Critical

Windows Kernel TCP/IP Use-After-Free Remote Code Execution

Identifiers: CVE-2026-45657, CWE-416 (Use After Free)

CVE-2026-45657 is a critical remote code execution vulnerability in the Windows Kernel caused by a use-after-free condition. The flaw is described as occurring in how the Windows kernel handles or processes certain TCP/IP data, allowing memory to be reused after it has been freed. An attacker can trigger the vulnerable condition by sending specially crafted network packets to a vulnerable Windows system. Available reporting indicates the attack is remote, requires no authentication and no user interaction, and may be wormable. Successful exploitation can result in arbitrary code execution in kernel context, effectively yielding SYSTEM-level execution on the target host.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges in the Windows kernel. Given the CVSS vector and advisory language, the impact spans full compromise of confidentiality, integrity, and availability on the affected system. Because exploitation is network-reachable via TCP/IP handling and requires no user interaction, the flaw also presents significant risk for automated propagation and broad compromise of exposed or reachable Windows hosts.

Mitigation

If you can’t patch tonight, do this now.

No specific vendor mitigation beyond patching was provided in the supplied content. As interim risk reduction, limit exposure of vulnerable Windows hosts to untrusted network traffic, restrict inbound access using host and network firewalls, segment critical systems, and reduce direct reachability from the internet or less-trusted internal networks until patches can be deployed. Because the flaw is in kernel TCP/IP handling, mitigation short of patching may be incomplete.

Remediation

Patch, then assume compromise.

Apply Microsoft's June 2026 security update for CVE-2026-45657 to all affected Windows systems. Prioritize internet-exposed, perimeter, and otherwise network-reachable assets, especially systems that accept untrusted network traffic. Use standard emergency patching practices for critical pre-auth remote code execution vulnerabilities and validate deployment across the Windows fleet.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor | Product | Type
Microsoft Corporation | Windows | operating_system

Vendor-confirmed product mapping.
