Microsoft’s June 2026 Patch Tuesday is one of the largest security updates in the company’s history, addressing 198 to 208 vulnerabilities u2014 depending on the source u2014 including six zero-day flaws, three of which were actively exploited or publicly disclosed before a fix was available. Security teams worldwide are on high alert, and if you haven’t patched yet, you need to act immediately.
Released on June 9, 2026, this month’s update covers Windows, Office, Azure, Remote Desktop, and dozens of other Microsoft products. With a staggering 33 “Critical” vulnerabilities in this batch u2014 28 of them remote code execution (RCE) flaws u2014 the attack surface is enormous. Here’s everything you need to know.
Microsoft Patch Tuesday June 2026: By the Numbers
This month’s Patch Tuesday is exceptional in scale. Key statistics from the update:
- Total CVEs patched: 198u2013208 (varies by source; Microsoft’s official count is 198)
- Critical severity: 33 vulnerabilities
- Zero-day flaws: 6 (3 publicly disclosed, 1 actively exploited)
- Remote Code Execution (RCE): 54 vulnerabilities, 28 rated Critical
- Elevation of Privilege (EoP): Multiple, including SYSTEM-level
- Products affected: Windows 10/11, Windows Server 2019u20132025, Office 365, Azure, Remote Desktop Services, SharePoint, Exchange
Security researchers from Tenable, Zero Day Initiative, and BleepingComputer have flagged several of these CVEs as requiring emergency prioritization. Let’s look at the most dangerous ones.
CVE-2026-49160: The HTTP/2 Bomb u2014 Critical DoS in Windows
The highest-profile vulnerability this cycle is CVE-2026-49160, a Denial-of-Service (DoS) flaw in Windows’ HTTP.sys component affecting the HTTP/2 protocol stack. Rated CVSS 7.5, this vulnerability allows a remote, unauthenticated attacker to crash web servers by sending a specially crafted, tiny HTTP/2 request that causes the server to expand and process a disproportionately massive volume of data u2014 a technique known as the HTTP/2 Bomb.
The attack is elegant in its brutality: a kilobyte-sized request triggers gigabytes of server-side processing, effectively taking any affected Windows server offline. This vulnerability affects all Windows Server versions running IIS or any HTTP/2-capable service. Since HTTP/2 is the default protocol for modern web traffic, the exposure is universal.
Who is affected: Any Windows web server with HTTP/2 enabled u2014 which is the default on Windows Server 2019 and later. This includes IIS deployments, Azure-hosted applications, and Windows-based API gateways.
CVE-2026-45657: CVSS 9.8 Wormable Kernel TCP/IP Flaw
The most dangerous vulnerability in this month’s batch may be CVE-2026-45657, a CVSS 9.8-rated flaw in how the Windows kernel handles TCP/IP packets. This is a zero-click, pre-authentication remote code execution vulnerability u2014 meaning an attacker can compromise your system without any user interaction, simply by sending a specially crafted network packet.
Security researchers have classified this as potentially wormable u2014 meaning malware exploiting it could self-propagate across networks automatically, in the same way WannaCry did in 2017 using EternalBlue. The vulnerability sits in kernel space, so successful exploitation gives attackers the highest possible level of access to the compromised system.
Mitigation priority: CRITICAL. Systems connected directly to the internet or on flat, unsegmented networks are at the highest risk. This CVE alone justifies emergency patching procedures.
CVE-2026-45586: CTFMON Elevation of Privilege to SYSTEM
CVE-2026-45586 is an Elevation of Privilege vulnerability in the Client/Server Runtime Subsystem (CTFMON), rated CVSS 7.8. A local attacker u2014 including malware already on the system or a low-privilege user u2014 can exploit this to gain SYSTEM-level privileges, effectively taking full control of the machine.
This type of flaw is a key component in multi-stage attacks: ransomware operators frequently chain together a low-privilege initial access with an EoP vulnerability like this to gain full administrative control before deploying their payload. Patch it immediately, even on systems not directly internet-facing.
