, the identical metrics would yield CVSS 10.0. The 9.8 already reflects the most severe realistic reading short of a cross-authority sandbox escape.
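The arithmetic behind the 9.8 and the hypothetical 10.0, as an added example that is not part of the original advisory: a CVSS 3.1 base-score function whose metric weights default to the page's vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), so the two calls differ only in the Scope term. The function name is an assumption; the constants are the published CVSS 3.1 equation weights.

```powershell
# Added example (not from the advisory): CVSS 3.1 base-score arithmetic for the page's
# vector. Metric weights default to AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H; only Scope varies.
function Get-Cvss31BaseScore {
    param(
        [double]$AV = 0.85, [double]$AC = 0.77, [double]$PR = 0.85, [double]$UI = 0.85,
        [double]$C = 0.56,  [double]$I = 0.56,  [double]$A = 0.56,
        [ValidateSet('U', 'C')][string]$Scope = 'U'
    )
    # Roundup as defined in the CVSS 3.1 specification: round up to one decimal place,
    # using integer arithmetic to avoid floating-point artefacts.
    function RoundUp([double]$x) {
        $i = [math]::Round($x * 100000)
        if ($i % 10000 -eq 0) { return $i / 100000.0 }
        return ([math]::Floor($i / 10000) + 1) / 10.0
    }
    # ISS and Impact sub-score; the Scope:Changed branch uses the spec's non-linear form.
    $iss = 1 - (1 - $C) * (1 - $I) * (1 - $A)
    if ($Scope -eq 'U') {
        $impact = 6.42 * $iss
    } else {
        $impact = 7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    }
    $exploitability = 8.22 * $AV * $AC * $PR * $UI
    if ($impact -le 0) { return 0.0 }
    if ($Scope -eq 'U') { return RoundUp ([math]::Min(($impact + $exploitability), 10.0)) }
    # Scope:Changed scales the sum by 1.08 before capping at 10.
    return RoundUp ([math]::Min((1.08 * ($impact + $exploitability)), 10.0))
}
# PR:N weighs 0.85 under either scope, so the two results differ only by the Scope term.
'S:U -> {0}' -f (Get-Cvss31BaseScore -Scope 'U')
'S:C -> {0}' -f (Get-Cvss31BaseScore -Scope 'C')
```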
Affected Windows versions and the patch
Preconditions to exploit are minimal, which is what drives the 9.8: network reachability to the target's IP stack, and an unpatched affected build. No credentials, no user interaction, no specific enabled feature are required (CVSS PR:N/UI:N). If the OS is affected and reachable, it is exposed. The one scoping lever is who can reach the host at the IP layer. An important open question: whether the vulnerable path is a pre-connection/stateless packet path (reachable before any TCP handshake, as with prior tcpip.sys bugs like CVE-2024-38063) or requires an established session — no source resolves this, so assume the more exposed stateless case when scoping.
| Dimension | Detail |
|---|---|
| CVE | CVE-2026-45657 |
| Component | Windows Kernel TCP/IP stack (attributed to tcpip.sys) |
| CWE | CWE-416 (Use-After-Free, primary) + CWE-122 (Heap-Based Buffer Overflow, secondary) |
| CVSS 3.1 | 9.8 CRITICAL · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | ~0.155 (96th percentile per cve.tools, as of 2026-07-01) |
| KEV status | Not listed (verified 2026-06-29, catalog version 2026.06.29, 1630 entries) |
| Exploited in the wild | No confirmed exploitation (CISA ADP status: none; June ITW bug was CVE-2026-41091, not this) |
| Public PoC | None — 0 GitHub repositories, PoC-in-GitHub API empty, no Metasploit/Nuclei/ExploitDB entry |
| Microsoft exploitability | "Exploitation Less Likely" (encodes exploitation difficulty, not low impact) |
| Disclosure | 2026-06-09 — June 2026 Patch Tuesday (not publicly disclosed before patch) |
| Fix | Patch-only — no vendor workaround. Per-SKU June 2026 cumulative update. |
| Affected SKUs | Windows 11 23H2, 24H2, 25H2, 26H1 (x64 + ARM64) · Windows Server 2022 and 2025 (incl. Server Core) |
| ATT&CK | T1210 (Exploitation of Remote Services) — preferred over cve.tools' automated T1190; T1068 largely redundant (no separate EoP step) |
| Enterprise exposure check | Nessus plugins 320182, 320184, 320186, 320188, 320193 · SCCM / Intune June quality-update report |
Fixed-build / KB matrix (verify against MSRC per SKU)
| Windows SKU | June 2026 KB | Fixed build.UBR |
|---|---|---|
| Windows 11 23H2 | KB5093998 | 22631.7219 |
| Windows 11 24H2 | KB5094126 | 26100.8655 |
| Windows 11 25H2 | KB5094126 | 26200.8655 |
| Windows 11 26H1 | KB5095051 | 28000.2269 |
| Windows Server 2022 (+ Server Core) | KB5094128 | 20348.5256 |
| Windows Server 2025 | KB5094125 | UBR not confirmed — verify against MSRC / KB5094125 |
The exploitation chain
From network packet to kernel SYSTEM — and the potential for worm-style propagation across unpatched hosts. The chain below reflects ZDI's TCP/IP attribution, the CWE pair, and the CVSS vector. Stages 2–3 (the specific tcpip.sys code path and the precise UAF-to-overflow mechanism) are analytical inference from available sources, not vendor-confirmed. Prevention and detection chokepoints are shown as side nodes.
CVE-2026-45657 attack chain — kernel TCP/IP UAF to SYSTEM RCE and worm propagation
- CVE-2026-45657 — kernel TCP/IP UAF, CVSS 9.8 — Unauthenticated wormable RCE in the Windows Kernel TCP/IP stack. CVSS 9.8, no auth, no user interaction. Patched 2026-06-09 — no public PoC as of 2026-07-01.
- Stage 1: Network reachability to target IP stack — Precondition. Attacker can send packets to the target's kernel IP stack over IPv4/IPv6 on any listening interface. No specific port required — any reachable interface is potentially in scope. Chokepoint (prevent): segmentation / host firewall / perimeter ACLs reduce who can reach the stack — the only pre-patch exposure lever. No vendor workaround exists.
- Stage 2: Crafted TCP/IP traffic triggers use-after-free — Trigger. Specially crafted network traffic drives the vulnerable kernel TCP/IP code path (attributed to tcpip.sys, CWE-416) into freeing an object while a stale reference survives. Chokepoint (detect): failed attempts corrupt pool memory and crash the box. Watch WER EID 1001 stop codes 0x139/0x19/0xC2 + Kernel-Power EID 41, clustered across hosts — the worm/scan tell.
- Stage 3: Pool reclaim → heap overflow → control — Corruption to control (inference). Attacker-influenced reallocation of the freed pool chunk yields an out-of-bounds heap write (CWE-122) and, with KASLR defeat + remote pool grooming, control-flow hijack. This is the hard engineering step — weeks to months for skilled teams — why Microsoft rated exploitation 'Less Likely.'
- Stage 4: Code execution at SYSTEM (in kernel) — Impact. Arbitrary code execution in the kernel at SYSTEM level. No separate privilege-escalation primitive needed — direct kernel RCE. Full C/I/A loss on the host.
- Stage 5: Worm-style propagation (potential) — Spread potential. Unauth + network + no-UI makes self-propagation feasible if a reliable exploit emerges — EternalBlue-class profile (IP stack, not SMB). No working exploit exists today. Chokepoint (detect): lateral-spray flow anomaly — a host suddenly fanning out to many internal peers across subnets in a short window.
- Prevent: patch to fixed build.UBR — The durable break in the chain. Patch-only — no vendor workaround. Apply the per-SKU June 2026 KB and verify build.UBR estate-wide. One KB per host clears the whole June network-RCE cluster.
- Detect: crash clusters + lateral spray — Bugcheck-cluster detection (WER EID 1001 + Kernel-Power 41, faulting module tcpip.sys, burst across hosts) + behavioral flow anomaly logic. Catches the exploit-race turning real. Talos Snort June 2026 rules — verify whether any SID specifically covers this CVE.
Exploit status and weaponization difficulty
As of 2026-07-01, there is no public exploit or PoC anywhere checked: GitHub returned 0 repositories for CVE-2026-45657; the PoC-in-GitHub aggregator returned an empty response; there is no ExploitDB, Metasploit, PacketStorm, Rapid7, or Nuclei entry (a Nuclei template is architecturally unlikely — this is a remote kernel memory-corruption bug, not a web-detectable flaw). CVE-2026-45657 is not in the CISA KEV catalog (verified against the 2026-06-29 catalog, 1630 entries, cisaExploitAdd=null on NVD). The one June bug confirmed under active attack was CVE-2026-41091 (Microsoft Defender EoP) — not this one. EPSS ~0.155 (96th percentile per cve.tools) — elevated relative to population base rate but far from a proven-exploit score. CISA ADP in NVD records exploitation status "none", automatable "yes", technical impact "total."
CVE-2026-45657 alongside the June 2026 network-RCE cluster
The June 2026 release was the largest Patch Tuesday on record (~206–208 Microsoft CVEs, ~37–38 Critical). CVE-2026-45657 shipped alongside a cluster of critical unauthenticated network RCEs that share the same "reachable Windows host" exposure profile. A single June cumulative update per host clears the whole cluster — batch them in one emergency cycle, don't run five separate maintenance windows.
| CVE | Component | CVSS | Exploitability | KEV / ITW status | Patch-cycle priority |
|---|---|---|---|---|---|
| CVE-2026-41091 | Microsoft Defender EoP | – | Confirmed exploited in the wild | Confirmed ITW; ransomware-campaign use flagged | #1 everywhere — confirmed active attack |
| CVE-2026-45657 | Windows Kernel TCP/IP (tcpip.sys) | 9.8 | "Exploitation Less Likely" | Not in KEV; no public PoC | Emergency — wormable kernel RCE; internet-facing + flat-internal first |
| CVE-2026-47291 | HTTP.sys | 9.8 | "Exploitation More Likely" | Not in KEV | Emergency — web-facing hosts; rated more likely than 45657 |
| CVE-2026-44815 | DHCP Client | 9.8 | – | Not in KEV | Emergency — batch with 45657 in same update cycle |
| CVE-2026-42904 | TCP/IP | 9.6 | – | Not in KEV | Emergency — batch with 45657 |
| CVE-2026-45602 | DHCP Server | 9.1 | – | Not in KEV | Urgent — include in the same cycle |
How to check if you're exposed
Because there is no feature toggle, exposure reduces to two questions: is the build patched, and is the host reachable from untrusted networks? The authoritative patch check is the OS build + UBR (update revision) — Get-HotFix frequently does not list cumulative updates on modern Windows; trust build.UBR, not the hotfix list.
```powershell
# Read exact build.UBR (per host)
$v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'{0}.{1}.{2}' -f $v.CurrentMajorVersionNumber, $v.CurrentBuildNumber, $v.UBR

# Example: check Windows 11 24H2 (build 26100) against fixed UBR 8655
$u = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ([int]$u.CurrentBuildNumber -eq 26100 -and [int]$u.UBR -ge 8655) {
    'PATCHED'
} else {
    'VULNERABLE / verify SKU-specific fixed build'
}
```
- Enterprise scale: Tenable/Nessus plugins 320182, 320184, 320186, 320188, 320193 (five per-SKU plugins — verify each maps to the June 2026 check for your specific SKU before relying on it)
- SCCM / Intune: filter by June 2026 Windows quality-update deployment state for fleet compliance
- Reachability scoping: there is no single port to block — scope by who can reach the host at the IP layer (internet-facing, DMZ, flat-internal, isolated)
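Extending the single-SKU check above to the whole KB matrix, as an added example that is not part of the original page: it separates Windows Server 2025 from Windows 11 24H2 (both build 26100) by the InstallationType registry value, and reports UNVERIFIED for Server 2025 because the matrix does not confirm its UBR. The function and output field names are assumptions.

```powershell
# Added example (not from the advisory): report CVE-2026-45657 patch state on the local host
# by mapping build.UBR to the June 2026 KB matrix above. Function and field names are assumptions.
function Resolve-PatchState($row, $ubr) {
    if (-not $row)               { return 'NOT IN MATRIX - SKU not listed as affected; confirm against MSRC' }
    if ($null -eq $row.FixedUbr) { return 'UNVERIFIED - fixed UBR not confirmed; check MSRC for ' + $row.KB }
    if ($ubr -ge $row.FixedUbr)  { return 'PATCHED' }
    return 'VULNERABLE - install ' + $row.KB
}

function Get-Cve202645657PatchState {
    $v     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$v.CurrentBuildNumber
    $ubr   = [int]$v.UBR
    # InstallationType ('Client' vs 'Server' / 'Server Core') separates Server 2025 from
    # Windows 11 24H2, which share build 26100.
    $isServer = $v.InstallationType -ne 'Client'
    # Fixed UBR per SKU, copied from the KB matrix; $null marks a UBR the page does not confirm.
    $matrix = @(
        @{ Build = 22631; Server = $false; Sku = 'Windows 11 23H2';     KB = 'KB5093998'; FixedUbr = 7219 }
        @{ Build = 26100; Server = $false; Sku = 'Windows 11 24H2';     KB = 'KB5094126'; FixedUbr = 8655 }
        @{ Build = 26200; Server = $false; Sku = 'Windows 11 25H2';     KB = 'KB5094126'; FixedUbr = 8655 }
        @{ Build = 28000; Server = $false; Sku = 'Windows 11 26H1';     KB = 'KB5095051'; FixedUbr = 2269 }
        @{ Build = 20348; Server = $true;  Sku = 'Windows Server 2022'; KB = 'KB5094128'; FixedUbr = 5256 }
        @{ Build = 26100; Server = $true;  Sku = 'Windows Server 2025'; KB = 'KB5094125'; FixedUbr = $null }
    )
    $row = $matrix | Where-Object { $_.Build -eq $build -and $_.Server -eq $isServer } | Select-Object -First 1
    $sku = if ($row) { $row.Sku } else { $v.ProductName }
    $kb  = if ($row) { $row.KB }  else { $null }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = '{0}.{1}.{2}' -f $v.CurrentMajorVersionNumber, $build, $ubr
        Sku      = $sku
        KB       = $kb
        State    = Resolve-PatchState $row $ubr
    }
}

Get-Cve202645657PatchState
```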
Detection posture — no public signature exists
No public byte-level signature or IoC set exists for this CVE's trigger — the vulnerable code path is undisclosed. Detection is defense-in-depth and anomaly-based:
- Bugcheck clusters (highest-value signal): failed exploitation corrupts kernel pool memory and crashes the box — a detection opportunity. Watch Event ID 1001 from provider `Microsoft-Windows-WER-SystemErrorReporting` (carries the stop code — not Kernel-Power 1001, a different event), corroborated by Kernel-Power Event ID 41 (dirty reboot). High-fidelity pool-specific codes: `0x139` (KERNEL_SECURITY_CHECK_FAILURE), `0x19` (BAD_POOL_HEADER), `0xC2` (BAD_POOL_CALLER). Noisier supporting codes (`0x1A`, `0x50`) — only alert when the faulting module is confirmed as `tcpip.sys`. A burst across ≥3 hosts in a 30-minute window is the worm/scan tell.
- WFP / network telemetry: Windows Filtering Platform Security Event IDs 5156/5152/5157 for anomalous inbound; ETW provider `Microsoft-Windows-TCPIP` for abnormal connection/teardown rates. NetFlow / Zeek `conn.log` for malformed-packet or TCP-reset bursts.
- Lateral-spray heuristic: a previously idle host suddenly fanning out to many internal peers across different subnets in a short window — the propagation signature of a self-spreading exploit.
- Vendor coverage: Cisco Talos shipped Snort rules for the June 2026 cycle. Verify whether any SID specifically targets CVE-2026-45657 rather than assuming monthly-bundle coverage — a kernel TCP/IP UAF may have no network content signature.
- EDR hunting: unexpected SYSTEM-context process/thread creation, new service/driver installs (Security Event ID 7045, Sysmon EID 6 driver-load), or kernel-callback tampering shortly after inbound network activity on an unpatched host.
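The bugcheck-cluster rule from the first bullet (pool stop codes, the tcpip.sys qualifier for the noisy codes, ≥3 hosts in 30 minutes) as an added example that is not part of the original page, run over a constructed set of crash records so it executes offline. In production the records would come from Get-WinEvent on the System log for the WER 1001 events plus dump triage for the faulting module; the record fields, function names and sample hostnames are assumptions.

```powershell
# Added example (not from the advisory): the bugcheck-cluster rule from the detection section,
# run over constructed crash records. In production the records come from Get-WinEvent on the
# System log (provider Microsoft-Windows-WER-SystemErrorReporting, Id 1001) plus dump triage for
# the faulting module; here they are embedded so the logic runs offline.
$HighFidelityCodes = @(0x139, 0x19, 0xC2)   # pool-specific stop codes: count on any module
$SupportingCodes   = @(0x1A, 0x50)          # noisy codes: count only when tcpip.sys faulted

function Test-BugcheckOfInterest($rec) {
    if ($HighFidelityCodes -contains $rec.StopCode) { return $true }
    if ($SupportingCodes -contains $rec.StopCode -and $rec.FaultingModule -eq 'tcpip.sys') { return $true }
    return $false
}

function Find-BugcheckClusters {
    param([object[]]$Records, [int]$MinHosts = 3, [int]$WindowMinutes = 30)
    $hits = @($Records | Where-Object { Test-BugcheckOfInterest $_ } | Sort-Object TimeCreated)
    $clusters = @()
    for ($i = 0; $i -lt $hits.Count; $i++) {
        # Slide a window forward from each qualifying crash; hits are time-sorted, so the
        # window is a contiguous run starting at $i.
        $start  = $hits[$i].TimeCreated
        $end    = $start.AddMinutes($WindowMinutes)
        $window = @($hits | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $end })
        $hosts  = @($window | ForEach-Object { $_.Computer } | Sort-Object -Unique)
        if ($hosts.Count -ge $MinHosts) {
            $clusters += [pscustomobject]@{
                WindowStart = $start
                Hosts       = $hosts
                StopCodes   = @($window | ForEach-Object { '0x{0:X}' -f $_.StopCode } | Sort-Object -Unique)
            }
            $i += $window.Count - 1   # do not re-report the same burst from each member
        }
    }
    return $clusters
}

# Constructed sample: three hosts hit pool stop codes inside 20 minutes (should cluster), one
# 0x50 in a display driver (ignored), one lone 0x1A in tcpip.sys hours earlier (counted, not clustered).
$t0 = [datetime]'2026-07-01T02:00:00'
$sample = @(
    [pscustomobject]@{ Computer = 'SRV-WEB01'; TimeCreated = $t0;                StopCode = 0x139; FaultingModule = 'tcpip.sys' }
    [pscustomobject]@{ Computer = 'SRV-WEB02'; TimeCreated = $t0.AddMinutes(8);  StopCode = 0x19;  FaultingModule = 'tcpip.sys' }
    [pscustomobject]@{ Computer = 'SRV-APP03'; TimeCreated = $t0.AddMinutes(19); StopCode = 0xC2;  FaultingModule = 'ntoskrnl.exe' }
    [pscustomobject]@{ Computer = 'WS-0451';   TimeCreated = $t0.AddMinutes(25); StopCode = 0x50;  FaultingModule = 'nvlddmkm.sys' }
    [pscustomobject]@{ Computer = 'SRV-DB01';  TimeCreated = $t0.AddHours(-5);   StopCode = 0x1A;  FaultingModule = 'tcpip.sys' }
)
Find-BugcheckClusters -Records $sample | Format-List
```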
Remediation
This is patch-only. Microsoft published no workaround (has_workaround=false). Do not deploy an untested registry or firewall tweak as a substitute. Reachability reduction (segmentation, host firewall, ACLs) reduces but does not remove exposure — it is a bridge to patching, not a fix. Kernel updates require a reboot: plan maintenance windows now rather than waiting for a PoC to force an emergency reboot cycle.
- Apply the June 2026 cumulative update for the host's SKU (KB matrix above). A single update per host patches CVE-2026-45657 and the full sibling network-RCE cluster (HTTP.sys CVE-2026-47291, DHCP CVE-2026-44815/45602, TCP/IP CVE-2026-42904, Defender CVE-2026-41091) — one maintenance window, one reboot per host.
- Prioritize by reachability: internet-facing and DMZ hosts first (worm ignition points), then flat/unsegmented internal networks (where a worm would pivot east-west), then domain controllers and Server 2022/2025, then general endpoints.
- If you cannot patch immediately: reduce reachability via host firewall / network ACLs / segmentation to limit who can reach the IP stack. This is a bridge, not a fix.
- **Cannot patch and cannot reduce reachability (legacy, appliance-embedded, vendor-locked, change-freeze)? Formally risk-accept** with a named owner, documented compensating controls (monitoring above), and a hard review date. Auto-escalate the moment a public PoC or CISA KEV listing appears.
- Verify fixed build.UBR estate-wide (Nessus plugins / SCCM / Intune). Keep crash-cluster and lateral-spray monitoring live — these are the early-warning system for the exploit-race turning real.
- If monitoring fires: isolate and triage under your standard IR playbook. A crash-cluster across unpatched hosts is not a false positive to dismiss.
FAQ
Is CVE-2026-45657 being actively exploited?
Which Windows versions are affected?
Is there a workaround if I can't patch right now?
What does 'wormable' mean here, and should I treat this like EternalBlue?
How do I know if my host is actually patched?
Read build.UBR with Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' and compare it against the fixed revision in the KB matrix above. Do not rely on Get-HotFix alone — it frequently does not list cumulative updates on modern Windows. At enterprise scale, use Tenable Nessus plugins 320182/320184/320186/320188/320193.
Sources
- NVD — CVE-2026-45657
- CVE.org record
- Zero Day Initiative — June 2026 Security Update Review
- CISA Known Exploited Vulnerabilities catalog
- Tenable — CVE-2026-45657 (EPSS, Nessus plugins)
- SANS ISC — Microsoft June 2026 Patch Tuesday
- Security Affairs — record 208-CVE Patch Tuesday
- The Record — Microsoft ships largest Patch Tuesday on record
- CrowdStrike — June 2026 Patch Tuesday analysis
- Cisco Talos — June 2026 Snort rules and prominent vulnerabilities
- WindowsForum — CVE-2026-45657 patch guide (build→KB→UBR)
- BleepingComputer — Windows 11 KB5094126 and KB5093998 cumulative updates
- Threat-Modeling.com — Microsoft June 2026 Patch Tuesday critical CVEs
- TechTimes — Microsoft Patch Tuesday June 2026: record 208 CVEs, wormable kernel flaw
- cve.tools — CVE-2026-45657