Microsoft’s June 2026 Patch Tuesday has set a new record, with the company addressing an unprecedented 208 documented vulnerabilities (CVEs). Among these fixes is one zero-day flaw confirmed to be actively exploited in the wild, along with several critical remote code execution (RCE) vulnerabilities.
This release spans a wide portion of Microsoft’s ecosystem, including Windows, Microsoft Office, Azure, Exchange Server, Hyper-V, Secure Boot, BitLocker, and various AI-related tools. When factoring in Chromium-based components and other third-party dependencies bundled within Microsoft products, the total number of vulnerabilities patched for the month rises significantly to 571.
Security researchers have highlighted the scale of this release. According to the Zero Day Initiative (ZDI), this marks the largest Patch Tuesday update observed since they began tracking vulnerability counts in 2017, surpassing the previous record of 177 vulnerabilities set just last year. Notably, the cumulative number of CVEs addressed by Microsoft in 2026 has already exceeded the total number of vulnerabilities patched throughout all of 2018.
One vulnerability, identified as CVE-2026-41091, is currently being exploited in active attacks. In addition, three other vulnerabilities were publicly disclosed prior to the release of patches. These four issues are considered the highest priority for immediate remediation.
Among the most notable vulnerabilities addressed this month is CVE-2026-41091, an elevation of privilege flaw in Microsoft Defender with a CVSS score of 7.8. The vulnerability has been attributed to multiple researchers, which often suggests broader discovery or ongoing exploitation activity. Fortunately, Microsoft Defender typically updates automatically, reducing the need for manual intervention unless automatic updates have been disabled or systems operate in restricted environments.
Another critical issue, CVE-2026-45657, carries a CVSS score of 9.8 and affects the Windows kernel. This remote code execution vulnerability allows an unauthenticated attacker to execute arbitrary code at SYSTEM-level privileges without requiring user interaction. The flaw stems from how the kernel processes TCP/IP traffic, raising concerns about potential wormable exploitation scenarios. Although Microsoft has classified exploitation as less likely, security experts are already analyzing the patch, emphasizing the urgency of testing and deploying updates quickly.
CVE-2026-47291 is a similarly severe vulnerability affecting HTTP.sys, also rated at 9.8. Like the kernel flaw, it enables remote code execution without authentication or user interaction. However, systems configured with the default MaxRequestBytes registry value are not impacted. Microsoft has marked this vulnerability as more likely to be exploited, and administrators are advised to verify configurations and apply recommended mitigations immediately while preparing full patch deployment.
Another high-risk issue, CVE-2026-44815, targets the DHCP Client Service and also carries a CVSS score of 9.8. There is some inconsistency in Microsoft’s documentation regarding whether authentication is required, but based on the severity rating, security analysts believe unauthenticated exploitation is likely possible. Given that the DHCP client is enabled on nearly all Windows systems, this vulnerability represents a broad and attractive attack surface, making rapid remediation essential.
In addition to these critical flaws, several publicly disclosed vulnerabilities further increase the urgency. CVE-2026-49160 affects HTTP.sys and enables denial-of-service attacks using an HTTP/2 “bomb” technique. CVE-2026-45586 involves privilege escalation within the Windows Collaborative Translation Framework, potentially allowing attackers to gain SYSTEM-level access. Another issue, CVE-2026-50507, enables a BitLocker bypass requiring physical access and is linked to ongoing research activity referred to as “YellowKey.” A related patch, CVE-2026-45585, appears to address a similar technique known as “GreenPlasma,” with researchers indicating additional exploit developments may follow.
Secure Boot also receives significant attention in this release, with ten vulnerabilities classified as having “scope change,” meaning a successful exploit could extend beyond the original component and compromise boot integrity or virtual secure environments. Many of these findings are credited to researchers known for work related to advanced bootkits and firmware-level threats. Two of the Secure Boot vulnerabilities go even deeper, allowing execution of untrusted code before the operating system loads, provided the attacker has administrative privileges or physical access—conditions that elevate the risk to rootkit-level persistence.
The sheer volume of vulnerabilities addressed raises broader operational concerns for security teams. As noted by ZDI’s Dustin Childs, organizations may need to reassess their patch management strategies in response to consistently large update releases. This follows similarly heavy Patch Tuesday cycles in recent months, suggesting a potential shift in baseline expectations for vulnerability remediation workloads.
Microsoft has not indicated whether this trend will continue, but the next Patch Tuesday, scheduled for July 14, is expected to be similarly substantial, especially given its proximity to major cybersecurity conferences such as Black Hat and DEF CON. Organizations are strongly encouraged to prepare accordingly by prioritizing testing, accelerating deployment timelines, and closely monitoring threat intelligence updates.
The complete list of vulnerabilities addressed in this release is available through Microsoft’s official security advisory channels.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