CVE-2026-50507: Windows BitLocker Security Feature Bypass
CVE-2026-50507 affects Windows BitLocker, Microsoft’s full-disk encryption solution, with a CVSS score of 6.8. Exploitation requires physical access to the device, but once an attacker has that, they can bypass BitLocker’s encryption protections and gain access to the protected data.
This is particularly concerning for organizations that rely on BitLocker to protect data on stolen laptops, workstations, and servers. If an employee’s laptop is stolen, BitLocker is the last line of defense u2014 and this vulnerability undermines it.
Remote Desktop Services: Highest Concentration of RCE Patches
Beyond the named zero-days, Remote Desktop Client and Services received the largest cluster of RCE patches this cycle. Multiple CVEs (CVE-2026-44819, CVE-2026-44824, CVE-2026-45475, CVE-2026-45486, and others) allow attackers to achieve code execution through specially crafted RDP connections or Microsoft Office documents.
Organizations that expose RDP to the internet u2014 still a dangerously common practice u2014 should treat this month’s patches as a priority-one emergency. Unpatched RDP has historically been one of the most exploited attack vectors for ransomware groups.
What You Need to Do Right Now
Here’s a prioritized action plan for IT and security teams responding to the June 2026 Patch Tuesday:
- 1. Patch CVE-2026-45657 first. The wormable kernel TCP/IP flaw (CVSS 9.8) is your highest-risk vulnerability. Treat it as an emergency patch regardless of your normal patching cycle.
- 2. Patch CVE-2026-49160 on all web-facing servers. Disable HTTP/2 as a temporary mitigation if you cannot patch immediately (
netsh http add iplistencan restrict exposure). - 3. Apply all EoP patches. CVE-2026-45586 and other privilege escalation flaws are force multipliers for attackers who already have a foothold in your environment.
- 4. Audit your RDP exposure. Ensure RDP is not directly exposed to the internet. Use VPN or Azure Bastion as a gateway, and enforce Network Level Authentication (NLA).
- 5. Review BitLocker policies. For devices with sensitive data, ensure BitLocker pre-boot authentication (PIN/USB key) is enforced as an additional layer.
- 6. Update your patch management systems. Enable Windows Update, deploy via WSUS/SCCM, or use your RMM tool to push patches to all endpoints before end of business today.
The Broader Context: Patch Tuesday Has Never Been More Critical
June 2026’s Patch Tuesday lands in one of the most hostile cybersecurity environments in recent memory. Vulnerability exploitation has overtaken stolen credentials as the #1 way attackers gain initial access to organizations, accounting for 31% of all breach entry points according to recent incident response data. Meanwhile, the time between a patch being released and attackers weaponizing the underlying vulnerability has shrunk to as little as 48 hours for high-profile CVEs.
The message is clear: in 2026, patching is not a monthly maintenance task u2014 it’s a continuous security imperative. Organizations that treat Patch Tuesday as optional are operating under a dangerous illusion.
Quick Reference: June 2026 Patch Tuesday Must-Patch List
- CVE-2026-45657 u2014 CVSS 9.8 | Windows Kernel TCP/IP | Wormable RCE | Patch immediately
- CVE-2026-49160 u2014 CVSS 7.5 | HTTP.sys HTTP/2 Bomb | DoS | Patch all web servers today
- CVE-2026-45586 u2014 CVSS 7.8 | CTFMON EoP to SYSTEM | Patch all endpoints
- CVE-2026-50507 u2014 CVSS 6.8 | BitLocker Bypass | Physical access required | Patch laptop fleet
- RDP Cluster u2014 Multiple CVEs | Remote code execution via RDP | Emergency priority if RDP exposed
Security doesn’t wait. Bookmark InformBytes for ongoing coverage of critical vulnerabilities and threat intelligence, and subscribe to our newsletter to receive patch alerts directly in your inbox.
