PatchDayAlert
Analysis · 3 min read · 618 words By Colten Anderson · Commentary

CVE-2026-45657: 'Exploitation Less Likely' Is Not a Patch Window

Microsoft's June kernel use-after-free is wormable, CVSS 9.8, and sitting in researchers' hands. The hazard rating says 'Exploitation Less Likely.' Your patch cycle shouldn't read that as wait.

The June 9 cumulative update patched 200 Windows vulnerabilities. One of them, CVE-2026-45657, carries a CVSS of 9.8, Microsoft’s own classification of “wormable,” and an exploitation likelihood tag that says “Exploitation Less Likely.” For operators reading that last label as a patch priority signal, it’s worth being specific about what it measures and what it doesn’t.

CVE-2026-45657 is a use-after-free in the Windows Kernel’s TCP/IP processing path. An attacker sends specially crafted network traffic to a vulnerable system: no authentication, no user interaction, no prior foothold required. Successful exploitation lands code execution at kernel level, SYSTEM privileges, the highest on a Windows machine. The CVSS vector confirms the attack profile exactly: AV:N/AC:L/PR:N/UI:N. Network-reachable, low complexity, no credentials, no interaction. Microsoft’s own advisory characterizes it as wormable, meaning a successful exploit could self-propagate to other vulnerable machines without human input.

The affected population is not narrow. Windows 11 in every supported release, 23H2, 24H2, 25H2, and 26H1, on both x64 and ARM64. Windows Server 2022 and Windows Server 2025 on x64. Every supported Windows 11 build and both current Server releases.

“Exploitation Less Likely” is Microsoft’s assessment of risk at advisory publication: whether working exploit code exists, and whether threat intelligence shows active use. As of June 9, neither was true for this flaw. No public proof of concept. No confirmed exploitation in the wild.

What the rating doesn’t measure is how quickly that changes. The patch ships the fix in binary form, which means researchers can compare the pre-patch and post-patch builds to identify what changed in the kernel. For a clearly defined use-after-free in a well-understood network processing path, that analysis is already underway. ZDI’s review notes that every research team working this month is reversing the patch, and the gap between “no public exploit” and “reliable public exploit” for a kernel vulnerability with this profile has historically been weeks. “Exploitation Less Likely” describes today’s snapshot. It does not describe the day after someone publishes.

The wormable designation deserves to be taken literally. It reflects a specific set of technical properties: network-reachable, no authentication, no user interaction, kernel-level code execution. These are the same properties that made MS17-010 self-propagate across hundreds of thousands of machines without any victim interaction. CVE-2026-45657 is not EternalBlue, and there is no guarantee it reaches that scale. But “this hasn’t been exploited yet” is a statement about timing, not about safety, and timing changes faster than quarterly patch cycles.

The fix is in the June cumulative update. On Windows 11 23H2, the patched build is 10.0.22631.7219 via KB5093998. Windows 11 24H2 and 25H2 both receive KB5094126, landing at builds 10.0.26100.8655 and 10.0.26200.8655 respectively. Windows 11 26H1 gets KB5095051, build 10.0.28000.2269. Windows Server 2022 and 2025 have corresponding entries in the June security rollup, detailed in the MSRC advisory.

If your fleet deployed the June update when it dropped, verify the build numbers and confirm the update applied cleanly. If your pilot and test rings are holding back the June rollout, or you run a quarterly patch cycle, CVE-2026-45657 is the reason to accelerate this one. Any machine running a build below those numbers and reachable on a network without endpoint isolation is in scope, including management servers, jump hosts, VDI targets, and anything in a flat segment that accepts arbitrary TCP/IP traffic.
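One way to do that verification at scale, as an added example that is not code from this article or from Microsoft: the script below compares a host's running build against the patched June builds quoted above and reports PATCHED, VULNERABLE or UNKNOWN. It assumes that `CurrentBuild` and `UBR` under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` describe the running build (they do on Windows 10/11 and Server 2016 and later), it treats `Get-HotFix` only as a secondary cross-check, and it leaves the Server 2022 and Server 2025 entries as placeholders to be filled in from the MSRC advisory, since the article does not quote their builds. The inventory rows at the bottom are constructed, not real hosts.

```powershell
# Added example, not code from the PatchDayAlert article or from Microsoft.
# Compares the running Windows build with the patched June builds quoted in the article
# for CVE-2026-45657 and reports PATCHED / VULNERABLE / UNKNOWN.
# Assumptions: CurrentBuild and UBR under HKLM\...\CurrentVersion describe the running build;
# Server 2022 (build 20348) and Server 2025 (build 26100, shared with Windows 11 24H2) are not
# quoted in the article, so their patched UBR/KB must be taken from the MSRC advisory.

$PatchedBuilds = @{
    22631 = @{ Name = 'Windows 11 23H2'; Ubr = 7219; Kb = 'KB5093998' }   # 10.0.22631.7219
    26100 = @{ Name = 'Windows 11 24H2'; Ubr = 8655; Kb = 'KB5094126' }   # 10.0.26100.8655 (Server 2025 shares this line; confirm its UBR/KB with MSRC)
    26200 = @{ Name = 'Windows 11 25H2'; Ubr = 8655; Kb = 'KB5094126' }   # 10.0.26200.8655
    28000 = @{ Name = 'Windows 11 26H1'; Ubr = 2269; Kb = 'KB5095051' }   # 10.0.28000.2269
    # Placeholder for Windows Server 2022 (build line is an assumption, values are not on the page):
    # 20348 = @{ Name = 'Windows Server 2022'; Ubr = 0; Kb = 'KB-FROM-ADVISORY' }
}

function Test-Cve202645657Patched {
    [CmdletBinding()]
    param(
        # Defaults read the local machine; pass values explicitly to evaluate an inventory export.
        [int]$Build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild,
        [int]$Ubr   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR,
        [switch]$SkipHotFixCheck   # set when evaluating inventory data rather than the local host
    )

    $running = [version]"10.0.$($Build).$($Ubr)"
    $target  = $PatchedBuilds[$Build]

    if (-not $target) {
        # Build line not in the table (Server 2022, or an unsupported release): do not guess.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Release = 'unknown'; Running = $running
            Required = $null; Status = 'UNKNOWN'; Note = 'Build line not in table; check the MSRC advisory'
        }
    }

    $required = [version]"10.0.$($Build).$($target.Ubr)"
    $status   = if ($running -ge $required) { 'PATCHED' } else { 'VULNERABLE' }

    # Secondary check: is the KB recorded as installed? The build comparison is authoritative;
    # a patched build with no KB entry is a reporting discrepancy to look at, not a missing patch.
    $note = ''
    if (-not $SkipHotFixCheck) {
        $kbPresent = [bool](Get-HotFix -Id $target.Kb -ErrorAction SilentlyContinue)
        if ($status -eq 'PATCHED' -and -not $kbPresent) { $note = "$($target.Kb) not listed by Get-HotFix; build says patched" }
        if ($status -eq 'VULNERABLE') { $note = "install $($target.Kb)" }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Release = $target.Name; Running = $running
        Required = $required; Status = $status; Note = $note
    }
}

# Local host
Test-Cve202645657Patched

# Constructed inventory rows (build, UBR) as they might come from an export; not real hosts.
$inventory = @(
    @{ Build = 22631; Ubr = 7100 },   # 23H2 below 7219            -> VULNERABLE
    @{ Build = 26100; Ubr = 8655 },   # 24H2 exactly at the fix     -> PATCHED
    @{ Build = 20348; Ubr = 4000 }    # Server 2022, not in table   -> UNKNOWN
)
$inventory | ForEach-Object { Test-Cve202645657Patched -Build $_.Build -Ubr $_.Ubr -SkipHotFixCheck } |
    Format-Table Release, Running, Required, Status, Note -AutoSize
```

To run it across a fleet, wrap the function in `Invoke-Command -ComputerName` against your jump hosts, management servers and VDI pools, and treat anything that comes back VULNERABLE or UNKNOWN on a network-reachable segment as in scope for the accelerated rollout.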

There is no CISA deadline here. CVE-2026-45657 is not on the KEV list. No emergency directive applies. The pressure is not regulatory.

The pressure is that the window between “Exploitation Less Likely” and “PoC published” on a wormable kernel flaw with a CVSS 9.8 attack profile is the window that is open right now. Getting patched before it closes costs a maintenance cycle. Getting patched after is a different calculation entirely.
