Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs ( CVE-2026-49160, CVE-2026-50507)

32Critical166Important0Moderate0LowMicrosoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as important. Our counts omitted 6 CVEs that were already addressed by Microsoft via servicing and do not require additional customer action to resolve as well as 2 CVEs that were disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.This month’s update includes patches for:.NETASP.NET CoreActive Directory Domain ServicesAzure HorizonDBAzure Stack EdgeCopilot Chat (Microsoft Edge)Function Discovery Service (fdwsd.dll)GitHub Copilot and Visual Studio CodeHTTP/2Linux MANA DriverM365 CopilotMicrosoft Azure Attestation service and Device Health Attestation ServiceMicrosoft Azure Kubernetes ServiceMicrosoft BingMicrosoft CopilotMicrosoft Defender for EndpointMicrosoft Dynamics 365 (on-premises)Microsoft Exchange OnlineMicrosoft Exchange ServerMicrosoft GraphMicrosoft Graphics ComponentMicrosoft KinectMicrosoft Live Share Canvas SDKMicrosoft OfficeMicrosoft Office Click-To-RunMicrosoft Office ExcelMicrosoft Office ProjectMicrosoft Office SharePointMicrosoft Office WordMicrosoft PC ManagerMicrosoft PowerToysMicrosoft Teams for AndroidMicrosoft UxTheme Library (uxtheme.dll)Microsoft Windows DNSNuance PowerScribeOffice for AndroidRemote Desktop ClientRole: Windows Hyper-VUI Automation Manager (uiamanager.dll)Universal Plug and Play (upnp.dll)Visual Studio CodeWindows Administrator ProtectionWindows Ancillary Function Driver for WinSockWindows Application Identity (AppID) SubsystemWindows BitLockerWindows Bluetooth Port DriverWindows Bluetooth ServiceWindows Boot ManagerWindows Collaborative Translation FrameworkWindows Common Log File System DriverWindows Cryptographic ServicesWindows DHCP ClientWindows DHCP ServerWindows DWM Core LibraryWindows Deployment ServicesWindows HTTP.sysWindows Hotpatch Monitoring ServiceWindows Hyper-VWindows Internet (wininet.dll)Windows KerberosWindows KernelWindows Kernel-Mode DriversWindows Mark of the Web (MOTW)Windows MediaWindows NT OS KernelWindows NTFSWindows Narrator BrailleWindows Network Controller (NC) Host AgentWindows Performance MonitorWindows Program Compatibility Assistant ServiceWindows Projected File System Filter DriverWindows Push NotificationsWindows RDPWindows SDKWindows Secure BootWindows ShellWindows StorageWindows TCP/IPWindows Telephony ServiceWindows UEFIWindows Universal Disk Format File System Driver (UDFS)Windows Win32K - GRFXWinlogonElevation of Privilege (EoP) vulnerabilities accounted for 31.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 27.3%.ImportantCVE-2026-50507 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-50507 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation More Likely” according to Microsoft's Exploitability Index.According to Microsoft, an attacker with physical access to the system could bypass the BitLocker Device Encryption feature in order to gain access to the device's encrypted data. This vulnerability appears to be the flaw known as Bitskrieg and a collaboration between Chaotic Eclipse (Nightmare Eclipse) and Jonas L.ImportantCVE-2026-49160 | HTTP.sys Denial of Service VulnerabilityCVE-2026-49160 is a denial of service (DoS) vulnerability affecting HTTP.sys. It received a CVSSv3 score of 7.5 and is rated as important. It was assessed as “Exploitation More Likely” and publicly disclosed prior to a patch being available. According to the advisory, this DoS affects HTTP/2. The advisory notes that this update adds a MaxHeadersCount registry setting which can be used to limit the number of headers included in HTTP/2 and HTTP/3 requests.Dubbed HTTP/2 Bomb by researchers at Calif, which is credited by Microsoft for reporting the DoS, their blog describes the technical details and provides a proof-of-concept which can be used to test web servers against this vulnerability. As noted in the blog post, at the time it was released, Microsoft had not yet released patches.ImportantCVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege VulnerabilityCVE-2026-45586 is an EoP vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. This EoP flaw was one of three zero-days disclosed prior to patches being made available. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft has assessed this vulnerability as “Exploitation More Likely.”CriticalCVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 | Remote Desktop Client Remote Code Execution VulnerabilityCVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 are RCE vulnerabilities affecting Remote Desktop Client. CVSSv3 scores ranged from 8.8 (CVE-2026-42985, CVE-2026-47289 and CVE-2026-47653) to 7.5 and seven were rated as critical while CVE-2026-42993, CVE-2026-42909, CVE-2026-47653 and CVE-2026-42913 were rated as important. Successful exploitation would require a victim to connect to an attacker controlled server using an affected version of the Remote Desktop Client. This action could trigger a heap-based buffer overflow, resulting in remote code execution.While no public details have been released about these vulnerabilities as of June 9, Microsoft has assessed CVE-2026-42985 as “Exploitation More Likely” while the other CVEs were classified as either “Exploitation Unlikely” or “Exploitation Less Likely.” Patches are available for supported versions of Windows and Windows Server.Out Of Band UpdatesWhile these updates were released prior to the Patch Tuesday release on June 9, they were outside the window for the May release and are noted here as they are significant.ImportantCVE-2026-41091 | Microsoft Defender Elevation of Privilege VulnerabilityCVE-2026-41091 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and is rated important. An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, gaining privileges as SYSTEM.According to reports, CVE-2026-41091 is RedSun, a zero-day vulnerability disclosed by a researcher named Chaotic Eclipse or Nightmare Eclipse on April 15, 2026. This researcher has also published several additional zero-days recently, including BlueHammer (CVE-2026-33825), GreenPlasma, MiniPlasma and collaborated on Bitskrieg (CVE-2026-50507). It has since been exploited in the wild and added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog on May 20.ImportantCVE-2026-45585 | Windows BitLocker Security Feature Bypass VulnerabilityCVE-2026-45585 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. This vulnerability is known as YellowKey, named by the researcher known as Chaotic Eclipse or Nightmare Eclipse.A proof-of-concept (PoC) was made public on May 13, prompting Microsoft to publish the original advisory and CVE identifier on May 19th, offering mitigation guidance.Exploitation does require physical access to the device, however Microsoft has assessed this vulnerability as “Exploitation More Likely.”Tenable SolutionsA list of all the plugins released for Microsoft’s June 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft's June 2026 Security UpdatesTenable plugins for Microsoft June 2026 Patch Tuesday Security UpdatesJoin Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.