Microsoft June 2026 Patch Tuesday Addresses 206 Vulnerabilities, Highlighting Critical RCE Flaws

Microsoft has rolled out its June 2026 Patch Tuesday security update, a comprehensive release that tackles a total of 206 vulnerabilities across its product ecosystem. Of particular concern are 32 "critical" flaws, with 28 of these being remote code execution (RCE) vulnerabilities. These critical issues affect a wide array of Microsoft services and applications, including Windows Active Directory, the Windows Kerberos Key Distribution Centre (KDC), the Windows Graphics component, the Windows Remote Desktop client, Windows Deployment Services (WDS), the DHCP Client service, Windows Hyper-V, Windows Kernel and Media, Azure Kubernetes Service (AKS), Microsoft Office, Microsoft Outlook, Microsoft Word, Microsoft SQL Server, and the Windows HTTP Protocol Stack.

Cisco Talos has specifically highlighted four critical vulnerabilities that Microsoft has deemed "more likely" to be exploited. These include CVE-2026-42985, a heap-based buffer overflow in the Remote Desktop Client that could allow an unauthorized attacker to execute code remotely over a network. Another critical flaw, CVE-2026-47291, resides in the Windows HTTP Protocol Stack (http.sys) and is an integer overflow vulnerability. Attackers could exploit this by sending specially crafted packets to a targeted server.

Furthermore, Talos points to CVE-2026-44803 and CVE-2026-44812, both critical RCE vulnerabilities within the Windows Graphics component. These stem from integer overflows or wraparound issues in the Win32K – GRFX subsystem. Successful exploitation would allow an unauthorized attacker to execute malicious code locally on the affected system.

Beyond these four, Talos also draws attention to 23 other critical vulnerabilities that Microsoft classifies as "less likely" to be exploited, though still posing significant risks. These include multiple heap-based buffer overflows in the Windows Remote Desktop Client (CVE-2026-42992, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, and CVE-2026-48563). Exploiting these often requires an attacker to control a Remote Desktop Server and lure a victim into connecting to it.

Other notable critical vulnerabilities addressed include out-of-bounds reads in Windows Hyper-V (CVE-2026-45607, CVE-2026-45641, CVE-2026-47652), which could allow an authenticated attacker within a guest VM to execute code on the host. A use-after-free vulnerability in the Windows Kernel (CVE-2026-45657) and a heap-based buffer overflow in Windows Media (CVE-2026-48574) also present remote code execution risks.

The update also patches critical RCE vulnerabilities in Windows Deployment Services (CVE-2026-42987) due to a use-after-free flaw, and in the Windows DHCP Client (CVE-2026-44815) due to a stack-based buffer overflow. Additionally, several vulnerabilities in Microsoft Office applications, including Outlook and Word (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635, CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474), related to type confusion and use-after-free flaws, could allow local code execution, particularly when rendering emails in Outlook.

Microsoft's proactive patching efforts, detailed in this June 2026 Patch Tuesday, underscore the ongoing challenges in securing complex software environments. The sheer volume of critical vulnerabilities, especially those enabling remote code execution, highlights the persistent threat landscape and the critical importance of timely security updates for organizations worldwide.

Microsoft's June 2026 Patch Tuesday addressed approximately 200 vulnerabilities, with three specific flaws having been publicly disclosed prior to the release of patches. Among these, CVE-2026-49160 is a denial-of-service issue affecting Windows HTTP2/Bomb, CVE-2026-50507 is a Windows BitLocker security bypass, and CVE-2026-45586 is a Windows Collaborative Translation Framework privilege escalation bug. Microsoft has assessed all three publicly disclosed vulnerabilities as having a higher likelihood of exploitation.