
The Record Patch Tuesday Has a Kill Chain Hidden Inside It. Six June CVEs Turn an Anonymous Network Packet Into Your Encrypted Disks — All Patched the Same Day.

  • Writer: Patrick Duggan

Earlier today we wrote about the single most dangerous bug in Microsoft's record 208-CVE June Patch Tuesday: CVE-2026-45657, a wormable kernel TCP/IP remote code execution that takes a machine to SYSTEM with no password and no click. That post argued you should patch it first. This post argues something narrower and more useful for the team that has to triage all 208: the June release is not 208 isolated bugs. It contains, in a single Tuesday, every link you need to chain an anonymous network packet into a domain takeover and the encrypted disks behind it. You do not need a year of disclosures and a sophisticated actor to assemble this. You need one patch cycle's worth of holes and the discipline to read them as a path instead of a column of severity scores.


This is the lesson we keep coming back to — we wrote it about Cisco SD-WAN Manager in May, where four CVEs landing on one day chained from an anonymous HTTP request to owning every router in the fabric. The shape repeats because attackers think in paths and patch teams think in lists. So here is the path.



Link One: The Way In — [CVE-2026-45657](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-45657)


A wormable kernel RCE is both the front door and the hallway. CVE-2026-45657 is a use-after-free in the Windows TCP/IP stack, CVSS 9.8, reachable over the network with no authentication and no user interaction, and it lands the attacker at SYSTEM directly. On any machine an attacker can reach, no further chaining is required to own that machine — the packet is the exploit and the SYSTEM shell is the result. Because it is wormable, it is also the propagation engine: one reachable host becomes many without a human driving each hop. This is the only link in the chain that needs nothing before it. Everything else in this post is what happens after the worm is already inside and standing on a box as SYSTEM.



Link Two: Blind the Guard — [CVE-2026-41091](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-41091)


The first thing a capable intruder does after landing is take the defender's eyes out, and June handed them a tool for it. CVE-2026-41091 is a Microsoft Defender elevation-of-privilege vulnerability that Microsoft has confirmed is under active exploitation in the wild, and the patch acknowledges multiple independent finders, which is usually a sign that real-world exploitation is neither theoretical nor narrow. Defender is the EDR sitting on the majority of Windows endpoints on earth; a privilege flaw in the guard itself is a flaw in the thing that is supposed to notice the rest of this chain happening. One precision worth keeping: Microsoft files the bug as elevation of privilege, not as a detection or tamper-protection bypass, so "blind the guard" is the role a flaw in the sensor's own privileged components plays for an intruder who wants to tamper with it, not a documented capability of the CVE. Combine it with the working Defender exploit a researcher dropped publicly this week, hours after Patch Tuesday, and the evasion link is not a hypothetical; it is shipping code.



Link Three: The Keys — LSASS


Standing on a box as SYSTEM with the EDR blinded, the attacker reaches for the same prize they always do: the credentials in LSASS memory. This is not a new CVE; it is the consequence of the first two links. SYSTEM can open the Local Security Authority Subsystem Service process and read its memory, and that process holds the cached credentials, tokens, and hashes that let an intruder stop exploiting and start logging in. Two controls change that arithmetic: LSA protection (RunAsPPL), which refuses handle opens on LSASS from processes that are not themselves protected, and Credential Guard, which moves the secrets into virtualization-based security so that even a successful SYSTEM-level read of LSASS does not return them. Where neither is enabled, the dump is a standard debugging API call. The transition from exploitation to valid credentials is the moment an incident becomes an enterprise problem, because from here the attacker moves through your network as a legitimate user and most of your detection is looking for exploits, not logins.
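Detection logic for this link, as an added example that is not part of the original post or its tooling. It assumes Sysmon Event ID 10 (ProcessAccess) telemetry rendered as key=value text; the sample lines below are constructed, not real events, and the allowlist of system binaries is illustrative and must be tuned per environment. The rule flags any non-allowlisted process that opens lsass.exe with PROCESS_VM_READ in its granted access mask, which is the right every credential dumper has to hold, and calls out full-access handles separately because that is what dump-style tooling usually requests.

```python
"""Flag handle opens on lsass.exe that carry memory-read rights.

Added example, not code from the post. Input is a constructed key=value rendering
of Sysmon Event ID 10 (ProcessAccess) fields; a real deployment reads the event
log or a SIEM, but the access-mask and allowlist logic is the same.
"""
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010       # the right a credential dumper must hold on lsass
PROCESS_ALL_ACCESS = 0x1FFFFF  # what MiniDump-style tooling typically requests

# Illustrative allowlist (assumption): system binaries that legitimately open
# lsass with read rights. Keep it to full paths; basenames are trivially spoofed.
ALLOWED_SOURCE_PATTERNS = [
    re.compile(r"^c:\\windows\\system32\\(csrss|wininit|svchost|lsm)\.exe$"),
    re.compile(r"^c:\\programdata\\microsoft\\windows defender\\platform\\[^\\]+\\msmpeng\.exe$"),
]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=10 SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\Program Files\Monitoring\agent.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000',
    r'EventID=10 SourceImage="C:\Users\Public\procdump64.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF',
    r'EventID=10 SourceImage="C:\Windows\Temp\upd.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010',
    r'EventID=10 SourceImage="C:\Windows\System32\taskmgr.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess=0x1410',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c whoami"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    source: str
    granted: int
    reason: str


def parse_event(line):
    """Turn a key=value / key="quoted value" line into a dict of strings."""
    return {k: (q if q else b) for k, q, b in _KV.findall(line)}


def is_allowed(source):
    """True if the source image path matches the environment allowlist."""
    s = source.lower()
    return any(p.match(s) for p in ALLOWED_SOURCE_PATTERNS)


def detect_lsass_access(lines):
    """Return an Alert for every suspicious lsass.exe handle open in `lines`."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events matter here
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # no memory-read right: cannot dump credentials
        source = ev.get("SourceImage", "")
        if is_allowed(source):
            continue
        reason = ("full-access handle on lsass (dump-style)"
                  if granted == PROCESS_ALL_ACCESS
                  else f"handle on lsass with PROCESS_VM_READ (0x{granted:x})")
        alerts.append(Alert(source, granted, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT {a.source} granted=0x{a.granted:x}: {a.reason}")
```

Run against the constructed sample the rule fires twice, on procdump64.exe and on the binary in C:\Windows\Temp, and stays quiet on the allowlisted Defender engine and on the agent that opened lsass without PROCESS_VM_READ. The mask check is what keeps the rule from drowning in benign query-only opens; the allowlist is what you will spend the most time tuning.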



Link Four: Climb the Holdouts — [CVE-2026-45586](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-45586) and [CVE-2026-42916](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-42916)


Not every machine is reachable by the worm directly. The high-value boxes — domain controllers, backup servers, the segmented infrastructure you were right to wall off — are typically reached by pivoting with stolen credentials and landing as an ordinary user. That is where the June elevation-of-privilege bugs earn their place in the chain. CVE-2026-45586, a flaw in the Collaborative Translation Framework, lets a low-privileged local attacker climb to SYSTEM with low complexity and no user interaction, and it was disclosed publicly before the patch shipped. CVE-2026-42916 is a separate Windows kernel local privilege escalation in the same release. Either one converts a user-level foothold on a pivot box into SYSTEM on that box, and the chain continues. Two independent escalation paths in one month means patching only one of them does not close the link.



Link Five: The Data at Rest — [CVE-2026-50507](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-50507)


The point of all of this, for a ransomware crew, is leverage, and leverage increasingly means the data you cannot easily restore. CVE-2026-50507 is a BitLocker security-feature bypass disclosed as a zero-day this month. BitLocker is the full-disk encryption a lot of organizations rely on as their last line for data at rest, the thing that is supposed to make a stolen or seized disk worthless. A bypass turns that assurance off for an attacker with the local access the previous links already gave them. Be precise about what it adds, though: on a host that is booted and in use the volume is already unlocked, and the SYSTEM shell from link four reads it with or without this CVE. What a bypass changes is the case BitLocker exists for in the first place: the powered-off laptop, the disk pulled from a server, the encrypted volume sitting at rest in a backup set. The encrypted laptop, the encrypted server volume, the thing you thought was safe because it was encrypted: link five reads it.



Link Six: The Noise — [CVE-2026-49160](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-49160)


The last link is optional and it is cover. CVE-2026-49160 is an HTTP.sys denial-of-service flaw in the HTTP/2 stack, and because HTTP.sys sits underneath IIS and other Windows networking services, a crafted request stream can knock exposed web-facing servers offline. During an active intrusion a DoS is rarely the objective; it is the distraction, the thing that pulls your responders toward the website being down while the real work happens elsewhere, or the additional extortion lever applied once the encryption is done. It belongs in the chain as the thing that complicates your response, not the thing that owns your network. If web-facing hosts cannot take the patch immediately, earlier HTTP/2 flaws in HTTP.sys were mitigated by turning HTTP/2 off in HTTP.sys through the EnableHttp2Tls and EnableHttp2Cleartext values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; confirm against Microsoft's advisory for this CVE before leaning on that, and remember it costs you HTTP/2 for every site on the box.



How To Read This As A Defender


We want to be precise, because precision is the product: this is a constructed chain, not an observed campaign. We are not telling you a named actor is running these six CVEs in sequence right now. We are telling you that a single Tuesday's patch notes contain a complete path from an anonymous packet to your encrypted disks, and that the right way to triage 208 CVEs is to read them as paths rather than to sort them by CVSS and work down the list. Patched in path order, the priorities are clear: the wormable entry point first because it needs nothing and spreads itself, the actively-exploited Defender flaw second because it is already being used and it blinds you to the rest, the two escalation bugs next because they are how the worm reaches what you correctly segmented, and the BitLocker bypass close behind because it turns off the assurance you were counting on at the end. The DoS can wait. The chain cannot, because the gap between this patch shipping and a public proof-of-concept for the wormable link is the window every one of these moves lives inside — and our harvester, which caught the proof-of-concept drops for Check Point, Cisco SD-WAN, and Langflow within hours this week, is watching that exact window for the kernel bug now.
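The path-ordered triage this paragraph argues for, as an added example that is not the post's code or tooling. Each link is modelled as an edge from the capabilities an attacker must already hold to the capability it yields; the prerequisites encoded are a reading of the chain as this post narrates it (including treating the blinded EDR as a prerequisite for the LSASS step, and adding a non-CVE lateral-movement step), not Microsoft's published exploitation requirements, and the capability names such as system_on_edge_host and encrypted_volume_read are hypothetical labels. The code computes the round at which each link first becomes usable from an anonymous network position, pushes links that do not lie on any path to the goal behind the chain, and answers which patches actually cut it.

```python
"""Order a patch cycle's fixes by their position on an attacker's path.

Added example, not the post's code or tooling. Each link is an edge from the
capabilities an attacker must already hold to the capability it yields; the
prerequisites below are a reading of the chain as the post describes it, not
Microsoft's published exploitation requirements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str                 # CVE id, or a non-CVE step such as credential theft
    needs: frozenset          # capabilities that must already be held
    grants: str               # capability gained by using the link
    exploited: bool = False   # known exploited in the wild
    public_poc: bool = False  # public exploit or pre-patch disclosure


# Constructed model of the June chain. Capability names are hypothetical labels.
JUNE_CHAIN = [
    Link("CVE-2026-45657", frozenset({"network"}), "system_on_edge_host"),
    Link("CVE-2026-49160", frozenset({"network"}), "web_tier_down"),
    Link("CVE-2026-41091", frozenset({"system_on_edge_host"}), "edr_blinded",
         exploited=True, public_poc=True),
    Link("LSASS credential theft (no CVE)",
         frozenset({"system_on_edge_host", "edr_blinded"}), "domain_credentials"),
    Link("Lateral movement with stolen credentials (no CVE)",
         frozenset({"domain_credentials"}), "user_on_segmented_host"),
    Link("CVE-2026-45586", frozenset({"user_on_segmented_host"}),
         "system_on_segmented_host", public_poc=True),
    Link("CVE-2026-42916", frozenset({"user_on_segmented_host"}),
         "system_on_segmented_host"),
    Link("CVE-2026-50507", frozenset({"system_on_segmented_host"}),
         "encrypted_volume_read"),
]

GOAL = "encrypted_volume_read"


def forward_rounds(links, start=("network",)):
    """Round at which each link first becomes usable from `start`, plus the
    full set of capabilities the attacker ends up holding."""
    held, rounds, step = set(start), {}, 0
    while True:
        usable = [lk for lk in links if lk.name not in rounds and lk.needs <= held]
        if not usable:
            return rounds, held
        for lk in usable:
            rounds[lk.name] = step
        held |= {lk.grants for lk in usable}
        step += 1


def on_path_to(links, goal=GOAL):
    """Names of links whose grant is needed, directly or transitively, for goal."""
    needed, changed = {goal}, True
    while changed:
        changed = False
        for lk in links:
            if lk.grants in needed and not lk.needs <= needed:
                needed |= lk.needs
                changed = True
    return {lk.name for lk in links if lk.grants in needed}


def path_order(links, start=("network",), goal=GOAL):
    """Patch order: chain links by round, in-the-wild and public-PoC first on
    ties, off-path noise after the chain, anything unreachable last."""
    rounds, _ = forward_rounds(links, start)
    relevant = on_path_to(links, goal)

    def key(lk):
        return (lk.name not in rounds, lk.name not in relevant,
                rounds.get(lk.name, 0), not lk.exploited, not lk.public_poc, lk.name)

    return [lk.name for lk in sorted(links, key=key)]


def goal_reachable(links, patched, start=("network",), goal=GOAL):
    """Does the chain still reach `goal` once the named links are patched?"""
    _, held = forward_rounds([lk for lk in links if lk.name not in patched], start)
    return goal in held


if __name__ == "__main__":
    for i, name in enumerate(path_order(JUNE_CHAIN), 1):
        print(f"{i}. {name}")
    print("entry patched, goal reachable:", goal_reachable(JUNE_CHAIN, {"CVE-2026-45657"}))
    print("one EoP patched, goal reachable:", goal_reachable(JUNE_CHAIN, {"CVE-2026-45586"}))
```

On this model the ordering comes out as the post describes it: the entry RCE, the Defender flaw, the two non-CVE steps, the two escalation bugs, the BitLocker bypass, and the DoS last because nothing on the way to the disks depends on it. The goal_reachable check makes the other point concrete: patching the entry point alone severs the chain, patching one of the two escalation bugs does not, and patching the DoS changes nothing. Swap in your own patch cycle and your own prerequisites; the algorithm is the same.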





