Back

Microsoft June 2026 Patch Tuesday: Record 206 Vulnerabilities Addressed

Severity: High (Score: 70.5)

Sources: Blog.Talosintelligence, Securityaffairs.Co, www.zerodayinitiative.com, Cyberscoop, Myabt

Published: 2026-06-09 · Updated: 2026-06-10

Keywords: microsoft, june, patch, tuesday, vulnerabilities, copilot, security

Severity indicators: vulnerabilities, ot

Summary

On June 9, 2026, Microsoft released its largest Patch Tuesday update, addressing 206 vulnerabilities, including three zero-day flaws. Among the critical vulnerabilities, 32 were rated as critical, with 28 classified as remote code execution (RCE) vulnerabilities. The update included CVE-2026-47291, an RCE flaw in HTTP.sys, rated CVSS 9.8, and CVE-2026-45586, an elevation of privilege vulnerability in Windows CTFMON. Microsoft confirmed that none of the vulnerabilities are currently exploited in the wild, but the sheer volume of flaws indicates a significant uptick in vulnerability discovery, likely driven by AI tools. The update also featured patches for vulnerabilities affecting various Microsoft products, including Windows, Office, and Azure services. Security professionals are urged to prioritize patching due to the high number of critical vulnerabilities and the potential for exploitation. Key Points: • Microsoft's June 2026 Patch Tuesday addressed a record 206 vulnerabilities, including three zero-days. • 32 vulnerabilities were classified as critical, with significant RCE flaws like CVE-2026-47291 rated CVSS 9.8. • The increase in vulnerabilities is attributed to AI tools accelerating vulnerability discovery.

Detailed Analysis

**Impact** The June 2026 Patch Tuesday affects a broad range of Microsoft products including Windows (10 and 11), Office, Exchange, Azure, Hyper-V, Defender, BitLocker, and Microsoft 365 cloud services. A record 206 vulnerabilities were addressed, including 38 critical flaws and three publicly disclosed zero-days, with no confirmed active exploitation at release. Financial institutions using Microsoft 365 Copilot and Exchange Online are impacted by cloud-based vulnerabilities, while enterprises globally face risks from remote code execution and privilege escalation vulnerabilities that could lead to full system compromise and data exposure. **Technical Details** The vulnerabilities include 54 remote code execution (RCE) and 66 elevation of privilege (EoP) flaws, with key CVEs such as CVE-2026-47291 (HTTP.sys RCE), CVE-2026-45586 (CTFMON EoP), and CVE-2026-50507 (BitLocker security bypass). Attack vectors range from network-based exploitation (e.g., HTTP/2 and HTTP/3 header compression attacks) to local privilege escalation via improper link resolution. The kill chain stages impacted include initial access, privilege escalation, lateral movement, and security feature bypass. Proof-of-concept code has been publicly released for some vulnerabilities by the researcher known as Nightmare Eclipse. Indicators of compromise (IOCs) were not detailed in the sources. **Recommended Response** Apply all June 2026 Patch Tuesday updates immediately, prioritizing patches for CVE-2026-47291, CVE-2026-45586, CVE-2026-50507, and CVE-2026-41091 due to their criticality and likelihood of exploitation. Configure the new MaxHeadersCount registry setting to limit HTTP/2 and HTTP/3 request headers to mitigate denial-of-service attacks. Monitor for unusual privilege escalations and suspicious activity targeting Microsoft Defender components and Remote Desktop Services. For cloud services like Microsoft 365 Copilot and Exchange Online, enhance tenant monitoring and governance controls, as no customer-side patches are required.

Source articles (32)

  • Microsoft 365 Copilot RCE: June 2026 Bank Security Guide — Myabt · 2026-06-08
    Microsoft 365 Copilot now sits inside the daily workflow of loan officers, underwriters, and compliance teams at the institutions that rolled it out over the past year. So when Microsoft disclosed a r…
  • Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507) — Tenable · 2026-06-09
    Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days. Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as…
  • Microsoft smashes record for biggest ever Patch Tuesday update — Computerweekly · 2026-06-09
    Microsoft has issued patches for 200 flaws in its latest monthly Patch Tuesday drop, blasting past a record high of almost 170 common vulnerabilities and exposures (CVEs) set in October 2025 . Among a…
  • Microsoft Patch Tuesday June 2026 – 198 Vulnerabilities Fixed, Including 3 Zero — Cybersecuritynews · 2026-06-09
    Microsoft has released its June 2026 Patch Tuesday security updates, addressing a hefty 198 vulnerabilities across its product ecosystem. The June rollout, published on June 9, 2026, stands out not on…
  • Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th) — Isc.Sans.Edu · 2026-06-09
    Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft c…
  • Critical Patches Issued for Microsoft Products, June 9, 2026 — Cisecurity · 2026-06-09
    Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities…
  • Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws — Bleepingcomputer · 2026-06-09
    Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28…
  • Control The Maximum Number Of Http 2 And Http 3 Request Headers In Windows Clients And Servers 084da156 7a99 4abf B759 F973c35eded3 — support.microsoft.com · 2026-06-09
    HTTP headers are name-value pairs included in HTTP requests and responses. In Windows environments, client components such as WinHTTP and WinINet, and server components such as IIS, use headers to exc…
  • Microsoft breaks Patch Tuesday record with 206 vulnerabilities — Cyberscoop · 2026-06-09
    Microsoft addressed a whopping 206 vulnerabilities lurking in its vast portfolio of business products and foundational systems in this month’s Patch Tuesday update , marking the vendor’s largest month…
  • Microsoft Patches 200 Flaws Including Three Zero-Days — Aiweekly.Co · 2026-06-09
    Names this as the largest Patch Tuesday ever ( record: 167 CVEs), attributes zero-days to specific researchers, and ties CVEs to CISA KEV catalog and PoC availability for triage. Frames the CVE surge…
  • Microsoft Patch Tuesday for June 2026 — Blog.Talosintelligence · 2026-06-09
    Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as “critical”. Out of 32 "critica…
  • Microsoft addresses 200 vulnerabilities in June 2026 Patch Tuesday updates — Feeds.4Sysops · 2026-06-09
    Microsoft has released the June 2026 Patch Tuesday updates, addressing approximately 200 vulnerabilities across its product ecosystem. While none of these flaws are currently known to be exploited in…
  • Patch Tuesday June 2026: 211 Fixes, Critical CVEs — Absolute · 2026-06-09
    June 2026 Patch Tuesday is the largest ever, with 211 fixes and 37 critical vulnerabilities. Discover the key CVEs, attack chain risks, and how to prioritize patching for enterprise resilience. June’s…
  • Blame AI: Patch Tuesday Hits Record 206 CVEs — Darkreading · 2026-06-09
    Voluminous patch updates could soon be the norm, as artificial intelligence accelerates the speed and scale of vulnerability discovery. Microsoft's June 2026 Patch Tuesday update with fixes for a reco…
  • Microsoft addresses three publicly disclosed flaws in June 2026 security updates — Feeds.4Sysops · 2026-06-09
    Microsoft has released its June 2026 servicing updates for .NET and the .NET Framework to address critical security vulnerabilities. These updates are part of a broader Patch Tuesday rollout that fixe…
  • A Record — Feeds.Feedburner · 2026-06-09
    Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company's monthly Patch Tuesda…
  • AI is making Patch Tuesday (kinda) fun again — Theregister · 2026-06-09
    Microsoft set a record with its June Patch Tuesday release, addressing 206 CVEs across its products and shipping fixes for them, with 38 deemed critical and the rest important. Three are listed as pub…
  • Microsoft Releases Record — Securityaffairs.Co · 2026-06-09
    Microsoft Patch Tuesday security updates for June 2026 fix a record 208 CVEs, including one actively exploited zero-day and multiple critical RCE flaws. Microsoft Patch Tuesday security updates for Ju…
  • Patch Tuesday - June 2026 — Rapid7 · 2026-06-09
    Microsoft is publishing 200 vulnerabilities on June 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild for any of these vulnerabilities, and is aware of public disclosure for thre…
  • CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability — msrc.microsoft.com · 2026-06-09
  • CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability — msrc.microsoft.com · 2026-06-09
  • CVE-2026-50507 — msrc.microsoft.com · 2026-06-09
  • CVE-2026-49160 — msrc.microsoft.com · 2026-06-09
  • Patch Tuesday update — msrc.microsoft.com · 2026-06-09
  • CVE-2026-45586 — msrc.microsoft.com · 2026-06-09

Timeline

  • 2026-04-14 — CVE-2026-33825 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-19 — CVE-2026-45585 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-45498 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-41091 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-45497 published: A remote code execution vulnerability in Microsoft 365 Copilot was disclosed, rated CVSS 7.7.
  • 2026-06-04 — CVE-2026-47644 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-42824 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — Public exploit for CVE-2026-49975 released: A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
  • 2026-06-04 — CVE-2026-47655 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-04 — CVE-2026-48579 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2025-10263
  • CVE-2026-26142
  • CVE-2026-32193
  • CVE-2026-33825
  • CVE-2026-33828
  • CVE-2026-41091
  • CVE-2026-42824
  • CVE-2026-42902
  • CVE-2026-42909
  • CVE-2026-42913
  • CVE-2026-42985
  • CVE-2026-42987
  • CVE-2026-42992
  • CVE-2026-42993
  • CVE-2026-44799
  • CVE-2026-44801
  • CVE-2026-44803
  • CVE-2026-44810
  • CVE-2026-44812
  • CVE-2026-44815
  • CVE-2026-45456
  • CVE-2026-45458
  • CVE-2026-45460
  • CVE-2026-45461
  • CVE-2026-45463
  • CVE-2026-45472
  • CVE-2026-45474
  • CVE-2026-45476
  • CVE-2026-45497
  • CVE-2026-45498

Related entities

  • Chaotic Eclipse (Apt Group)
  • Nightmare Eclipse (Apt Group)
  • Data Breach (Attack Type)
  • DDoS (Attack Type)
  • Denial-of-Service (Attack Type)
  • Denial of Service (Attack Type)
  • Elevation Of Privilege (Attack Type)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Microsoft (Company)
  • Nuance (Company)
  • Azure (Company)
  • Outlook (Company)
  • CWE-120 - Classic Buffer Overflow (Cwe)
  • Cwe-122 - Heap-based Buffer Overflow (Cwe)
  • Cwe-125 - Out-of-bounds Read (Cwe)
  • Cwe-190 - Integer Overflow Or Wraparound (Cwe)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-22 - Path Traversal (Cwe)
  • CWE-269 - Improper Privilege Management (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • Cwe-400 - Uncontrolled Resource Consumption (Cwe)
  • Cwe-416 - Use After Free (Cwe)
  • Cwe-476 - NULL Pointer Dereference (Cwe)
  • Cwe-502 - Deserialization Of Untrusted Data (Cwe)
  • Cwe-601 - Open Redirect (Cwe)
  • Cwe-611 - Improper Restriction Of XML External Entity Reference (xxe) (Cwe)
  • CWE-78 - OS Command Injection (Cwe)
  • CWE-798 - Use of Hard-coded Credentials (Cwe)
  • Cwe-79 - Cross-site Scripting (xss) (Cwe)
  • Cwe-843 - Type Confusion (Cwe)
  • CWE-862 - Missing Authorization (Cwe)
  • Cwe-89 - SQL Injection (Cwe)
  • Cwe-918 - Server-Side Request Forgery (ssrf) (Cwe)
  • CWE-94 - Code Injection (Cwe)
  • calif.io (Domain)
  • cve-2026-42902.it (Domain)
  • here.as (Domain)
  • sans.edu (Domain)
  • Financial (Industry)
  • Healthcare (Industry)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1059 - Command and Scripting Interpreter (Mitre Attack)
  • T1068 - Exploitation for Privilege Escalation (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1203 - Exploitation for Client Execution (Mitre Attack)
  • T1499 - Endpoint Denial of Service (Mitre Attack)
  • Active Directory Domain Services (Platform)
  • Apache (Platform)
  • Azure HorizonDB (Platform)
  • Azure Kubernetes Service (Platform)
  • BitLocker (Platform)
  • Chromium (Platform)
  • Copilot (Platform)
  • Copilot Chat (Platform)
  • Ctfmon (Platform)
  • Defender (Platform)
  • Device Health Attestation (Platform)
  • DHCP Client (Platform)
  • Edge (Platform)
  • Exchange (Platform)
  • Exchange Online (Platform)
  • HTTP/2 (Platform)
  • Http/3 (Platform)
  • HTTP.sys (Platform)
  • Hyper-V (Platform)
  • IIS (Platform)
  • Linux (Platform)
  • Microsoft 365 Copilot (Platform)
  • Microsoft Defender (Platform)
  • Microsoft Edge (Platform)
  • Microsoft Entra ID (Platform)
  • Microsoft Graph (Platform)
  • Microsoft M365 Copilot (Platform)
  • Microsoft Office (Platform)
  • Microsoft Outlook (Platform)
  • Microsoft SQL Server (Platform)
  • Microsoft Word (Platform)
  • Nuance PowerScribe (Platform)
  • Office (Platform)
  • PowerScribe (Platform)
  • Secure Boot (Platform)
  • SharePoint (Platform)
  • SQL Server (Platform)
  • TPM (Platform)
  • Visual Studio Code (Platform)
  • Windows (Platform)
  • Windows 11 (Platform)
  • Windows 11 24H2 (Platform)
  • Windows 11 25H2 (Platform)
  • Windows Active Directory (Platform)
  • Windows Deployment Services (Platform)
  • Windows Graphics Component (Platform)
  • Windows HTTP Protocol Stack (Platform)
  • Windows Hyper-V (Platform)
  • Windows Kerberos Key Distribution Center (Platform)
  • Windows Kernel (Platform)
  • Google Chrome (Tool)
  • Nginx (Tool)
  • Remote Desktop (Tool)
  • DeepSeek V4 (Tool)
  • GPT 5.5 (Tool)
  • OpenAI Codex (Tool)
  • BitLocker Bypass (Vulnerability)
  • Bitskrieg (Vulnerability)
  • BlueHammer (Vulnerability)
  • Ctfmon Privilege Escalation (Vulnerability)
  • GreenPlasma (Vulnerability)
  • Http/2 Bomb (Vulnerability)
  • HTTP.sys Denial Of Service Vulnerability (Vulnerability)
  • Hyper-V VM Escape (Vulnerability)
  • Kerberos KDC RCE (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • RoguePlanet (Vulnerability)
  • UnDefend (Vulnerability)
  • Windows BitLocker Security Feature Bypass Vulnerability (Vulnerability)
  • Windows Collaborative Translation Framework (ctfmon) Elevation Of Privilege Vulnerability (Vulnerability)
  • YellowKey (Vulnerability)
  • YellowKey Vulnerability (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed