Microsoft Patch Tuesday, June 2026 Security Update Review
Every Patch Tuesday presents a race between defenders applying fixes and attackers seeking opportunities. Microsoft’s June 2026 release is no exception, delivering security updates for vulnerabilities that could significantly impact enterprise environments if left unaddressed.
This month’s release addresses 206 vulnerabilities, including 33 critical and 167 important-severity vulnerabilities.
In this month’s updates, Microsoft has addressed three publicly disclosed zero-day vulnerabilities.
A further 360 Microsoft Edge/Chromium vulnerabilities were fixed by Google this month; these are excluded from this Patch Tuesday roundup.
Microsoft Patch Tuesday, June edition, includes updates for vulnerabilities in Microsoft Windows DNS, Windows Media, Windows NTFS, Windows Hyper-V, Windows BitLocker, Windows Bluetooth Port Driver, Windows Bluetooth Service, Windows Boot Manager, Microsoft Copilot, Microsoft Exchange Server, and more.
This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.
The June 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| --- | --- | --- |
| Spoofing Vulnerability | 27 | Important: 27 |
| Denial of Service Vulnerability | 7 | Important: 7 |
| Elevation of Privilege Vulnerability | 65 | Critical: 4 Important: 61 |
| Information Disclosure Vulnerability | 30 | Critical: 1 Important: 29 |
| Remote Code Execution Vulnerability | 55 | Critical: 28 Important: 23 |
| Security Feature Bypass Vulnerability | 19 | Important: 19 |
Zero-day Vulnerabilities Patched in June Patch Tuesday Edition
CVE-2026-49160: HTTP.sys Denial of Service Vulnerability
Uncontrolled resource consumption in HTTP/2 could allow an unauthenticated attacker to deny service over a network.
CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
A link-following vulnerability in the Windows Collaborative Translation Framework could allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-50507: Windows BitLocker Security Feature Bypass Vulnerability
A protection mechanism failure in Windows BitLocker may allow an unauthenticated attacker to bypass a security feature with a physical attack.
Critical Severity Vulnerabilities Patched in June Patch Tuesday Edition
CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, & CVE-2026-45474: Microsoft Office Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Microsoft Office could allow an unauthenticated attacker to execute code remotely.
CVE-2026-26142: Nuance PowerScribe Remote Code Execution Vulnerability
Deserialization of untrusted data in Nuance PowerScribe may allow an unauthenticated attacker to execute code over a network.
CVE-2025-10263: ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel]
An attacker could exploit the vulnerability by triggering a specific timing condition during a memory permission change, causing a memory write to be applied using outdated permissions. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-33828: Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability
Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-45456, CVE-2026-47635, & CVE-2026-45458: Microsoft Outlook and Word Remote Code Execution Vulnerability
A type confusion vulnerability in Microsoft Office may allow an unauthenticated attacker to achieve remote code execution.
CVE-2026-45460: Microsoft Office Information Disclosure Vulnerability
An out-of-bounds read vulnerability in Microsoft Office could allow an unauthenticated attacker to disclose information locally.
CVE-2026-45607, CVE-2026-47652, & CVE-2026-45641: Windows Hyper-V Remote Code Execution Vulnerability
An out-of-bounds read vulnerability in Windows Hyper-V could allow an unauthenticated attacker to execute code remotely.
CVE-2026-45648: Windows Active Directory Domain Services Remote Code Execution Vulnerability
A stack-based buffer overflow vulnerability in Active Directory Domain Services may allow an authenticated attacker to execute code remotely.
CVE-2026-45657: Windows Kernel Remote Code Execution Vulnerability
A use-after-free vulnerability in the Windows Kernel could allow an unauthenticated attacker to execute code remotely.
CVE-2026-47288: Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Vulnerability
An integer overflow vulnerability in Windows Kerberos may allow an authenticated attacker to execute code over an adjacent network.
CVE-2026-47289, CVE-2026-47654, CVE-2026-42992, CVE-2026-44799, CVE-2026-44801, CVE-2026-42985, & CVE-2026-48563: Remote Desktop Client Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Remote Desktop Client may allow an unauthenticated attacker to execute code over a network.
CVE-2026-32193: Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability
A path traversal vulnerability in Microsoft Azure Kubernetes Service may allow an authenticated attacker to execute code locally.
CVE-2026-45476: Microsoft Azure Network Adapter Elevation of Privilege Vulnerability
A use-after-free vulnerability in the Linux MANA Driver allows an authenticated attacker to elevate local privileges.
CVE-2026-48574: Windows Media Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Windows Media may allow an unauthenticated attacker to execute code locally.
