Microsoft June 2026 Patch Tuesday: 200 Flaws & 3 Zero-Days
Hoplon InfoSec
10 Jun, 2026
Microsoft June 2026 Patch Tuesday: Record 200 Flaws and 3 Zero-Days
What just happened with Microsoft's security updates, and should you be worried? On June 10, 2026, Microsoft released its monthly security update, and this one genuinely broke records. The Microsoft June 2026 Patch Tuesday addressed 200 vulnerabilities across its entire product ecosystem. That is the largest single Patch Tuesday release in the program's history, blowing past the previous record of 167 CVEs set just eight months earlier in October 2025.
Three of those vulnerabilities are publicly disclosed zero-days. Thirty-three are rated Critical. Twenty-eight of the critical flaws are remote code execution bugs, meaning attackers could theoretically take complete control of an unpatched machine without the user doing anything wrong. If you run Windows, manage Windows servers, or oversee any Microsoft-adjacent infrastructure, this update deserves your full attention today.
This article walks you through what happened, why it matters, which vulnerabilities are most dangerous, and exactly what you should do next.
June 2026 Patch Tuesday at a Glance
Before diving deep, here is a quick snapshot of the numbers:
Category
Count
Total CVEs Patched
200
Critical Severity
33
Important Severity
166
Moderate Severity
1
Zero-Day Vulnerabilities
3
Remote Code Execution Flaws
55
Elevation of Privilege Flaws
65
Security Feature Bypass Flaws
19
Information Disclosure Flaws
30
Denial of Service Flaws
7
Spoofing Vulnerabilities
27
Note: These counts do not include the 360 Microsoft Edge and Chromium vulnerabilities fixed separately by Google, nor do they cover flaws patched earlier this month in Mariner, Azure HorizonDB, Microsoft Copilot, M365 Copilot, Exchange Online, or Microsoft Graph.
The real total, if you count everything Microsoft addressed across its ecosystem this month, runs significantly higher.
Why June 2026 is Unlike Any Patch Tuesday Before It
You have to go back a long way to find context for what just happened. Patch Tuesday has existed since 2003. For most of that time, a big month meant 80 to 100 CVEs. October 2025 surprised the industry with 167. Then June 2026 arrived with 200.
Dustin Childs, head of threat awareness at TrendAI's Zero Day Initiative, put it bluntly after the release. He noted that the current number of CVEs shipped by Microsoft in 2026 alone already exceeds the total number of CVEs Microsoft shipped across the entire year of 2018. That is not a marginal increase. That is a structural shift in how vulnerabilities are being discovered.
The driver, according to researchers across multiple firms, is AI-assisted bug discovery. Automated scanning tools, AI-powered fuzzing frameworks, and large-scale code analysis are surfacing flaws at a pace that human researchers never could. The attack surface is not necessarily getting larger. It is getting more thoroughly examined, faster.
This has real consequences for security teams. Monthly patching cycles were designed for a world where 50 to 100 CVEs was a heavy month. When 200 land at once, triage becomes a serious operational challenge, not just a technical one. Prioritization matters now more than ever.
Adam Barnett of Rapid7 pointed out something else worth noting. When you add the 360 browser-related vulnerabilities patched separately, June 2026 is an order of magnitude heavier than any typical month in recent years. That broader context matters for organizations that track total exposure, not just Windows-specific patches.
The 3 Zero-Day Vulnerabilities: What You Need to Understand
Zero-days are vulnerabilities that were publicly known before Microsoft released a fix. That window of exposure, even a short one, gives attackers a head start. None of the three June 2026 zero-days have been confirmed as actively exploited in the wild at the time of release, but that status can change quickly once exploit code is public.
CVE-2026-45657: The HTTP/2 Wormable Remote Code Execution Flaw
This is the one that security researchers are losing sleep over.
CVE-2026-45657 affects HTTP.sys, the kernel-mode driver that handles HTTP requests in Windows. Its CVSS score is 10.0, the maximum possible severity rating. Microsoft has classified it as "wormable" under certain network configurations, which means a single compromised machine could potentially spread this exploit to other vulnerable machines on the same network without any user interaction.
Think about what that means in a large enterprise environment. One unpatched server facing internal network traffic becomes a potential launch point for lateral movement across hundreds of machines. Security researchers at Zero Day Initiative described this as "the kind of vulnerability that keeps defenders up at night," and that framing is not hyperbole.
The attack vector is network-based, meaning no local access is required. Any system running Windows with HTTP.sys exposed to network traffic is potentially at risk. This includes Windows Server deployments running IIS, certain Azure services, and any application built on Windows HTTP stack components.
This vulnerability alone is reason enough to treat June 2026 patches as an emergency deployment, not a scheduled maintenance window.
