Microsoft Shipped a Record 208 Patches Tuesday. One Is a Wormable Kernel Bug That Needs No Password and No Click. CVE-2026-45657 Is the 2017 Setup, Again.
- Patrick Duggan
Microsoft shipped the largest Patch Tuesday in the program's history this week — 208 CVEs in a single release, three of them zero-days. The volume is the headline everyone wrote. The volume is not the story. Buried in that pile is one bug that does not care how busy your patch team is, because it is the kind of flaw that patches itself onto the front page eventually: CVE-2026-45657, a remote code execution vulnerability in the Windows kernel's TCP/IP stack, rated CVSS 9.8, reachable over the network, requiring no credentials and no user interaction. Those three properties in combination — network vector, no authentication, no click — are the precise definition of wormable. We have seen exactly this shape detonate before, and the year it happened was 2017.
What The Bug Actually Is
CVE-2026-45657 is a use-after-free in how the Windows kernel processes TCP/IP traffic. An unauthenticated attacker on the network sends specially crafted packets to a vulnerable machine and gains code execution at SYSTEM — the highest privilege level the operating system has. There is no login prompt to get past, no malicious attachment a user has to open, no phishing lure that has to land. The machine being reachable and unpatched is the entire prerequisite. Microsoft's own CVSS vector confirms it: attack vector network, privileges required none, user interaction none. The affected surface is broad — Windows 11 versions 23H2 through 26H1 on both x64 and ARM64, plus Windows Server 2022 and Server 2025 including the stripped-down Server Core installations that often run as infrastructure nobody logs into and nobody patches on a fast cadence.
As of this writing there is no confirmed public exploit. That is the good news and it has a short shelf life. Security researchers worldwide are already diffing the patch against the unpatched binary to reverse-engineer the vulnerable code path, which is the normal and predictable next step after any high-value advisory drops. The temporal score sits at 8.5 precisely because weaponization has not been confirmed yet — not because it is hard, but because it is early. The window between a patch shipping and a working exploit circulating is the window every defender actually lives in, and for a bug this clean that window is measured in days to weeks, not months.
Why This Is The 2017 Setup
WannaCry and NotPetya did not spread because they were clever. They spread because EternalBlue gave them a network-reachable, unauthenticated, no-interaction path into the Windows SMB stack, and a self-propagating payload needs nothing more than that to turn one infected machine into ten thousand. The patch for EternalBlue existed before WannaCry hit. Organizations were destroyed anyway, because the gap between patch-available and patch-applied is where worms live, and a flat internal network turns a single foothold into a building fire. CVE-2026-45657 is the same primitive in a different part of the stack: instead of SMB, the TCP/IP kernel path; instead of a Server 2008 estate, a 2022-to-2026 Windows 11 and Server fleet. The technology moved on. The shape did not. A wormable kernel RCE is a ransomware on-ramp — the thing that lets a crew skip the phishing, skip the initial-access broker, and simply arrive, because the network packet is the delivery mechanism and the SYSTEM shell is the payload.
We Said The TCP/IP Stack Was The Ignored Surface In April
We want to be precise about this, because precision is the whole product. We did not predict CVE-2026-45657. What we did do, on April 27, was publish a post about a different Windows TCP/IP RCE — CVE-2026-33827, rated 8.1 — under a blunt argument: the TCP/IP stack itself is the unauthenticated-RCE surface the industry keeps walking past because something flashier is always in the news that week. That April bug got ignored because everyone was talking about the BlueHammer Defender flaw CISA had just added to KEV. The pattern we named then was that the kernel network path is a recurring, under-watched source of exactly the no-auth-no-click RCE that matters most, and that the threat-vendor ecosystem systematically under-weights it. Six weeks later, June Patch Tuesday shipped another Windows TCP/IP stack RCE — this one a full point higher at 9.8, and this one wormable. Same stack. Worse bug. The recurrence is the receipt, not a specific call, and we will not dress it up as more than that.
What A Defender Does This Week
Patch CVE-2026-45657 first, ahead of the other 207. When a single release is this large, triage is the real skill, and the triage rule is unambiguous: a wormable, unauthenticated, SYSTEM-level kernel RCE outranks everything else in the pile regardless of what is being actively exploited today, because the cost of being wrong about this one is a self-propagating event rather than a single compromised host. If you cannot patch every machine immediately — and at fleet scale nobody can — then reduce the blast radius the way you would have wanted to before WannaCry: the bug is network-reachable, so restrict and segment the TCP/IP attack surface, keep Server Core and other quietly-running infrastructure off any segment a compromised workstation can reach, and treat internal network flatness as the multiplier it is. The patch existing does not protect you. The patch applied, plus segmentation that assumes one machine will fall, is what keeps a foothold from becoming a fire.
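The triage rule above, and the affected-version list from earlier in the post, can be turned into a small script that orders a Patch Tuesday release and a fleet inventory the way this post argues for. The code below is an added example, not the post's or Microsoft's own tooling. The only real values in it are the CVE id CVE-2026-45657, its 9.8 base score, and the three vector components the post confirms (AV:N, PR:N, UI:N); the remaining components of that vector are the standard remainder of a 9.8 vector and are an assumption, and every other advisory, host name and network-placement flag is constructed sample input.

```python
"""Patch Tuesday triage helper: wormable first, then the exposed fleet.

Added example, not code from the post or from Microsoft. Only CVE-2026-45657,
its 9.8 score and its AV:N/PR:N/UI:N components come from the post; the rest
of that vector and all other sample data below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# AC:L/S:U/C:H/I:H/A:H is the usual remainder of a 9.8 vector; it is an
# assumption here, not quoted from Microsoft's advisory.
CVE_2026_45657_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    vector: str              # CVSS v3.x vector string
    exploited: bool = False  # known exploited in the wild at release time


def parse_vector(vector: str) -> dict[str, str]:
    """Split a CVSS v3.x vector string into {metric: value}; reject malformed input."""
    head, _, rest = vector.partition("/")
    if not head.startswith("CVSS:3") or not rest:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def is_wormable(vector: str) -> bool:
    """The post's three-property test: network vector, no privileges, no click.
    A local (AV:L) or adjacent (AV:A) bug is not wormable even with PR:N and UI:N."""
    m = parse_vector(vector)
    return m.get("AV") == "N" and m.get("PR") == "N" and m.get("UI") == "N"


def triage(advisories: list[Advisory]) -> list[str]:
    """Patch order: wormable first (ahead of anything merely exploited today),
    then known-exploited, then base score descending, then CVE id for a stable sort."""
    def key(a: Advisory) -> tuple:
        return (not is_wormable(a.vector), not a.exploited, -a.cvss, a.cve)
    return [a.cve for a in sorted(advisories, key=key)]


_YYH = re.compile(r"(\d{2})H([12])")


def _yyh(version: str) -> tuple[int, int]:
    """'24H2' -> (24, 2), so Windows 11 feature versions compare in release order."""
    m = _YYH.fullmatch(version)
    if not m:
        raise ValueError(f"not a Windows 11 version label: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(product: str, version: str) -> bool:
    """Affected surface as the post reports it: Windows 11 23H2 through 26H1 and
    Windows Server 2022 / 2025 (Server Core installs carry the same version label)."""
    if product == "Windows 11":
        return _yyh("23H2") <= _yyh(version) <= _yyh("26H1")
    if product == "Windows Server":
        return version in {"2022", "2025"}
    return False


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    workstation_reachable: bool  # on a segment a compromised workstation can route to


def exposure_order(hosts: list[Host]) -> list[str]:
    """Among affected hosts, patch or isolate the ones a workstation can reach first;
    hosts outside the affected set are left out entirely."""
    affected = [h for h in hosts if is_affected(h.product, h.version)]
    return [h.name for h in sorted(affected, key=lambda h: (not h.workstation_reachable, h.name))]


# Constructed sample input: one real CVE id from the post, the others are placeholders.
SAMPLE_ADVISORIES = [
    Advisory("CVE-EXAMPLE-ZERO-DAY", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", exploited=True),
    Advisory("CVE-2026-45657", 9.8, CVE_2026_45657_VECTOR),
    Advisory("CVE-EXAMPLE-AUTH-RCE", 8.8, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
]

SAMPLE_HOSTS = [  # constructed inventory; names and placement are invented
    Host("core-dns-01", "Windows Server", "2022", workstation_reachable=True),
    Host("ws-0042", "Windows 11", "24H2", workstation_reachable=True),
    Host("legacy-2019", "Windows Server", "2019", workstation_reachable=True),
    Host("dc-isolated", "Windows Server", "2025", workstation_reachable=False),
]

if __name__ == "__main__":
    print("patch order:", triage(SAMPLE_ADVISORIES))
    print("affected, most exposed first:", exposure_order(SAMPLE_HOSTS))
```

The sort key encodes the post's rule literally: a wormable advisory sorts ahead of a known-exploited one regardless of score, and only after those two properties does the base score decide. The version parser treats Windows 11 labels as (year, half) pairs so the "23H2 through 26H1" range is checked by comparison rather than by a hand-maintained list, which is the part most likely to rot when the next feature update ships.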
And watch the clock between now and the public exploit. There is no weaponized proof-of-concept today, but the patch-diffing has already started, and the moment one lands on a public repository the calculus changes for everyone still unpatched. Our exploit harvester watches GitHub for exactly that drop — it caught the proof-of-concept landings this week for the Check Point VPN, Cisco SD-WAN, and Langflow bugs within hours of them being published — and a wormable kernel RCE is the single highest-priority thing it can surface. When the CVE-2026-45657 PoC appears, the question stops being whether to fast-lane the patch and becomes how many hours you have left. Better to have spent those hours already.