Microsoft Patch Tuesday June 2026: 198 Vulnerabilities Fixed
Microsoft has released its June 2026 Patch Tuesday security updates, fixing 198 vulnerabilities across its product ecosystem.
The June rollout, published on June 9, 2026, stands out not only for its volume but also for the inclusion of three zero-day vulnerabilities that were actively exploited or publicly known before a fix was available.
Administrators are urged to prioritize deployment, as customer action is required for every CVE in this cycle.
| Vulnerability Type | Count |
|---|---|
| Elevation of Privilege | 63 |
| Remote Code Execution | 54 |
| Spoofing | 27 |
| Information Disclosure | 26 |
| Security Feature Bypass | 18 |
| Denial of Service | 7 |
| Tampering | 3 |
| Total | 198 |
3 Zero-Days Patched
CVE-2026-50507 is a Windows BitLocker Security Feature Bypass rated Important. A successful bypass could allow an attacker with physical or local access to circumvent BitLocker’s full-disk encryption protections, undermining a control that many organizations treat as a last line of defense for lost or stolen devices.
CVE-2026-49160 is an HTTP.sys Denial of Service vulnerability affecting the HTTP/2 stack, also rated Important. Because HTTP.sys sits beneath IIS and other Windows networking services, a crafted request stream could knock exposed web-facing servers offline, making this a priority for internet-facing infrastructure.
The third zero-day, CVE-2026-45586, rounds out the trio of pre-disclosure flaws Microsoft confirmed were known to attackers ahead of patch availability. Together, the three underscore a recurring theme: encryption bypass, service disruption, and boot-path integrity remain favorite targets.
Critical RCE Vulnerabilities Patched
Beyond the zero-days, this cycle contains 54 RCE vulnerabilities, of which a notable subset is rated Critical.
Remote Desktop Client received the most concentrated cluster of RCE patches, with 11 total CVEs, including Critical-rated CVE-2026-44801, CVE-2026-44799, CVE-2026-42992, and CVE-2026-42985.
Windows Hyper-V was also significantly impacted by Critical RCE vulnerabilities CVE-2026-47652, CVE-2026-45641, and CVE-2026-45607, all capable of allowing VM guest escape and code execution on the host.
Other Critical RCE highlights include:
- CVE-2026-47291 – HTTP.sys Remote Code Execution
- CVE-2026-47288 – Windows Kerberos KDC RCE (critical for Active Directory infrastructure)
- CVE-2026-45648 – Active Directory Domain Services RCE
- CVE-2026-32193 – Azure Kubernetes Service (AKS) RCE
- CVE-2026-26142 – Nuance PowerScribe RCE (healthcare environments)
Microsoft Office also shipped several Critical RCE patches: CVE-2026-45458 and CVE-2026-45456 (Outlook and Word), CVE-2026-45474, and CVE-2026-45472, all exploitable via malicious document delivery.
With 63 EoP vulnerabilities, privilege escalation dominates this patch cycle. Key components affected include Windows DWM Core Library (11 EoP CVEs), Windows Ancillary Function Driver for WinSock (7 CVEs), Windows Push Notifications (4 CVEs), and the Windows Kernel (CVE-2026-48583, CVE-2026-45653).
The Critical-rated Microsoft Cryptographic Services EoP (CVE-2026-44810) is particularly notable as it targets a foundational security subsystem. These EoP flaws are frequently chained with initial access exploits in multi-stage attack scenarios to gain SYSTEM-level control.
Windows Secure Boot received 8 Security Feature Bypass patches this month, continuing a trend of attacker investment in undermining pre-OS boot integrity.
Given three actively known zero-days and multiple Critical RCEs, security teams should test and deploy this month’s updates without delay, prioritizing BitLocker, HTTP.sys, Remote Desktop, and Hyper-V hosts. Where immediate patching is not possible, network segmentation and restricting RDP exposure can reduce risk until updates are applied.