CVE-2026-44810: Microsoft Cryptographic Services Elevation of Privilege Vulnerability
An improper authentication vulnerability in Windows Cryptographic Services could allow an unauthorized attacker to elevate privileges locally.
CVE-2026-44815: DHCP Client Service Remote Code Execution Vulnerability
A stack-based buffer overflow vulnerability in Windows DHCP Client could allow an unauthenticated attacker to execute code over a network.
CVE-2026-42987: Windows Deployment Services (WDS) Remote Code Execution Vulnerability
A use-after-free in Windows Deployment Services could allow an unauthenticated attacker to execute code over a network.
CVE-2026-44803 & CVE-2026-44812: Windows Graphics Component Remote Code Execution Vulnerability
An integer overflow vulnerability in Windows Win32K – GRFX could allow an unauthenticated attacker to execute code locally.
CVE-2026-47291: HTTP.sys Remote Code Execution Vulnerability
An integer overflow vulnerability in Windows HTTP.sys may allow an unauthenticated attacker to execute code over a network.
Other Microsoft Vulnerability Highlights
- CVE-2026-45658 is a security feature bypass vulnerability in Windows BitLocker. An attacker may exploit the vulnerability to gain access to encrypted data.
- CVE-2026-47634 and CVE-2026-45481 are spoofing vulnerabilities in Microsoft SharePoint Server. The cross-site scripting vulnerability may allow an authenticated attacker to perform spoofing over a network.
- CVE-2026-42905 is an elevation of privilege vulnerability in Windows DWM Core Library. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-42980 is an elevation of privilege vulnerability in the NT OS Kernel. An integer underflow vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-42986 is an elevation of privilege vulnerability in the Microsoft Graphics Component. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
- CVE-2026-42989 is an elevation of privilege vulnerability in Winlogon. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-50508 is a spoofing vulnerability in Windows NTLM. Successful exploitation of the vulnerability may allow an unauthenticated attacker to perform network spoofing.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Nuance PowerScribe, Microsoft Azure Kubernetes Service, Microsoft Office SharePoint, Microsoft Azure Attestation Service and Device Health Attestation Service, Windows Ancillary Function Driver for WinSock, Microsoft Dynamics 365 (on-premises), Visual Studio Code, Windows Universal Disk Format File System Driver (UDFS), Microsoft Kinect, Azure Stack Edge, M365 Copilot, Windows Projected File System Filter Driver, Windows Administrator Protection, Microsoft Teams for Android, Function Discovery Service (fdwsd.dll), Microsoft PowerToys, Windows Kerberos, Windows TCP/IP, Windows DWM Core Library, Windows Shell, Windows RDP, Remote Desktop Client, Windows Hotpatch Monitoring Service, Windows Telephony Service, Windows NT OS Kernel, Windows Push Notifications, Role: Windows Hyper-V, Windows Performance Monitor, Windows Kernel, Microsoft Graphics Component, Windows Deployment Services, Winlogon, Windows Win32K – GRFX, Windows Network Controller (NC) Host Agent, Windows Common Log File System Driver, Windows Cryptographic Services, Windows DHCP Client, Microsoft Office Excel, Microsoft Office, Microsoft Office Word, Linux MANA Driver, GitHub Copilot and Visual Studio Code, Microsoft Office Project, Windows Program Compatibility Assistant Service, .NET, Windows Collaborative Translation Framework, Windows Secure Boot, ASP.NET Core, Windows Internet (wininet.dll), Windows SDK, Windows Application Identity (AppID) Subsystem, Windows Mark of the Web (MOTW), UI Automation Manager (uiamanager.dll), Universal Plug and Play (upnp.dll), Windows Kernel-Mode Drivers, Windows DHCP Server, Microsoft UxTheme Library (uxtheme.dll), Microsoft Live Share Canvas SDK, Microsoft Defender for Endpoint, Active Directory Domain Services, Office for Android, Microsoft Bing, Windows UEFI, Windows HTTP.sys, Microsoft Office Click-To-Run, Copilot Chat (Microsoft Edge), 
Windows Storage, Microsoft Graph, Windows Narrator Braille, Azure HorizonDB, Microsoft Exchange Online, HTTP/2, Microsoft PC Manager, and Windows NTLM.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all hosts impacted by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 110527 or qid: 110528 or qid: 50147 or qid: 92402 or qid: 92403 or qid: 92404 or qid: 92405 or qid: 92406 or qid: 92407 or qid: 92408 or qid: 92409 or qid: 92411 )

Rapid Response with TruRisk Eliminate
Patch to the Latest Version
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select the respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid: 110527 or qid: 110528 or qid: 50147 or qid: 92402 or qid: 92403 or qid: 92404 or qid: 92405 or qid: 92406 or qid: 92407 or qid: 92408 or qid: 92409 or qid: 92411 )

Mitigation: Reducing Risk Until Remediation
Not every team can patch immediately due to operational challenges. TruRisk Eliminate enables security teams to apply mitigation controls that immediately lower exposure and reduce the Qualys Detection Score (QDS).
As a first set of our mitigant signature set, we have Qualys-created mitigations for the following 94 vulnerabilities: CVE-2026-47631, CVE-2026-45502, CVE-2026-45501, CVE-2026-45500, CVE-2026-45583, CVE-2026-45503, CVE-2026-45504, CVE-2026-47635, CVE-2026-45456, CVE-2026-45458, CVE-2026-45460, CVE-2026-45461, CVE-2026-45463, CVE-2026-45645, CVE-2026-45472, CVE-2026-45474, CVE-2026-47293, CVE-2026-44822, CVE-2026-45469, CVE-2026-45459, CVE-2026-44823, CVE-2026-44817, CVE-2026-44818, CVE-2026-44820, CVE-2026-45455, CVE-2026-45483, CVE-2026-47298, CVE-2026-45465, CVE-2026-47636, CVE-2026-47637, CVE-2026-47638, CVE-2026-45454, CVE-2026-47639, CVE-2026-47641, CVE-2026-45464, CVE-2026-45462, CVE-2026-33113, CVE-2026-47634, CVE-2026-45467, CVE-2026-45468, CVE-2026-45479, CVE-2026-48560, CVE-2026-45453, CVE-2026-48562, CVE-2026-47640, CVE-2026-45484, CVE-2026-45481, CVE-2026-44824, CVE-2026-45475, CVE-2026-45471, CVE-2026-45473, CVE-2026-45466, CVE-2026-45486, CVE-2026-45643, CVE-2026-44819, CVE-2026-44821, CVE-2026-45485, CVE-2026-45457, CVE-2020-17103, CVE-2026-47654, CVE-2026-42909, CVE-2026-42913, CVE-2026-42992, CVE-2026-47653, CVE-2026-44801, CVE-2026-44799, CVE-2026-48563, CVE-2026-42993, CVE-2026-47289, CVE-2026-42985, CVE-2026-45599, CVE-2026-45635, CVE-2026-45640, CVE-2026-45605, CVE-2026-47291, CVE-2026-47652, CVE-2026-45607, CVE-2026-45595, CVE-2026-48574, CVE-2026-45636, CVE-2026-42828, CVE-2026-42837, CVE-2026-42979, CVE-2026-42977, CVE-2026-42978, CVE-2026-42991, CVE-2026-42970, CVE-2026-42971, CVE-2026-42969, CVE-2026-42973, CVE-2026-42908, CVE-2026-45639, CVE-2026-42968, CVE-2026-42912.
For vulnerabilities in Windows services with local or remote exploitation vectors, our mitigants modify configuration by changing registry keys and, where applicable, service policy files. These mitigations work for affected components such as the Remote Access Connection Manager, Remote Desktop Services, Shell, Storage, Subsystem for Linux, Power Automate Desktop, Internet Explorer, Microsoft SharePoint, Microsoft Exchange Server, Graphics Component, Office Excel, Outlook, Word, Power BI, and Hyper-V. Additionally, this mitigant set addresses denial-of-service, elevation-of-privilege, remote code execution, and information disclosure risks in these core Windows subsystems.
Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set.
EVALUATE Vendor-Suggested Mitigation with Policy Audit (PA)
Qualys Policy Audit’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when the remediation (fix/patch) cannot be done now. These security controls are not recommended by any industry standards, such as CIS or DISA-STIG.
The Qualys Policy Audit team releases these exclusive controls based on vendor-suggested mitigations and workarounds.
Mitigation refers to a setting, common configuration, or general best practice that exists in a default state and could reduce the severity of exploitation of a vulnerability.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Audit Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft-recommended mitigation(s) for this Patch Tuesday:
CVE-2026-44815: DHCP Client Service Remote Code Execution Vulnerability
This vulnerability has a CVSS:3.1 score of 9.8 / 8.5.
Policy Audit Control IDs (CIDs):
- 1264 Status of the ‘Dynamic Host Configuration Protocol (DHCP) Client’ service
The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:
control.id: [1264]

Visit the June 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their networks using QIDs 110527, 110528, 50147, 92402, 92403, 92404, 92405, 92406, 92407, 92408, 92409, and 92411 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun
