Three Zero-Days, 206 Flaws Fixed: Microsoft Delivers Record-Breaking June 2026 Patch Tuesday

In total, Microsoft addressed 206 vulnerabilities, including three publicly disclosed zero-day vulnerabilities. The update includes 33 Critical vulnerabilities, with a heavy concentration of remote code execution (RCE) and elevation of privilege flaws that could significantly impact enterprise environments if left unpatched. Additionally, Microsoft Edge incorporated fixes for approximately 360 Chromium-related vulnerabilities released by Google.

The June release includes vulnerabilities spanning privilege escalation, remote code execution, information disclosure, spoofing, denial-of-service, and security feature bypass categories, reinforcing the need for rapid patch deployment across endpoints, servers, cloud workloads, and hybrid infrastructures.

Microsoft's June 2026 Patch Tuesday addressed three publicly disclosed zero-day vulnerabilities. Although Microsoft did not report active exploitation at release, public disclosure substantially increases the likelihood of near-term exploitation attempts.

1. CVE-2026-49160 — HTTP.sys Denial of Service Vulnerability (Publicly Disclosed)

This vulnerability affects the Windows HTTP protocol stack (HTTP.sys) and results from uncontrolled resource consumption in HTTP/2 processing. An unauthenticated attacker can exploit the flaw remotely by sending specially crafted network requests that exhaust system resources and trigger a denial-of-service condition. Because HTTP.sys is used extensively across Windows Server environments, web services, and enterprise applications, successful exploitation could disrupt critical business services and infrastructure. Organizations exposing HTTP-based services should prioritize patching affected systems.

2. CVE-2026-45586 — Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability (Publicly Disclosed)

This elevation-of-privilege vulnerability exists within the Windows Collaborative Translation Framework and involves improper handling of link-following operations. An authenticated attacker with local access can exploit the flaw to obtain SYSTEM-level privileges. The vulnerability is particularly dangerous in post-compromise scenarios, where attackers can leverage it to gain complete control of affected systems, disable security controls, and establish persistence.

3. CVE-2026-50507 — Windows BitLocker Security Feature Bypass Vulnerability (Publicly Disclosed)

This vulnerability impacts Windows BitLocker and allows attackers with physical access to bypass encryption-related security protections. The flaw stems from a failure in BitLocker's protection mechanisms and could potentially enable unauthorized access to encrypted data. Organizations relying on BitLocker to protect sensitive information on laptops and portable devices should prioritize patch deployment and verify physical security controls.

1. CVE-2026-47291 — HTTP.sys Remote Code Execution Vulnerability (Critical)

This vulnerability affects the Windows HTTP protocol stack (HTTP.sys). A remote attacker can exploit the flaw by sending specially crafted requests to a vulnerable system, potentially leading to arbitrary code execution. Systems exposing web services are at increased risk and should be patched immediately

2. CVE-2026-44815 — DHCP Client Service Remote Code Execution Vulnerability (Critical)

A remote code execution vulnerability in the Windows DHCP Client Service could allow an attacker to execute arbitrary code on affected systems through specially crafted network traffic. Successful exploitation may result in complete system compromise.

3. CVE-2026-45641 — Windows Hyper-V Remote Code Execution Vulnerability (Critical)

This vulnerability impacts Windows Hyper-V and could allow an attacker to execute code within the virtualization environment. Organizations running virtualized workloads should prioritize patching to prevent potential compromise of guest or host systems.

4. CVE-2026-45458 — Microsoft Outlook and Word Remote Code Execution Vulnerability (Critical)

A specially crafted document or email content can trigger remote code execution when processed by Microsoft Outlook or Word. The vulnerability presents a significant phishing risk for enterprise users.

5. CVE-2026-45648 — Windows Active Directory Domain Services Remote Code Execution Vulnerability (Critical)

This flaw affects Active Directory Domain Services and could allow remote code execution on vulnerable domain infrastructure. Successful exploitation may impact authentication services and broader enterprise environments.

6. CVE-2026-32193 — Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability (Critical)

A critical vulnerability in Azure Kubernetes Service could allow attackers to execute code within affected cloud environments. Organizations utilizing AKS should apply updates promptly to reduce the risk of cloud workload compromise.

The June 2026 Microsoft Patch Tuesday update addressed an exceptionally broad set of products and components, covering over 200 vulnerabilities across the Microsoft ecosystem, including multiple actively exploited zero-days.

• Core Windows operating system (client and server editions)
• Windows kernel and privilege escalation components, including memory management and security boundary enforcement layers
• Windows Cloud Files Mini Filter Driver and related filesystem drivers, with at least one actively exploited elevation-of-privilege vulnerability
• Microsoft Edge (Chromium-based browser) as part of the monthly security update rollup
• Windows networking stack and authentication services, including RPC and LDAP-related components
• Microsoft Defender and security tooling components, impacted by bypass and elevation issues
• Office productivity suite components, including Office scripting and document parsing vulnerabilities

• Prioritize patch deployment immediately: The presence of multiple zero-days, including those affecting Windows kernel and file system drivers, increases the risk of active exploitation and privilege escalation attacks.
• Ensure full enterprise-wide coverage: All Windows endpoints, servers, virtual machines, and cloud instances must be updated due to the wide range of affected subsystems.
• Monitor privileged activity closely: Focus on unusual escalation attempts, token manipulation, and suspicious driver or service interactions following exploitation paths.
• Audit systems relying on filter drivers and file sync services: Components like Cloud Files and related storage filters may impact enterprise file-sharing and sync workflows.
• Review browser and Office attack surface: Ensure Edge and Office are fully patched, as both remain common initial access vectors for phishing and document-based exploitation.
• Strengthen defense-in-depth controls: Apply least privilege, endpoint detection and response (EDR) monitoring, and logging for kernel and authentication anomalies, as patching alone does not eliminate post-exploitation risk.

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.