Microsoft Patch Tuesday security updates for June 2026 set a record: Microsoft shipped fixes for 208 CVEs across Windows, Office, Azure, Exchange, Hyper-V, Secure Boot, BitLocker, and a range of AI tooling. Add in Chromium and other third-party components bundled in Microsoft products and the total for the month lands at 571 CVEs.
“I’ve been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time,” reads the report published by ZDI. “The previous record was 177 set last year.”
To put that in context, the total CVE count Microsoft has shipped in 2026 so far already exceeds everything shipped in all of 2018.
One bug, tracked as CVE-2026-41091, is confirmed under active exploitation. Three others were publicly known before today’s patches dropped. All four should be at the top of your list.
Below are descriptions of some of the most interesting issues addressed by the June 2026 Patch Tuesday updates.
CVE-2026-41091 (CVSS score of 7.8) – Microsoft Defender Elevation of Privilege Vulnerability. Multiple researchers were credited for this one, which usually means more than one party observed it being exploited independently. The practical upside: the Defender platform and engine update themselves, so most users don’t need to do anything manually. If you’ve disabled automatic updates or run in an isolated environment, push the latest platform version now and confirm it landed.
CVE-2026-45657 (CVSS score of 9.8) – Windows Kernel Remote Code Execution Vulnerability. A remote, unauthenticated attacker can execute code as SYSTEM with no user interaction through a flaw in the kernel’s TCP/IP handling, which makes it wormable. Microsoft rates it “Exploitation Less Likely,” but a 9.8 kernel network bug is exactly what patch-differs go after first; expect the fix to be reversed quickly. Test fast, deploy faster.
CVE-2026-47291 (CVSS score of 9.8) – HTTP.sys Remote Code Execution Vulnerability. Another critical issue, same profile: remote, unauthenticated, no user interaction required. There’s one important nuance: systems running with the default MaxRequestBytes registry value (under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) are not affected. Microsoft has marked this “Exploitation More Likely,” so check that value today, and remember that HTTP.sys fronts more than IIS: WinRM and other HTTP API listeners use it too. The bulletin includes both manual instructions and a PowerShell script to apply the mitigation while you prepare the patch.
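The following is an added example for the check above, not the article’s text and not Microsoft’s mitigation script from the bulletin. It reports, locally or across a fleet over WinRM, whether a host runs HTTP.sys with the default MaxRequestBytes or with an explicit override that should be reviewed against the bulletin. It assumes the documented HTTP.sys parameters key shown, and it treats an absent value as the built-in default (16384 bytes per Microsoft’s HTTP.sys documentation); any explicitly set value is flagged for review, even if it happens to equal the default, because the bulletin only says the default configuration is unaffected.

```powershell
# Added example (not from the article or the Microsoft bulletin): audit the HTTP.sys
# MaxRequestBytes setting that decides exposure to CVE-2026-47291.
# Assumptions: value lives under the documented HTTP.sys parameters key below;
# an absent value means the compiled-in default of 16384 bytes.
function Get-HttpSysMaxRequestBytesState {
    $key            = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $name           = 'MaxRequestBytes'
    $builtInDefault = 16384

    # -Name on a missing value is a non-terminating error, so this returns $null
    # instead of throwing when no override is present.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $builtInDefault
        $overridden = $false
    } else {
        $value = [int]$item.$name
        $overridden = $true
    }

    # HTTP.sys is a kernel driver, so query Win32_SystemDriver rather than Get-Service.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MaxRequestBytes = $value
        Overridden      = $overridden
        # Only an absent value counts as "default"; an explicit value is flagged for
        # review even when it equals 16384, since the bulletin's wording is about the
        # default configuration, not a specific number.
        NeedsReview     = $overridden
        HttpSysRunning  = ($null -ne $drv -and $drv.State -eq 'Running')
    }
}

# Local check.
$state = Get-HttpSysMaxRequestBytesState
if ($state.NeedsReview) {
    Write-Warning ("{0}: MaxRequestBytes overridden to {1}; apply the bulletin mitigation, then patch." -f
        $state.ComputerName, $state.MaxRequestBytes)
} else {
    Write-Output ("{0}: MaxRequestBytes at default ({1}); not affected per the bulletin, but still patch." -f
        $state.ComputerName, $state.MaxRequestBytes)
}

# Fleet check over WinRM. The host list file is a placeholder; the function body is
# shipped as a scriptblock, so it runs on each remote host without relying on local
# variables. Note that WinRM itself listens through HTTP.sys, so every host that
# answers here has the driver loaded.
# $hosts = Get-Content .\servers.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-HttpSysMaxRequestBytesState} |
#     Where-Object NeedsReview | Sort-Object ComputerName | Format-Table -AutoSize
```

The script only reports; applying the mitigation is left to the bulletin’s own instructions so that the registry change matches what Microsoft tested. Run it as an administrator so the CIM driver query succeeds, and keep the output, since the overridden hosts are the ones to re-verify after the patch is deployed.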
CVE-2026-44815 (CVSS score of 9.8) – DHCP Client Service Remote Code Execution Vulnerability. The write-up contradicts itself: the CVSS vector says no authentication is required, while the text says “authenticated user.” When the documentation conflicts, plan for the worse case, which here is the vector: a remote, unauthenticated attacker executing code with no user interaction. The DHCP Client service is enabled by default on every Windows installation, which makes this a high-value target; the practical caveat is that a DHCP attacker generally needs to be on the same network segment or in the relay path to reach the client. Prioritize testing and deployment.
Three publicly known bugs round out the priority list. CVE-2026-49160 is an HTTP.sys denial-of-service tied to the HTTP/2 Bomb technique. CVE-2026-45586 is a privilege escalation in the Windows Collaborative Translation Framework that can reach SYSTEM. CVE-2026-50507 is a BitLocker bypass requiring physical access, and if you’ve followed the ongoing conflict between researcher Nightmare Eclipse and Microsoft’s security response team, it’s a fix for “YellowKey.” A companion patch, CVE-2026-45585, appears to cover “GreenPlasma.” The researcher has threatened a “bone shattering” new exploit drop on June 14.
Ten Secure Boot patches this month carry what CVSS calls “scope change,” meaning the impact reaches beyond the vulnerable component into a different security authority: here, boot integrity, Virtual Secure Mode, and pre-OS execution. The bulk are credited to Alon Leviev, whose Windows Downdate research on reviving patched boot-chain and VBS weaknesses through downgrade attacks is well known. Two UEFI Secure Boot bugs go deeper still: local admin or physical access is required, but success means running untrusted code before the OS loads. Bootkit territory.
The volume of this release raises a question ZDI’s Dustin Childs asks directly: “Is this the new normal? The last two months were also large releases. Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates?”
Microsoft isn’t answering. July 14 is next, and it typically arrives heavy ahead of Black Hat and DEF CON. Plan accordingly.
The full list of CVEs addressed by Microsoft is available here.
(SecurityAffairs – hacking, Microsoft Patch Tuesday)