[Nothing Weaponized, Everything Exposed]

Microsoft's June release carried zero exploited-in-the-wild and zero publicly disclosed bugs, so Kikta and Miles treat the exploitation-more-likely list as the forcing function for triage in place of a zero-day anchor.

CVE-2026-47291 is the one to patch first: a CVSS 9.8 integer overflow in HTTP.sys, the kernel-mode driver that sits under IIS and WinRM. It is unauthenticated, needs no user interaction, and is the only bug this month that is both a 9.8 and on the more-likely list.

Patch HTTP.sys alongside two more pre-auth network criticals in the same window: CVE-2026-45657, a Windows kernel use-after-free at 9.8 that runs as SYSTEM, and the DHCP pair CVE-2026-44815 (client RCE, 9.8) and CVE-2026-45602 (tampering, 9.1).

The only working exploit code this month sits on Linux: CVE-2026-46333, a ptrace logic flaw Qualys disclosed May 22 with four working exploits, gives local root after hiding in the mainline kernel for roughly nine years. A new Dirty Frag variant, Fragnesia (CVE-2026-46300), calls for pushing one mitigation across the whole Linux fleet, which Automox Worklets are built to do.

Supply chain breaches that never got a CVE played out the same dev-tooling risk in the wild. A poisoned NX Console VS Code extension reached roughly 3,800 of GitHub's internal repos, traced back to a TanStack compromise that shipped 84 malicious versions across 42 packages with valid SLSA provenance. A separate Red Hat npm compromise tracked as Miasma harvested cloud credentials through an npm preinstall hook, and Team PCP also planted a credential-stealing, file-wiping build of Microsoft's DurableTask package on PyPI.