The Largest Patch Tuesday in History
Microsoft's June 2026 Patch Tuesday delivered 208 CVEs — the largest single monthly security update since the program launched in 2003. Including Chromium and third-party components bundled in Microsoft products, the total reaches 571 vulnerabilities. 37 are rated Critical. 65 are elevation-of-privilege vulnerabilities. 55 are remote code execution flaws. The sheer volume overwhelms traditional patch management processes: organizations that patch monthly now face a queue that could take weeks to test and deploy.
Two vulnerabilities demand immediate attention. CVE-2026-45657 (CVSS 9.8) is a use-after-free in the Windows Kernel TCP/IP stack — wormable, requiring no authentication and no user interaction, exploitable remotely via crafted TCP/IP packets. Security researchers have compared it to EternalBlue, the vulnerability behind WannaCry. CVE-2026-47291 (CVSS 9.8) is a remote code execution vulnerability in HTTP.sys — the kernel-mode HTTP listener that powers IIS. Crafted HTTP packets sent to a Windows web server can achieve code execution at the kernel level.
The Web Server Attack Vector
CVE-2026-47291 is a direct threat to every Windows-hosted web application. HTTP.sys is not optional on Windows Server — it is the kernel-mode HTTP listener that IIS uses to process all incoming web requests. ASP.NET, ASP.NET Core (when hosted on IIS), WordPress on Windows (via IIS + PHP), and any application behind IIS's reverse proxy are all served through HTTP.sys. A crafted HTTP request — sent to port 80 or 443 like any normal web request — can achieve kernel-level code execution on the web server. No authentication. No special access. Just a packet to a public-facing web server.
The CVE-2026-45657 kernel TCP/IP vulnerability compounds this: even if a Windows server does not run IIS, any open TCP port can be attacked. RDP, SMB, database services, application servers — all process TCP/IP through the vulnerable kernel code path. A worm exploiting this vulnerability could spread across an entire Windows network once a single machine is compromised, exactly as WannaCry spread through EternalBlue in 2017.
CISA's Three-Day Mandate Meets 208 CVEs
CISA's BOD 26-04, issued June 10, 2026, mandates that the highest-risk vulnerabilities be patched within 3 days. Both CVE-2026-45657 and CVE-2026-47291 qualify: CVSS 9.8, network-exploitable, no authentication required. Federal agencies — and any organization following CISA guidance — must patch these two vulnerabilities by June 13. The Patch Tuesday dropped June 10. That is a 72-hour window to test, deploy, and verify a kernel-level patch across all Windows infrastructure.
72 hours for a kernel patch is achievable for organizations with automated patch pipelines, containerized deployments, and blue-green infrastructure. It is not achievable for organizations running Windows Server 2019 with manual RDP-based administration, applications that require reboot testing, or enterprises with change advisory boards that meet weekly. The 3-day mandate does not create a new capability — it reveals which organizations already have the infrastructure to respond at that speed and which do not.
The Linux Differential
Neither CVE-2026-45657 nor CVE-2026-47291 affects Linux, macOS, or any non-Windows operating system. Web servers running on Linux (Nginx, Apache, Caddy) with Python (FastAPI, Django), Node.js (Next.js, Express), or Go backends are not affected. Containerized deployments on Kubernetes with Linux-based images are not affected. Serverless platforms (AWS Lambda, Cloudflare Workers, Vercel Edge Functions) are not affected.
This creates a quantifiable security differential between Windows-hosted and Linux-hosted web infrastructure. In the month of June 2026 alone, Windows web servers face: 208 CVEs including a wormable kernel flaw, an HTTP.sys RCE, and a 72-hour patching deadline. Linux web servers face: their normal, smaller set of targeted advisories. The operating system underneath the web framework is not a neutral choice. It is a security multiplier — and in June 2026, it multiplied risk for Windows and reduced it for Linux.
Patch or Isolate
Security researchers warn that public exploits for CVE-2026-45657 may emerge 'in days rather than weeks.' The recommended timeline: internet-facing Windows servers should be patched within 48 hours. Internal Windows servers within 72 hours. If patching is not possible within that window, isolate: remove the server from the network, disable inbound TCP/IP from untrusted networks, or migrate the workload to a patched system. The wormable nature of CVE-2026-45657 means that a single unpatched machine on a network segment can compromise every other Windows machine on that segment. There is no 'wait and see' option for a wormable kernel vulnerability.
