ctipilot.ch

June 2026 Patch Tuesday criticals (Windows kernel TCP/IP RCE + PowerScribe + Azure Stack Edge + Exchange Online)

cve · CVE-2026-45657

  • Coverage timeline: 1 (first 2026-06-12 → last 2026-06-12)
  • Briefs: 1 (1 distinct)
  • Sources cited: 563 (186 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-12 · CTI Daily Brief — 2026-06-12
    trending_vulns · First coverage. Four CVSS ≥ 9.1 June Patch Tuesday criticals grouped; CVE-2026-45657 (unauthenticated network kernel RCE) is the priority.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • thehackernews.com: 41 (7%)
  • attack.mitre.org: 38 (7%)
  • github.com: 33 (6%)
  • bleepingcomputer.com: 30 (5%)
  • security-hub.ncsc.admin.ch: 23 (4%)
  • securityweek.com: 19 (3%)
  • msrc.microsoft.com: 18 (3%)
  • wid.cert-bund.de: 17 (3%)
  • other: 344 (61%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (563)

Items in briefs about June 2026 Patch Tuesday criticals (Windows kernel TCP/IP RCE + PowerScribe + Azure Stack Edge + Exchange Online) (1)

June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

Microsoft's June cumulative update (9 June) carries four criticals that clear the CVSS 9+ bar. CVE-2026-45657 (CVSS 9.8) is the priority: a use-after-free with a heap-overflow component in the Windows kernel's TCP/IP processing path, reachable by "specially crafted network traffic" with no authentication and no user interaction, yielding SYSTEM-level code execution (Microsoft MSRC, 2026-06-09). Microsoft rates exploitation "Less Likely" and reports no in-the-wild activity, but the unauthenticated network-reachable kernel surface makes this the June cycle's patch-first item for any Windows host exposed to untrusted networks.

CVE-2026-26142 (CVSS 9.8) is an unauthenticated deserialization-of-untrusted-data RCE (CWE-502) in Nuance PowerScribe, the radiology reporting platform common in hospital imaging departments; clinical networks integrating PowerScribe with PACS/RIS should patch and restrict the service to clinical subnets (Microsoft MSRC, 2026-06-09).

CVE-2026-47643 (CVSS 9.8) lets an unauthenticated attacker control the file name/path in an Azure Stack Edge upload endpoint (CWE-73), writing outside the intended directory through to code execution on the hybrid-cloud appliance (Microsoft MSRC, 2026-06-09).

CVE-2026-48579 (CVSS 9.1), an improper-authorisation information-disclosure flaw in Exchange Online, is already fixed service-side with no customer action required; tenants wanting assurance can review the Unified Audit Log for anomalous mailbox-access operations predating 4 June (Microsoft MSRC, 2026-06-04).

NCSC-NL groups these in its June Patch Tuesday advisories (NCSC-NL, 2026-06-11, NCSC-NL 0189).