Microsoft June 2026 Patch Tuesday fixes record number of flaws, including zero-days
6 min. read 
Published on
Microsoft’s June 2026 Patch Tuesday is one of the company’s largest monthly security releases to date, fixing a record number of vulnerabilities across Windows, Office, Exchange Server, SharePoint, Hyper-V, Remote Desktop Client, Azure services, Visual Studio Code, and other products.
The headline count varies by source and methodology. Tenable’s June Patch Tuesday analysis counts 198 Microsoft CVEs, with 32 rated Critical and 166 rated Important. BleepingComputer’s updated report counts 200 flaws and six zero-days after additional entries were added to the month’s coverage.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Microsoft’s own June 2026 Security Update Guide release notes remain the primary source for administrators who need product-specific patches, CVSS scores, exploitability ratings, and affected versions.
June 2026 Patch Tuesday by the numbers
The June release stands out because of its size and because several issues were publicly known before Microsoft shipped fixes. Even where exploitation has not been confirmed, public disclosure increases the risk that attackers can study the flaw and build working exploit chains quickly.
Elevation of privilege and remote code execution flaws make up the largest share of this release. Those two categories matter most in enterprise environments because attackers often use remote code execution for initial access and then chain privilege escalation bugs to gain deeper control of a system.
| Category | Reported count | Why it matters |
|---|---|---|
| Elevation of privilege | 65 in broader counts | Can help attackers gain higher permissions after initial access |
| Remote code execution | 55 in broader counts | Can allow code execution through crafted files, requests, or connections |
| Information disclosure | 30 in broader counts | Can expose sensitive data or help attackers prepare follow-up attacks |
| Spoofing | 27 in broader counts | Can help attackers impersonate trusted services or identities |
| Security feature bypass | 19 in broader counts | Can weaken protections such as BitLocker, Secure Boot, or Mark of the Web |
| Denial of service | 7 in broader counts | Can disrupt Windows services, servers, or network-facing systems |
Publicly disclosed zero-days need priority attention
One of the most important fixes is CVE-2026-50507, a Windows BitLocker security feature bypass. Microsoft rates it Important, but administrators should not ignore it because successful exploitation can allow an attacker with physical access to bypass BitLocker Device Encryption and access encrypted data.
Another high-priority fix is CVE-2026-49160, an HTTP.sys denial-of-service vulnerability affecting HTTP/2. This matters for internet-facing Windows servers and IIS environments because crafted requests could exhaust system resources and make services unavailable.
The third publicly disclosed issue highlighted in several Patch Tuesday analyses is CVE-2026-45586, a Windows Collaborative Translation Framework elevation of privilege flaw. Successful exploitation can give an attacker SYSTEM privileges after local access.
| CVE | Component | Impact | Priority |
|---|---|---|---|
| CVE-2026-50507 | Windows BitLocker | Security feature bypass | High for laptops and devices at physical-access risk |
| CVE-2026-49160 | HTTP.sys | Denial of service | High for IIS and exposed Windows web servers |
| CVE-2026-45586 | Windows CTFMON | Elevation of privilege | High where attackers may already have local access |
Remote Desktop, Hyper-V, HTTP.sys, and Office fixes stand out
The Tenable breakdown highlights a large cluster of Remote Desktop Client remote code execution vulnerabilities. Several are rated Critical, and exploitation requires a victim to connect to an attacker-controlled server using an affected Remote Desktop Client.
BleepingComputer also points to the wider zero-day picture, including additional BitLocker and Visual Studio Code issues counted in its updated coverage. That is why security teams should read beyond the first published patch summaries and verify the final CVE list in their own vulnerability management tools.
Microsoft’s official June release notes include fixes across Windows Hyper-V, Windows Kerberos, Active Directory Domain Services, Microsoft Office, Microsoft Exchange Server, SharePoint Server, Visual Studio Code, Azure Kubernetes Service, Windows Secure Boot, and other components.
- Prioritize exposed Windows servers running HTTP.sys or IIS workloads.
- Patch Remote Desktop Client systems, especially on admin workstations.
- Update Hyper-V hosts after testing, since guest-to-host bugs can carry serious risk.
- Patch Office and Outlook systems because document-based attack paths remain common.
- Review BitLocker and Secure Boot fixes for laptops, field devices, and high-risk endpoints.
Microsoft adds HTTP header control after HTTP.sys issue
Microsoft also introduced a new mitigation-related setting for Windows HTTP servers. After installing a Windows update released on or after June 9, 2026, administrators can use the MaxHeadersCount registry setting to limit the number of HTTP/2 and HTTP/3 request headers accepted by the server.
This setting is especially relevant for organizations that operate internet-facing IIS servers or Windows services that depend on HTTP.sys. It gives administrators another way to reduce resource-exhaustion risk linked to oversized or abusive request headers.
| Deployment group | Recommended action |
|---|---|
| Internet-facing servers | Prioritize HTTP.sys, IIS, Remote Desktop, and Exchange Server patches |
| Domain controllers | Prioritize Kerberos and Active Directory Domain Services updates |
| Virtualization hosts | Test and deploy Hyper-V fixes quickly |
| End-user devices | Apply Windows, Office, BitLocker, Secure Boot, and Remote Desktop Client updates |
| Developer systems | Patch Visual Studio Code and related extensions |
Admins should test, patch, and verify coverage
Security teams should begin with systems exposed to the internet, high-value servers, privileged workstations, and devices that frequently handle untrusted Office files. Patch testing still matters, but the number of publicly known issues in this cycle makes long delays risky.
Organizations that cannot update every system immediately should reduce exposure while testing continues. That can include restricting RDP access, limiting inbound traffic to Windows web servers, isolating vulnerable systems, and monitoring authentication, crash, and service health logs for unusual activity.
- Run an inventory check for Windows Server, Windows client, Office, Exchange, SharePoint, Hyper-V, and Visual Studio Code assets.
- Apply June 2026 security updates first to internet-facing and privileged systems.
- Review the Microsoft MaxHeadersCount guidance for HTTP/2 and HTTP/3 environments.
- Check vulnerability scanner results after deployment to confirm patches applied successfully.
- Monitor for exploitation attempts against BitLocker, HTTP.sys, Remote Desktop, Office, and privilege escalation flaws.
The June 2026 Patch Tuesday release is too large to treat as routine. Whether an organization follows the 198-CVE count, the 200-flaw Patch Tuesday count, or a broader 206-vulnerability view, the practical guidance remains the same: test quickly, patch high-risk systems first, and verify that updates actually reached every affected asset.
FAQ
The count depends on methodology. Tenable counted 198 Microsoft CVEs, while BleepingComputer updated its Patch Tuesday coverage to 200 flaws. Some broader counts include 206 vulnerabilities when additional items are included.
Admins should prioritize publicly disclosed issues such as CVE-2026-50507 in BitLocker, CVE-2026-49160 in HTTP.sys, and CVE-2026-45586 in Windows Collaborative Translation Framework. Updated reports also count additional zero-days in the June cycle.
CVE-2026-49160 is an HTTP.sys denial-of-service vulnerability affecting HTTP/2. It can allow an unauthenticated attacker to cause service disruption over a network.
It is important because it fixes a record number of flaws, including publicly disclosed zero-days, Critical remote code execution bugs, privilege escalation flaws, BitLocker bypasses, and server-side vulnerabilities.
Organizations should patch internet-facing servers, HTTP.sys and IIS systems, Remote Desktop Client deployments, Hyper-V hosts, domain controllers, Exchange and SharePoint servers, Office installations, and high-risk user devices first.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages