Microsoft Patch Tuesday June 2026: 198 Vulnerabilities Fixed, Including Three Actively Exploited Zero-Days
Microsoft's June 2026 Patch Tuesday addresses 198 vulnerabilities, notably including three zero-days that were actively exploited in the wild.
Microsoft has released its June 2026 Patch Tuesday security updates, tackling a substantial 198 vulnerabilities across its product ecosystem. The June rollout, published on June 9, 2026, is particularly significant due to the inclusion of three zero-day vulnerabilities that were either actively exploited or publicly known before a fix was available. Security administrators are strongly urged to prioritize the deployment of these patches, as customer action is required for every CVE addressed in this cycle.
The vulnerabilities patched span various categories, with the largest counts in Elevation of Privilege (63), Remote Code Execution (54), Spoofing (27), Information Disclosure (26), Security Feature Bypass (18), and Denial of Service (7). The total number of vulnerabilities fixed stands at 198.
Among the most critical are three zero-day flaws. CVE-2026-50507 is a Windows BitLocker Security Feature Bypass, rated Important. Successful exploitation could allow an attacker with physical or local access to circumvent BitLocker's full-disk encryption, compromising data security on lost or stolen devices. CVE-2026-49160 is an HTTP.sys Denial of Service vulnerability affecting the HTTP/2 stack, also rated Important. This flaw could enable attackers to take internet-facing servers offline by sending crafted requests.
The third zero-day, CVE-2026-45586, rounds out the trio of pre-disclosure flaws confirmed by Microsoft to be known to attackers before a patch was ready. These three vulnerabilities highlight persistent attacker interests in compromising encryption, disrupting services, and undermining boot-path integrity.
Beyond the zero-days, this cycle includes 54 Remote Code Execution (RCE) vulnerabilities, with a significant number rated Critical. The Remote Desktop Client alone received 11 RCE patches, including critical flaws like CVE-2026-44801 and CVE-2026-44799. Windows Hyper-V was also heavily impacted by Critical RCE vulnerabilities such as CVE-2026-47652, which could allow for VM guest escape and code execution on the host system. Other notable Critical RCEs include issues in HTTP.sys, Windows Kerberos KDC, Active Directory Domain Services, Azure Kubernetes Service, and Nuance PowerScribe.
Microsoft Office also saw several Critical RCE patches, with vulnerabilities in Outlook and Word (CVE-2026-45458, CVE-2026-45456, CVE-2026-45474, CVE-2026-45472) being exploitable via malicious document delivery. Privilege escalation is a dominant theme this month, with 63 Elevation of Privilege (EoP) vulnerabilities patched. Key components affected include the Windows DWM Core Library, Windows Ancillary Function Driver for WinSock, Windows Push Notifications, and the Windows Kernel. The Critical-rated Microsoft Cryptographic Services EoP (CVE-2026-44810) is particularly concerning as it targets a fundamental security subsystem.
Furthermore, Windows Secure Boot received eight Security Feature Bypass patches, continuing a trend of attackers targeting pre-OS boot integrity. Given the presence of three actively known zero-days and numerous Critical RCEs, security teams must prioritize testing and deploying these updates without delay. Immediate focus should be placed on systems running BitLocker, HTTP.sys, Remote Desktop, and Hyper-V. For organizations unable to patch immediately, network segmentation and restricting RDP exposure are recommended mitigation strategies until updates can be applied.
Microsoft's June 2026 Patch Tuesday addresses a total of 200 vulnerabilities, an increase from the 198 initially reported. Among these are three publicly disclosed zero-day flaws, including CVE-2026-45586 (Windows CTFMON Elevation of Privilege), CVE-2026-49160 (HTTP.sys Denial of Service), and CVE-2026-50507 (Windows BitLocker Security Feature Bypass), though none are confirmed to have been actively exploited in the wild. The update also includes fixes for 33 critical vulnerabilities, with a significant portion enabling remote code execution.
This latest report from Tenable Blog details Microsoft's June 2026 Patch Tuesday, which has set a new record by addressing a staggering 198 CVEs. Among these are 32 critical and 166 important vulnerabilities, surpassing previous release sizes. Notably, the update includes patches for CVE-2026-50507, a Windows BitLocker security feature bypass, and CVE-2026-49160, an HTTP.sys denial-of-service flaw affecting HTTP/2, both of which were publicly disclosed prior to patching.