Microsoft June Patch Tuesday Breaks Records, Includes 4 Zero-Day Fixes
Microsoft's June Patch Tuesday release is one of the largest in company history, but the bigger concern for enterprise IT teams is the handful of zero-days already known to attackers and researchers.
Microsoft this month addressed 198 CVEs, including 32 rated critical and 166 rated important. Zero Day Initiative put its count higher, at more than 200 Microsoft CVEs, noting that Microsoft's own tooling appeared to include some irregularities in the release data. Either way, June represents a record-setting month for administrators already dealing with a steady rise in Microsoft patch volume.
Four Zero-Day Holes Highlight June
The main focus, however, is on four zero-days: CVE-2026-41091, a Microsoft Defender elevation-of-privilege flaw; CVE-2026-49160, an HTTP.sys denial-of-service issue tied to the publicly disclosed HTTP/2 Bomb research; CVE-2026-50507, a Windows BitLocker security feature bypass; and CVE-2026-45586, a Windows Collaborative Translation Framework, or CTFMON, elevation-of-privilege vulnerability.
CVE-2026-41091 is the most urgent because it's already been exploited in the wild. If left unpatched, the hole could allow an authorized attacker to elevate privileges locally. Because Defender typically updates automatically, many orgs may already be protected, but isolated systems and environments that tightly control security intelligence or engine updates should verify coverage.
The remaining three zero-days were publicly disclosed before patches were available and haven't been seen being exploited in the wild -- yet. CVE-2026-49160 affects HTTP.sys and is rated important with a CVSS score of 7.5. It is a denial-of-service vulnerability in HTTP/2 handling that could allow an unauthenticated remote attacker to disrupt affected systems. Researchers have dubbed the broader technique HTTP/2 Bomb, and public technical details make the issue especially relevant for organizations running internet-facing services or high-availability internal web applications.
Mike Walters, president and co-founder of Action1, said the HTTP.sys issue should be treated as a business continuity risk, even though it is not a code execution flaw.
"Even without confirmed active exploitation, denial-of-service risk can quickly become a real business disruption for internet-facing or high-availability systems," Walters said.
CVE-2026-50507 is a Windows BitLocker security feature bypass rated important with a CVSS score of 6.8. Microsoft said exploitation requires physical access, but the issue is still notable because BitLocker is widely used to protect data on lost, stolen or unattended devices. Microsoft assessed exploitation as more likely.
The BitLocker flaw also appears to overlap with the recent Nightmare-Eclipse, also known as Chaotic Eclipse, disclosures that drew attention to potential bypasses affecting Windows recovery and encryption protections.
"While the attack requires physical access, the potential impact is significant because BitLocker is commonly relied upon to protect sensitive business and personal data when devices are lost, stolen, or accessed by unauthorized individuals," said Jack Bicer, director of vulnerability research at Action1.
The fourth zero-day, CVE-2026-45586, affects CTFMON, the Windows component tied to alternative text input services. It's an elevation-of-privilege vulnerability rated important with a CVSS score of 7.8. Successful exploitation could allow a local authenticated attacker to gain SYSTEM privileges, making it useful as part of a broader compromise chain.
Alex Vovk, CEO and co-founder of Action1, said the flaw deserves attention because privilege escalation bugs often turn an initial foothold into full endpoint control. "A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time," Vovk said.
Tyler Reguly, associate director of security research and development at Fortra, said the June release is notable not just for its size, but for what it may say about the current vulnerability research environment.
"If Patch Tuesday was all about the numbers, we'd be feeling the weight of this month's announcement -- 206 Microsoft CVEs, 362 non-Microsoft CVEs," Reguly said. "I would say that the list of 568 CVEs would be the longest ever listed on a Microsoft page, but the list was so long, they excluded the 360 Chrome CVEs."
Reguly also pointed to the likelihood that Microsoft's June release includes fixes for two of the recent Chaotic Eclipse disclosures.
"While not yet confirmed, the biggest news of the day will likely be that we appear to have fixes for two of Chaotic Eclipse's vulnerabilities – GreenPlasma (CVE-2026-45586) and YellowKey (CVE-2026-50507)," Reguly said.
RCE 'Critical' Updates Dominate Patch Tuesday
Beyond the zero-days, Microsoft's critical-rated updates include several issues that should be addressed as soon as possible (if auto patching is not enabled). Among the most serious are CVE-2026-47291, a Windows HTTP.sys remote code execution vulnerability with a CVSS score of 9.8, and CVE-2026-44815, a Windows DHCP Client remote code execution vulnerability, also rated 9.8. Both are concerning because they affect core Windows networking components.
"For June, CVE-2026-47291 (Windows HTTP.sys) should be of top priority because it allows unauthenticated attackers to remotely achieve full compromise without any user interaction, making it potentially wormable," said Amol Sarwate, head of security research and REDLab at Cohesity. "CVE-2026-44815 (Windows DHCP Client) falls in the same category as the DHCP Client runs on virtually every Windows endpoint, giving it an enormous attack surface."
Other critical fixes affect Remote Desktop Client, Windows Kernel, Windows Graphics, Hyper-V, Office, Outlook and Word, Microsoft Exchange Online, Azure Kubernetes Service, Azure HorizonDB, Microsoft 365 Copilot and Nuance PowerScribe. Several Remote Desktop Client vulnerabilities require a user to connect to a malicious RDP server, while Office and Outlook bugs are notable because Microsoft listed the Preview Pane as an attack vector for some flaws.
The volume also adds pressure to patch management teams. Satnam Narang, senior staff research engineer at Tenable, said the June release surpassed the previous Patch Tuesday record of 167 CVEs from October 2025 and reflects the growing role of AI-assisted vulnerability discovery.
"Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday," Narang said.