Wormable Windows Kernel Flaw (CVE-2026-45657): Patch Your PC Now

York Computer Repair

Buried inside Microsoft's record-breaking June 2026 Patch Tuesday is a Windows kernel flaw that security researchers are calling wormable — meaning a future exploit could jump from one Windows PC to another across a network with no clicks, no downloads, and no warning. The fix is already available through Windows Update, but only if you actually install it.

What Microsoft just patched

On June 9, Microsoft released its June 2026 Patch Tuesday with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks. Independent analysts put the count even higher — one tracker counted 208 CVEs across Windows, Office, Edge, Azure, .NET, Defender, Exchange Server, Hyper-V, Secure Boot, and BitLocker — and it is by far the largest monthly Microsoft release since CVE tracking began in 2017.

The single most dangerous fix is CVE-2026-45657, a Windows Kernel remote code execution bug. This CVSS 9.8 bug allows remote, unauthenticated attackers to execute code at SYSTEM level without user interaction — it is wormable, and the problem lies in the way the kernel handles TCP/IP. In plain English: a malicious packet sent across a network could take over an unpatched Windows machine, then use that machine to attack the next one.

Why "wormable" is the word that matters

Wormable bugs are how 2017's WannaCry and NotPetya spread across the world in hours. Microsoft listed this one as "Exploitation Less Likely," but every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Once working exploit code is published, any Windows PC still missing the June update becomes a target — especially desktops left on overnight or small-business machines sitting behind a basic router.

The June rollup also patches several other heavy hitters: a publicly disclosed BitLocker bypass that could let a thief unlock a stolen laptop, an HTTP.sys denial-of-service flaw nicknamed "HTTP/2 Bomb," and the "GreenPlasma" privilege escalation zero-day. Windows Secure Boot also received 8 Security Feature Bypass patches this month, continuing a trend of attacker investment in undermining pre-OS boot integrity.

What to do on your PC this weekend

Open Settings → Windows Update → Check for updates, and let the June cumulative update install and reboot. Don't postpone it. If your PC has been refusing updates, freezing during install, or rolling back the patch, that's a sign something deeper is wrong — a corrupted update component, a failing drive, or malware blocking the patch — and it's worth bringing the machine in for a proper desktop diagnostic and repair rather than waiting.

One known side effect to watch for: the fix could cause Windows devices to display an error stating, "A required file couldn't be accessed because your BitLocker key wasn't loaded correctly." If you see a BitLocker recovery prompt after the update, do not wipe the drive — your files are still there, but you'll need the recovery key to get back in, and a botched recovery attempt is one of the fastest ways to need professional file recovery.

If you're still on Windows 10, Microsoft has released the Windows 10 KB5094127 extended security update, which fixes the June 2026 Patch Tuesday vulnerabilities and adds new functionality to monitor the rollout of updated Secure Boot certificates that replace those expiring this month — but only ESU-enrolled or Enterprise LTSC machines will receive it. Regular Windows 10 Home and Pro users without ESU are now exposed to this wormable bug with no fix coming, which is a strong reason to plan an upgrade or hardware refresh.
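
To confirm the steps above actually took effect, here is an added example (not part of the original article) that checks a PC from an elevated PowerShell window. It uses only the June 9, 2026 release date and the Windows 10 KB number quoted above; the function names are hypothetical, and it assumes the cumulative update is recorded by `Get-HotFix`, which does not list every kind of update.

```powershell
# Added example, not from the original article. Run as Administrator.
# Values taken from the article: release date and the Windows 10 ESU KB number.
$ReleaseDate = Get-Date '2026-06-09'
$Win10EsuKb  = 'KB5094127'

function Test-JunePatch {
    # Hypothetical helper: reports whether the June 2026 update appears installed.
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($os -like '*Windows 10*') {
        # The article names the Windows 10 KB, so an exact match is possible.
        $hit = Get-HotFix -Id $Win10EsuKb -ErrorAction SilentlyContinue
        $patched  = [bool]$hit
        $evidence = if ($hit) { $Win10EsuKb } else { 'KB not found' }
    } else {
        # No KB number is given for other versions, so fall back to a heuristic:
        # any update installed on or after the release date. Entries with no
        # InstalledOn date are skipped. Confirm the result in Windows Update.
        $recent = Get-HotFix |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ReleaseDate } |
            Sort-Object InstalledOn -Descending
        $patched  = [bool]$recent
        $evidence = if ($recent) { @($recent)[0].HotFixID } else { 'nothing since release' }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OS       = $os
        Patched  = $patched
        Evidence = $evidence
    }
}

function Test-BitLockerRecoveryKey {
    # Hypothetical helper: before rebooting into the update, make sure a recovery
    # password exists, since the article warns of a possible BitLocker prompt.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol -or $vol.ProtectionStatus -ne 'On') {
        return 'BitLocker is not protecting the system drive.'
    }
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -gt 0) {
        "Recovery password protector present (ID $($rp[0].KeyProtectorId)). Confirm the 48-digit key is saved somewhere other than this PC."
    } else {
        'No recovery password protector found. Add and back one up before updating.'
    }
}

Test-JunePatch
Test-BitLockerRecoveryKey
```

A `Patched` value of `False` on a Windows 10 machine that is not ESU-enrolled or Enterprise LTSC is expected, since those editions do not receive KB5094127.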

What This Means for York, PA

For York County homes and small businesses, the practical move is simple: install the June update on every Windows PC in the house or office this week, and don't ignore reboots. If a machine in York, Spring Grove, Dover, or anywhere in between won't update, throws BitLocker errors, or starts behaving strangely afterward, walk it into our shop at 2069 Carlisle Rd and we'll sort it out.
