Three vulnerabilities in Microsoftβs June 2026 Patch Tuesday all score CVSS 9.8 and all enable unauthenticated remote code execution against Windows systems. The combination β a Windows Kernel flaw being actively exploited, a wormable HTTP.sys vulnerability, and a DHCP Client remote exploit via rogue server β represents an unusually dense cluster of critical risk requiring emergency remediation.
CVE-2026-45657: Windows Kernel Use-After-Free (Actively Exploited)
CVE-2026-45657 is a use-after-free vulnerability in a Windows kernel memory management component. Microsoftβs advisory confirms this vulnerability was both publicly disclosed and actively exploited before the patch was released β meaning exploit code exists in the wild and is being used against unpatched systems.
Technical mechanism: The kernelβs memory allocation structures for a specific device interface can be freed while a reference to the object remains in a data structure accessed by interrupt handlers. Timing this race condition correctly allows kernel memory corruption, which can be escalated to arbitrary code execution at kernel privilege (SYSTEM or above).
Exploitation context: The active exploitation Microsoft references appears to be targeted rather than mass exploitation β consistent with nation-state or sophisticated criminal actors who had pre-patch access to the vulnerability. However, within 48β72 hours of the public Patch Tuesday disclosure, functional exploit code is typically reproduced from the patch diff and incorporated into exploit frameworks available to less sophisticated actors.
Systems at risk: All supported Windows versions including Windows 10/11 and Windows Server 2016β2025. Workstations and servers running Windows are equally affected.
Remediation: Apply the June 2026 Windows cumulative update (KB numbers per Windows version available in the Security Update Guide). No effective mitigation exists other than the patch β the vulnerable code path is in core kernel memory management.
CVE-2026-47291: HTTP.sys Wormable RCE (No Authentication, No User Interaction)
CVE-2026-47291 is an integer overflow in HTTP.sysβs HTTP/2 protocol parser. HTTP.sys is the Windows kernel-mode HTTP driver, used by:
- Internet Information Services (IIS) β web hosting
- Windows Remote Management (WinRM) β remote management
- Windows HTTP Server API β any application using the
httpapi.dllHTTP listener - Exchange Server (which uses IIS internally)
- SharePoint Server (which uses IIS internally)
- Windows Admin Center
- WSUS (Windows Server Update Services)
The wormable classification means: a single malicious HTTP/2 request to any of these services achieves SYSTEM-level code execution. No authentication, no user action, no existing access required. This is the highest risk category of Windows Server vulnerability β comparable to EternalBlue (MS17-010) and ProxyLogon (CVE-2021-26855) in its exploitability.
HTTP/2 exposure: HTTP/2 is enabled by default in IIS on Windows Server 2016 and later and in all the services listed above. The attack surface is any Windows Server with HTTP traffic accepted on port 443 or 80, which in practice means almost every Windows Server in an internet-facing role and many internal servers.
Disabling HTTP/2 as interim mitigation:
# Disable HTTP/2 for IIS (requires IIS restart)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
-Name "EnableHttp2Tls" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" `
-Name "EnableHttp2Cleartext" -Value 0
Restart-Service W3SVCThis mitigation degrades performance but does not break connectivity. HTTP/1.1 continues to function normally. The mitigation applies to IIS; other HTTP.sys consumers (WinRM, HTTP Server API applications) may require separate configuration.
Priority: Patch all Windows Server systems with any HTTP service enabled. Treat as emergency β do not wait for the next scheduled maintenance window.
CVE-2026-44815: Windows DHCP Client Rogue-Server RCE
CVE-2026-44815 is a stack buffer overflow in the Windows DHCP Client service. DHCP Client runs on every Windows system that uses dynamic IP addressing β which includes almost every Windows workstation and server on DHCP-assigned networks.
Attack vector: An attacker operating a rogue DHCP server on the same broadcast domain (Layer 2 network segment) can send specially crafted DHCP offer packets to Windows clients during DHCP discovery. The malformed packet triggers the stack buffer overflow in the DHCP Client service, achieving SYSTEM-level code execution on the targeted Windows system.
Broadcast domain scope: DHCP discovery uses broadcast packets β the attack requires the attacker to be on the same Layer 2 segment as the victim, or to have access to the DHCP broadcast domain through a relay. In enterprise environments, VLANs are Layer 2 broadcast domains. An attacker who has compromised a single device on a VLAN (or who connects a rogue device to a switchport on that VLAN) can exploit CVE-2026-44815 against all Windows devices performing DHCP discovery on that segment.
Scenarios of concern:
- Guest Wi-Fi networks where enterprise Windows devices may be connected
- Conference room or shared space switchports without port security enforcement
- Any VLAN where an attacker has compromised a single endpoint
- VPN-connected environments where a compromised VPN client can relay DHCP to internal subnets
DHCP Guard as compensating control: Cisco, Juniper, Aruba, HP, and most enterprise switch vendors implement DHCP Snooping/Guard β a feature that blocks DHCP server responses from all ports except the designated uplink to the legitimate DHCP server. If DHCP Snooping is enforced on all access-layer switch ports, rogue DHCP responses are dropped before reaching Windows clients. This is an effective interim mitigation for environments where DHCP Guard is supported and can be rapidly configured.
Remediation: Apply the June 2026 Windows cumulative update. DHCP Snooping provides defence-in-depth but does not replace the patch.
Share this article