June 2026 Windows Update — 200 Fixes, 3 Zero-Days and a Wormable Flaw
Microsoft just shipped its biggest Patch Tuesday ever. Around 200 security fixes in one go, 33 of them Critical. Three zero-days that have been publicly disclosed. And buried in the list, a wormable flaw in the Windows kernel that could spread between PCs with zero user interaction. Install it now.
The wormable one
CVE-2026-45657 is a flaw in the Windows kernel's TCP/IP stack. An attacker can send specially crafted network packets to any Windows PC, get full SYSTEM access, and do it without any login credentials or user interaction. CVSS 9.8 out of 10.
"Wormable" means malware could use this to jump from machine to machine across a network on its own, like the WannaCry ransomware did in 2017. Microsoft says exploitation is "less likely" for now, but every security researcher I've read this morning disagrees with that assessment. This one gets patched first.
Three zero-days
None of these are being actively exploited yet, which is a first in months. But "publicly disclosed" means the technical details are already out there, so it's a matter of when, not if.
Preview-pane attacks are back
Same story as April. Multiple flaws in Office (CVE-2026-47635 and others) that trigger when you preview a document in Outlook or File Explorer. No clicking. No opening. You select the email, the preview pane renders it, and that's enough to run code on your machine.
This is why "I don't click dodgy links" isn't a complete defence. You don't have to click. You just have to look.
Other flaws worth mentioning
- CVE-2026-44815, DHCP client. Buffer overflow in the service that assigns your PC its IP address. Runs on every Windows machine. Potential for remote code execution without authentication.
- CVE-2026-47291, HTTP.sys. Another unauthenticated remote code execution, CVSS 9.8. Systems with default registry settings are not affected, but anything that's been tweaked could be.
- CVE-2026-42985, Remote Desktop. If you connect to a malicious RDP server (a phishing link, for example), it can run code on your machine. Rated "Exploitation More Likely."
How to install
- Settings, then Windows Update
- Check for updates
- Wait 10-30 minutes
- Restart when prompted, not two days later
The update is KB5094126 (24H2 and 25H2). Look in Update history to confirm it's installed.
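The confirmation step above, done from PowerShell rather than the Settings page. This is an added example, not part of the original post: the KB numbers are the ones the post gives, while the build-22000 cut-off for telling Windows 11 from Windows 10 and the registry paths are standard Windows values assumed here.

```powershell
# Added example: check whether the cumulative update named in the post is installed.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild

# Assumption: Windows 11 reports build 22000 or higher; anything lower is Windows 10.
if ($build -ge 22000) {
    $kb = 'KB5094126'   # 24H2 and 25H2, per the post
    if ($cv.DisplayVersion -notin '24H2', '25H2') {
        Write-Warning "Version $($cv.DisplayVersion) is not one the post lists for $kb."
    }
} else {
    $kb = 'KB5094127'   # Windows 10, only offered to ESU-enrolled machines, per the post
}

# Source 1: the installed hotfix list (Win32_QuickFixEngineering).
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# Source 2: Windows Update history, the same data the Update history page shows.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($total -gt 0) {
    $history = @($searcher.QueryHistory(0, $total) | Where-Object { $_.Title -match $kb })
}
$succeeded = @($history | Where-Object { $_.ResultCode -eq 2 })   # 2 = succeeded
$failed    = @($history | Where-Object { $_.ResultCode -eq 4 })   # 4 = failed

# This key exists while Windows Update is waiting for a restart.
$rebootKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$rebootPending = Test-Path $rebootKey

if ($hotfix -or $succeeded.Count -gt 0) {
    if ($rebootPending) {
        "$kb is recorded as installed, but a restart is pending. Reboot to finish."
    } else {
        "$kb is installed (OS build $build.$($cv.UBR))."
    }
} elseif ($failed.Count -gt 0) {
    "$kb failed to install $($failed.Count) time(s), most recently on $($failed[0].Date)."
} else {
    "$kb was not found. Run Windows Update."
}
```

Both sources are checked because a freshly installed update can show in the history before it appears in the hotfix list.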
Good news: this one fixes previous problems
If you hit blue screens (HYPERVISOR_ERROR) after May's preview update, or got stuck in a BitLocker recovery loop from the April patch, this update fixes both. So if you've been putting off updating because of those issues, this is the one that sorts it.
Windows 10
The Windows 10 cumulative is KB5094127, but only if you're enrolled in the Extended Security Updates programme. If you're still on Windows 10 and haven't signed up for free ESU, you're not getting patches at all. See the Windows 10 end-of-life guide for how that works. Free ESU runs out in October.
If Windows Update itself is broken
A PC that can't update can't protect itself. Low disk space, corrupted update cache, third-party antivirus clashing with Defender. I've covered the usual fixes in my common PC problems post, and if storage is the issue, freeing up space on Windows 11 walks through it. If none of that works, I can sort it out. That's what local computer repair is for.
For the full technical breakdown, Bleeping Computer has every CVE listed and Krebs on Security puts it all in context.
Mark has been fixing computers since the late '90s and went self-employed in 2008. Based in St Helens since 2013, he works evenings and weekends from his home in Laffak — friendly, affordable repairs for PCs, laptops, and Macs.