CVE-2026-45586 "GreenPlasma": Elevation of Privilege in Windows Collaborative Translation Framework
The second zero-day carries a name that an anonymous security researcher chose themselves: GreenPlasma. The researcher, operating under the alias "Nightmare Eclipse," publicly disclosed the vulnerability before Microsoft could patch it, which is what gives it zero-day status.
CVE-2026-45586 is an elevation of privilege flaw in the Windows Collaborative Translation Framework, a component that handles certain language processing tasks within Windows. The technical mechanism involves a flaw in how the framework validates privilege contexts, allowing an attacker who already has limited access to a machine to elevate their permissions to SYSTEM level.
In practical terms, this kind of vulnerability is usually paired with an initial access vector. An attacker gets a foothold through phishing or another technique, then uses an elevation of privilege bug like this to gain full administrative control. It is a critical step in many real-world attack chains, even if it does not enable remote code execution on its own.
The Nightmare Eclipse researcher is not done. More on that later.
CVE-2026-50507 "YellowKey": BitLocker Bypass
The third zero-day, nicknamed YellowKey, targets something that many organizations rely on as a last line of defense: BitLocker full-disk encryption.
CVE-2026-50507 allows a local attacker with physical access to a device to bypass BitLocker's encryption and read data from a protected drive. The severity rating is important rather than critical, primarily because it requires physical access. Remote exploitation is not possible.
However, the implications for certain organizations are severe. Companies that rely on BitLocker to protect data on lost or stolen laptops now have a window of exposure. Field workers, executives traveling with sensitive data, healthcare organizations with mobile devices, and any scenario where a device could fall into the wrong hands now carry elevated risk.
The fix should be deployed immediately on any device that stores sensitive information and leaves a physically secure location.
Critical Vulnerabilities: What Else is in the June 2026 Patch Tuesday?
Beyond the three zero-days, the 33 Critical-rated vulnerabilities in this release deserve structured attention.
The breakdown of those 33 Critical CVEs is telling: 28 are remote code execution vulnerabilities, 4 are elevation of privilege issues, and 1 is an information disclosure flaw. The concentration of RCE bugs at the Critical tier reflects how broadly Microsoft's attack surface spans network-facing services.
Products affected by Critical-tier vulnerabilities in this release include Windows 11, Windows Server (multiple versions), Microsoft Office, Exchange Server, .NET Framework, Azure-connected services, Hyper-V, Remote Desktop Services, and HTTP.sys. That list covers most of the infrastructure any medium-to-large organization runs on Microsoft technology.
Fifteen additional vulnerabilities across all severity tiers carry Microsoft's "Exploitation More Likely" designation. This label means Microsoft's internal analysis suggests the technical barriers to exploit development are low, even if active exploitation has not yet been observed. Enterprise security teams should treat these with nearly the same urgency as confirmed zero-days.
Priority Tier
Count
Action Timeline
Zero-Days (publicly disclosed)
3
Deploy within 24-48 hours
Critical + Exploitation More Likely
~15
Deploy within 72 hours
Critical (remaining)
~18
Deploy within 1 week
Important
166
Deploy within standard cycle
Moderate
1
Standard cycle
Affected Products and Services
The June 2026 release touches essentially every major Microsoft product family. Here is the full scope:
Windows 11 and Windows 10 both received cumulative updates. Windows Server versions from 2016 through 2025 are included. Microsoft Office (Word, Excel, PowerPoint, Outlook) has patches. Exchange Server on-premises deployments require updates. The .NET Framework across multiple versions has fixes. Azure-integrated components, including certain Hyper-V configurations and Remote Desktop Gateway setups, are covered.
For organizations with vulnerability management programs, the June release scope means automated scanning needs to be run against the complete asset inventory, not just critical servers.
One thing worth clarifying: the patch count of 200 does not include vulnerabilities addressed earlier this month in Microsoft's cloud-based services. Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Exchange Online, and Microsoft Graph received fixes outside the Patch Tuesday schedule. If your organization tracks total Microsoft exposure through attack surface management, those additional fixes should be accounted for separately.
Full technical details and patch download links are available in Microsoft's Security Update Guide at the Microsoft Security Response Center.
Third-Party Patches Released Alongside June 2026 Patch Tuesday
June 2026 was a busy month beyond Microsoft alone. Several other major vendors released significant security updates in the same window, and security teams with heterogeneous environments need to address them all.
Google Chrome patched a new zero-day that was confirmed as actively exploited in attacks at the time of disclosure. The 360 Edge and Chromium vulnerabilities referenced earlier in this article came largely from this Chrome release cycle. If your organization uses Chrome-based browsers, this is a separate urgent update.
Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile and Ivanti Sentry. Neither was confirmed exploited in the wild, but Ivanti products have had a difficult year regarding exploit activity, and patching should not be delayed.
Ubiquiti patched three vulnerabilities carrying maximum severity ratings, all involving potential remote code execution. Organizations running Ubiquiti networking equipment should apply these updates promptly.
SAP released its June security package, which included four critical vulnerabilities across NetWeaver and Commerce Cloud components. Given the sensitivity of ERP data, SAP patches should be treated with high urgency.
Veeam disclosed a critical vulnerability in Backup and Replication that could be exploited to gain remote code execution on domain-joined backup servers. Backup infrastructure is a high-value target for ransomware operators, and a vulnerable backup server can quickly become an attacker's pivot point into a broader environment. Incident response and recovery becomes far more difficult when backup systems are compromised.
How to Prioritize Patching for June 2026
Not every organization can deploy all 200 patches simultaneously. Triage is necessary, and here is a practical framework for thinking through it.
Start with CVE-2026-45657. The wormable, CVSS 10.0 HTTP/2 flaw should be treated as an emergency for any organization running Windows Server with network-facing HTTP services. If you manage IIS deployments or HTTP-facing applications on Windows infrastructure, this is your first call.
Next, address the BitLocker bypass CVE-2026-50507 on any devices that travel outside physically secure locations. This is not a remote exploitation risk, but it is a data protection risk that is now known publicly.
The elevation of privilege zero-day CVE-2026-45586 should be patched across workstations and servers quickly. While it requires an existing foothold to exploit, it is exactly the kind of bug that gets chained with initial access vectors in targeted attacks.
After the zero-days, work through the 15 "Exploitation More Likely" vulnerabilities. Your endpoint security protection tools may flag telemetry that helps identify whether any systems show signs of attempted exploitation.
For enterprise environments using WSUS or Microsoft Endpoint Configuration Manager, June's scale means testing cycles should be compressed. The risk of a weaponized exploit appearing in the wild outweighs the operational risk of slightly accelerated deployment for the highest-severity items.
SMB environments without dedicated patch management infrastructure should enable automatic Windows updates immediately and verify that updates are applied successfully on all devices.
How to Apply the June 2026 Patch Tuesday Updates
For individual Windows users and small teams, the update process is straightforward. Open the Start menu, go to Settings, select Windows Update, and choose Check for Updates. If June updates are available, they will appear for download and installation. A restart is typically required to complete installation.
For enterprise environments, the deployment flow depends on your patch management toolchain. Organizations using Windows Server Update Services can approve the June 2026 update bundles for deployment to managed endpoints. Those using Microsoft Endpoint Configuration Manager can deploy via software update groups.
For servers running critical workloads, the recommended approach is to deploy to a staging group first, verify system stability, then push to production. Given the severity of this month's release, the staging cycle should be measured in hours rather than days for the highest-priority patches.
Organizations without formal patch management tools can use web application security testing services and related scanning capabilities to verify patch status across web-facing assets after deployment.
The canonical reference for all patch details, including specific KB article numbers and affected versions, is the Microsoft Security Update Guide available through the Microsoft Security Response Center portal.
The Nightmare Eclipse Threat Looming Over July 2026
The anonymous security researcher who publicly disclosed the GreenPlasma and YellowKey zero-days operates under the alias Nightmare Eclipse. Their approach is confrontational by design. They publish working exploit code for unpatched Windows vulnerabilities, then give Microsoft the clock pressure of public disclosure to force faster patching.
Before June's Patch Tuesday release, Nightmare Eclipse announced what they described as a "bone-shattering" drop of additional Windows zero-days planned for July 14, 2026. That date is not coincidental. It falls on the exact date of next month's Patch Tuesday.
Whether this is a credible threat or performance art designed to pressure Microsoft is unclear. But security teams should operate on the assumption that it is credible. Microsoft's team has roughly four weeks to identify and patch whatever vulnerabilities Nightmare Eclipse is planning to disclose. If those disclosures land publicly before patches are ready, July 2026 could be even more significant than June.
Organizations that want to get ahead of this should focus on strengthening their cyber resilience assessment posture now, before the July window arrives. Having extended detection and response (XDR) capabilities in place means that even if exploitation attempts occur against unpatched systems, behavioral detection can identify and contain them faster.
Proactive cyber threat intelligence monitoring of forums and disclosure channels where Nightmare Eclipse operates may also provide early warning of what vulnerabilities are coming. The dark web monitoring and threat intelligence landscape around Windows zero-days tends to become active quickly after public disclosures of this kind.
What This Means for the Broader Security Landscape
The June 2026 Patch Tuesday release is more than a big number. It is evidence of a trend that security professionals have been watching with increasing concern throughout 2026.
AI tools are accelerating vulnerability discovery. The same capabilities that help defenders find and fix bugs faster are also available to researchers publishing zero-days and, by extension, to threat actors scanning for exploitable weaknesses. The pace of discovery is increasing, and the monthly patching cycle is showing its age as a response mechanism.
