Microsoft’s June 2026 Patch Tuesday resolves 206 CVEs including two CVSS 9.5 unauthenticated RCE flaws in the Windows kernel TCP/IP stack and HTTP.sys that require no user interaction and meet wormability criteria. Three CVEs were publicly disclosed before patch availability, and the affected surface spans internet-facing Windows Server, DHCP infrastructure, BitLocker-managed endpoints, and Microsoft Office. This is an emergency-tier patch cycle regardless of KEV listing status.