Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs (CVE-2026-49160, CVE-2026-50507)
By Research Special Operations
32 Critical | 166 Important | 0 Moderate | 0 Low
Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days.
Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated important. Our counts omit 6 CVEs that Microsoft had already addressed via servicing and that require no additional customer action, as well as 2 CVEs disclosed by other CNAs (CVE-2025-10263 and CVE-2026-8863). This Patch Tuesday release is the largest since the Patch Tuesday program began, smashing the previous record of 167 CVEs set in the October 2025 release.
This month’s update includes patches for:
.NET
ASP.NET Core
Active Directory Domain Services
Azure HorizonDB
Azure Stack Edge
Copilot Chat (Microsoft Edge)
Function Discovery Service (fdwsd.dll)
GitHub Copilot and Visual Studio Code
HTTP/2
Linux MANA Driver
M365 Copilot
Microsoft Azure Attestation service and Device Health Attestation Service
Microsoft Azure Kubernetes Service
Microsoft Bing
Microsoft Copilot
Microsoft Defender for Endpoint
Microsoft Dynamics 365 (on-premises)
Microsoft Exchange Online
Microsoft Exchange Server
Microsoft Graph
Microsoft Graphics Component
Microsoft Kinect
Microsoft Live Share Canvas SDK
Microsoft Office
Microsoft Office Click-To-Run
Microsoft Office Excel
Microsoft Office Project
Microsoft Office SharePoint
Microsoft Office Word
Microsoft PC Manager
Microsoft PowerToys
Microsoft Teams for Android
Microsoft UxTheme Library (uxtheme.dll)
Microsoft Windows DNS
Nuance PowerScribe
Office for Android
Remote Desktop Client
Role: Windows Hyper-V
UI Automation Manager (uiamanager.dll)
Universal Plug and Play (upnp.dll)
Visual Studio Code
Windows Administrator Protection
Windows Ancillary Function Driver for WinSock
Windows Application Identity (AppID) Subsystem
Windows BitLocker
Windows Bluetooth Port Driver
Windows Bluetooth Service
Windows Boot Manager
Windows Collaborative Translation Framework
Windows Common Log File System Driver
Windows Cryptographic Services
Windows DHCP Client
Windows DHCP Server
Windows DWM Core Library
Windows Deployment Services
Windows HTTP.sys
Windows Hotpatch Monitoring Service
Windows Hyper-V
Windows Internet (wininet.dll)
Windows Kerberos
Windows Kernel
Windows Kernel-Mode Drivers
Windows Mark of the Web (MOTW)
Windows Media
Windows NT OS Kernel
Windows NTFS
Windows Narrator Braille
Windows Network Controller (NC) Host Agent
Windows Performance Monitor
Windows Program Compatibility Assistant Service
Windows Projected File System Filter Driver
Windows Push Notifications
Windows RDP
Windows SDK
Windows Secure Boot
Windows Shell
Windows Storage
Windows TCP/IP
Windows Telephony Service
Windows UEFI
Windows Universal Disk Format File System Driver (UDFS)
Windows Win32K - GRFX
Winlogon
Elevation of Privilege (EoP) vulnerabilities accounted for 31.8% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 27.3%.
Important
CVE-2026-50507 | Windows BitLocker Security Feature Bypass Vulnerability
CVE-2026-50507 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. It was publicly disclosed prior to a patch being available and assessed as “Exploitation More Likely” according to Microsoft's Exploitability Index.
According to Microsoft, an attacker with physical access to the system could bypass the BitLocker Device Encryption feature in order to gain access to the device's encrypted data. This vulnerability appears to be the flaw known as Bitskrieg, a collaboration between Chaotic Eclipse (Nightmare Eclipse) and Jonas L.
Important
CVE-2026-49160 | HTTP.sys Denial of Service Vulnerability
CVE-2026-49160 is a denial of service (DoS) vulnerability affecting HTTP.sys. It received a CVSSv3 score of 7.5 and is rated as important. It was assessed as “Exploitation More Likely” and publicly disclosed prior to a patch being available. According to the advisory, this DoS affects HTTP/2. The advisory notes that this update adds a MaxHeadersCount registry setting which can be used to limit the number of headers included in HTTP/2 and HTTP/3 requests.
Researchers at Calif, whom Microsoft credits with reporting the DoS, dubbed it HTTP/2 Bomb. Their blog post describes the technical details and provides a proof-of-concept that can be used to test web servers for this vulnerability. As the post notes, Microsoft had not yet released patches at the time it was published.
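The advisory describes MaxHeadersCount as a new registry setting but the post does not give its location. The following audit script is an added example, not code from Tenable or Microsoft; it assumes the value lives under the HTTP.sys Parameters key alongside the other HTTP.sys settings, and the review threshold is a constructed value, not a Microsoft recommendation.

```powershell
# Added example: report whether the MaxHeadersCount limit from the CVE-2026-49160
# advisory is configured on this host, and whether HTTP.sys is serving anything.
# ASSUMPTION: the value is stored under the HTTP.sys Parameters key; verify the
# exact path, data type and semantics against the Microsoft advisory first.
param(
    [string]$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters', # assumed location
    [string]$ValueName = 'MaxHeadersCount',
    [int]$ReviewAbove  = 100   # constructed threshold for flagging a loose limit
)

function Get-HttpSysHeaderLimit {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent (i.e. the limit is not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-HttpSysReservations {
    # netsh http show urlacl lists every URL reservation; a host with reservations
    # has applications (IIS, WinRM, custom listeners) exposed through HTTP.sys.
    $lines = netsh http show urlacl 2>$null
    return @($lines | Where-Object { $_ -match 'Reserved URL' } |
        ForEach-Object { ($_ -split ':\s+', 2)[1].Trim() })
}

$limit        = Get-HttpSysHeaderLimit -Path $KeyPath -Name $ValueName
$reservations = Get-HttpSysReservations

$status = if ($null -eq $limit)          { 'NotConfigured' }
          elseif ($limit -gt $ReviewAbove) { 'Configured-Review' }
          else                             { 'Configured' }

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    MaxHeadersCount   = $limit
    Status            = $status
    HttpSysListeners  = $reservations.Count
    Reservations      = ($reservations -join '; ')
    Note              = 'Install the June 2026 update before relying on this value; the setting only exists once the patch is applied.'
}
```

Run it on internet-facing Windows hosts after patching; a NotConfigured result on a host with HTTP.sys listeners is the case to follow up on.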
Important
CVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
CVE-2026-45586 is an EoP vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. This EoP flaw was one of three zero-days disclosed prior to patches being made available. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft has assessed this vulnerability as “Exploitation More Likely.”
Critical
CVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 | Remote Desktop Client Remote Code Execution Vulnerability
CVE-2026-42909, CVE-2026-42913, CVE-2026-42985, CVE-2026-42992, CVE-2026-42993, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289, CVE-2026-47653, CVE-2026-47654 and CVE-2026-48563 are RCE vulnerabilities affecting the Remote Desktop Client. CVSSv3 scores ranged from 8.8 (CVE-2026-42985, CVE-2026-47289 and CVE-2026-47653) to 7.5; seven were rated critical, while CVE-2026-42993, CVE-2026-42909, CVE-2026-47653 and CVE-2026-42913 were rated important. Successful exploitation requires a victim to connect to an attacker-controlled server using an affected version of the Remote Desktop Client, which could trigger a heap-based buffer overflow and result in remote code execution.
While no public details have been released about these vulnerabilities as of June 9, Microsoft has assessed CVE-2026-42985 as “Exploitation More Likely” while the other CVEs were classified as either “Exploitation Unlikely” or “Exploitation Less Likely.” Patches are available for supported versions of Windows and Windows Server.
Out Of Band Updates
Although these updates were released before the June 9 Patch Tuesday release, they fell outside the window for the May release and are noted here because they are significant.
Important
CVE-2026-41091 | Microsoft Defender Elevation of Privilege Vulnerability
CVE-2026-41091 is an EoP vulnerability in Microsoft Defender. It received a CVSSv3 score of 7.8 and is rated important. An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, granting the attacker SYSTEM privileges.
According to reports, CVE-2026-41091 is RedSun, a zero-day vulnerability disclosed by a researcher named Chaotic Eclipse or Nightmare Eclipse on April 15, 2026. This researcher has also published several additional zero-days recently, including BlueHammer (CVE-2026-33825), GreenPlasma, MiniPlasma and collaborated on Bitskrieg (CVE-2026-50507). It has since been exploited in the wild and added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (CISA KEV) catalog on May 20.
Important
CVE-2026-45585 | Windows BitLocker Security Feature Bypass Vulnerability
CVE-2026-45585 is a security feature bypass vulnerability affecting Windows BitLocker. It received a CVSSv3 score of 6.8 and is rated as important. This vulnerability is known as YellowKey, named by the researcher known as Chaotic Eclipse or Nightmare Eclipse.
A proof-of-concept (PoC) was made public on May 13, prompting Microsoft to publish the original advisory and CVE identifier on May 19 along with mitigation guidance.
Exploitation requires physical access to the device; however, Microsoft has assessed this vulnerability as “Exploitation More Likely.”
Tenable Solutions
A list of all the plugins released for Microsoft’s June 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Author
Research Special Operations
The Research Special Operations (RSO) team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this han...
Read more
Microsoft's June 2026 Security Updates
Tenable plugins for Microsoft June 2026 Patch Tuesday Security Updates