Several security researchers have noted that the current model, where organizations have 30 days between Patch Tuesdays to deploy fixes, is increasingly misaligned with how fast exploit development happens after a vulnerability becomes public. The gap between disclosure and weaponization has narrowed significantly over the past two years.
This argues for continuous vulnerability management programs rather than monthly patch cycles. It argues for attack surface management that identifies exposed services before attackers do. And it argues for penetration testing that validates whether deployed patches actually closed the vulnerabilities they were meant to address.
For organizations that have been treating security updates as routine maintenance, June 2026 is a clear signal that the stakes are higher. The record-breaking volume reflects a threat landscape that is becoming more complex, not less. Treating patch deployment as a strategic security function rather than an IT maintenance task is no longer optional for any organization with meaningful exposure.
Expert Recommendations for June 2026Based on the June 2026 Patch Tuesday release, here is what we recommend for security teams:
Immediate (within 48 hours): Prioritize patching CVE-2026-45657 on all Windows Server instances with HTTP.sys exposure. This is your highest-risk item in the entire release. Treat it as an emergency change.
Short-term (within 72 hours): Deploy CVE-2026-45586 and CVE-2026-50507 patches across all enterprise endpoints. For BitLocker-dependent laptops and mobile devices, verify patch status and ensure devices are not taken off-site until patched.
This week: Work through the 15 "Exploitation More Likely" vulnerabilities. Run your vulnerability scanner against the full environment to verify deployment status.
This month: Review third-party patches from Ivanti, SAP, Veeam, and Ubiquiti. Assess whether your current patch management tooling can handle a 200+ CVE release month without operational gaps. If it cannot, that is a program gap to address before July.
Forward-looking: Engage AI-driven automated red teaming to validate that patched systems are actually protected. Confirmed patch deployment and confirmed protection are not the same thing.
Frequently Asked Questions
What is the Microsoft June 2026 Patch Tuesday?
Microsoft June 2026 Patch Tuesday is Microsoft's monthly security update released on June 10, 2026. It addresses 200 vulnerabilities across Windows, Office, Azure, Exchange Server, and other Microsoft products. It is the largest single Patch Tuesday release in the program's history and includes three publicly disclosed zero-day vulnerabilities.
How many zero-days were patched in June 2026 Patch Tuesday?
Three zero-day vulnerabilities were patched: CVE-2026-45657 (HTTP/2 wormable RCE with CVSS 10.0), CVE-2026-45586 "GreenPlasma" (elevation of privilege in Windows Collaborative Translation Framework), and CVE-2026-50507 "YellowKey" (BitLocker bypass). None of the three were confirmed as actively exploited in the wild at the time of the patch release.
Is CVE-2026-45657 being actively exploited?
As of the June 10, 2026 release date, no active exploitation of CVE-2026-45657 has been confirmed. However, its CVSS score of 10.0 and wormable classification make it a high-priority target for threat actors. Weaponized exploits for publicly known vulnerabilities of this severity can appear within days of disclosure. Immediate patching is strongly recommended.
Does the June 2026 Patch Tuesday affect Windows 11?
Yes. Windows 11 is among the affected products. Microsoft released cumulative updates KB5094126 and KB5093998 for Windows 11, which include the June security fixes. Windows 10 also received a cumulative update (KB5094127). Both should be deployed as soon as possible.
What is the YellowKey BitLocker vulnerability?
CVE-2026-50507, nicknamed YellowKey, is a security feature bypass vulnerability that allows an attacker with physical access to a device to circumvent BitLocker full-disk encryption and access data on the protected drive. It is rated Important severity. Remote exploitation is not possible, but the vulnerability is significant for organizations that use BitLocker to protect data on devices that could be lost or stolen.
Key Takeaways
The Microsoft June 2026 Patch Tuesday is the largest security update in the program's 23-year history. It patches 200 vulnerabilities, including 3 zero-days, 33 critical flaws, and a wormable HTTP/2 bug carrying the maximum possible CVSS score of 10.0. The update spans Windows 11, Windows Server, Office, Exchange, Azure, Hyper-V, and more.
Security teams should treat this as an emergency deployment cycle for the highest-severity items, not a routine monthly maintenance window. The broader context, including AI-accelerated vulnerability discovery and a threatened July zero-day drop from Nightmare Eclipse, suggests the pressure will not ease after June. Building faster, more continuous response capabilities now is the right strategic move.
Apply the patches. Verify the deployments. And watch July 14 closely.
Ready to strengthen your organization's patch management and vulnerability response capabilities? Explore Hoplon Infosec's security services to build a more resilient security
Published: June 10, 2026 | Author: Hoplon Infosec
Research Team | Last Updated: June 10, 2026
Expert Recommendations for June 2026Based on the June 2026 Patch Tuesday release, here is what we recommend for security teams: