Affected Windows systems

CVE-2026-42904 is a vulnerability in the Windows TCP/IP stack. The attack vector is not an arbitrary internet path, but an adjacent network. For operators, that is still relevant: client LANs, Wi-Fi, VPN-adjacent networks, lab segments, production networks, and shared admin or server networks are often less separated than the documentation suggests.

Current Windows client and server versions are affected, including Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025. Successful exploitation can lead to SYSTEM privileges. Even without known active exploitation, the CVSS 9.6 score and network proximity put this into the short patch queue.

What should be documented now

  1. Capture patch state: Compare Windows 10, Windows 11, Windows Server 2022, and Windows Server 2025 systems against the June 2026 security updates or newer cumulative updates.
  2. Verify builds with samples: Prove at least build 20348.5256 for Windows Server 2022 and 26100.32995 for Windows Server 2025. Check Windows 11 and Windows 10 rings against the released June builds for their versions.
  3. Close reboots: Installation alone is not enough. Reboot state, pending restarts, and failed update attempts need to be visible.
  4. Prioritize LAN-adjacent systems: Start with admin workstations, jump hosts, terminal servers, VDI, kiosk systems, training networks, production, lab, VPN access, and shared Wi-Fi.
  5. Review segment boundaries: Do not accept client-to-client traffic, broad server networks, or unplanned reachability between VPN, Wi-Fi, and server segments as normal.

For mixed client and server networks

This vulnerability is a useful reason to review patch management and network segmentation together. If an attacker from a weakly controlled client or VPN segment can directly reach many Windows systems, an adjacent-network vector becomes much more valuable in practice.

Short term, patch evidence matters most. In parallel, flat networks, host firewall exceptions, and historical allow rules should be reviewed. Critical systems do not need to be directly reachable from every workstation, Wi-Fi, or VPN network.

If only one step can be done immediately: prove June patch state and reboot completion for LAN-adjacent Windows systems, then reduce unnecessary east-west reachability.