Microsoft June 2026 Patch Tuesday: 25 Vulnerabilities Disclosed, Including 3 Zero-Days
Microsoft's June 2026 Patch Tuesday addressed 25 vulnerabilities across its product ecosystem, including three actively exploited zero-days and numerous high-severity flaws.
Key findings
- Microsoft's June 2026 Patch Tuesday addressed 25 vulnerabilities, including three zero-days.
- Multiple high-severity privilege escalation and security bypass flaws affect Windows Secure Boot and PC Manager.
- Eleven heap overflow vulnerabilities in Remote Desktop Client could allow remote code execution.
- SharePoint and HTTP/2 also saw significant vulnerability disclosures.
- The batch included vulnerabilities ranging from information disclosure to remote code execution.
- All disclosed CVEs required customer action and were part of a larger update addressing 198 flaws.
Microsoft's June 2026 Patch Tuesday, released on June 9, 2026, saw the disclosure of 25 vulnerabilities affecting various Microsoft products. This batch included three zero-day vulnerabilities that were publicly known or actively exploited prior to the patch release, alongside a significant number of high-severity flaws impacting core Windows components and applications like Microsoft PC Manager and Remote Desktop Client. The disclosures occurred within a tight one-hour window, highlighting a coordinated release strategy by Microsoft to address critical security issues.
Several vulnerabilities focused on privilege escalation and security feature bypass. Notably, multiple high-severity flaws in Windows Secure Boot (CVE-2026-48578, CVE-2026-48576, CVE-2026-48575, CVE-2026-48573, CVE-2026-48570, CVE-2026-48568) and Windows Boot Manager (CVE-2026-47656) allowed authorized attackers to bypass security features locally. Additionally, Microsoft PC Manager was affected by several high-severity privilege escalation vulnerabilities, including CVE-2026-50512 (missing authentication for critical function) and CVE-2026-50511 (improper link resolution).
The Remote Desktop Client was particularly impacted, with a cluster of eleven heap-based buffer overflow vulnerabilities disclosed together. These flaws, including CVE-2026-47653 (CVSSv3 8.8), CVE-2026-47652 (CVSSv3 8.2), and CVE-2026-48563, could allow unauthorized attackers to execute code remotely over a network. Microsoft Office SharePoint also saw a significant number of vulnerabilities patched, including medium-severity Cross-Site Scripting (XSS) flaws like CVE-2026-48562 and CVE-2026-48560, which could lead to spoofing attacks.
Beyond privilege escalation and remote code execution, other vulnerabilities addressed include information disclosure flaws in Windows NTLM (CVE-2026-50508) and Windows DWM Core Library (CVE-2026-48566), and a denial-of-service vulnerability in HTTP/2 (CVE-2026-49160). The Windows BitLocker security feature was also targeted with a protection mechanism failure vulnerability (CVE-2026-50507), allowing bypass via a physical attack.
Microsoft's June 2026 Patch Tuesday update addressed a total of 198 vulnerabilities, with 33 classified as Critical. The three zero-day vulnerabilities were highlighted by BleepingComputer and Cyber Security News. Administrators were urged to prioritize deployment of these updates, as customer action was required for all disclosed CVEs in this cycle. The sheer volume of vulnerabilities patched, coupled with the presence of actively exploited zero-days, underscores the importance of timely patching for maintaining system security.
Users are strongly advised to ensure their systems are updated to the latest security patches provided by Microsoft to mitigate the risks associated with these vulnerabilities. The coordinated disclosure and patching strategy aims to provide a comprehensive security update for the month, covering a wide range of potential attack vectors across the Microsoft ecosystem.