June 2026 Patch Tuesday: A Record 198 CVEs, Three Zero-Days, and a Glimpse of the AI-Driven Future of Vulnerability Research

June’s Patch Tuesday arrives as the largest release in the history of the program with 198 vulnerabilities requiring customer action, 32 rated critical and 166 important, breaking the previous record of 167 CVEs set in October 2025. Before getting into this month is worth reviewing CVE-2026-41089, the Netlogon remote code execution flaw patched on May 12, was confirmed as actively exploited in the wild on June 1. The fix ships in both the May 12 update and this month’s June cumulative update so organizations whose domain controllers have neither should deploy whichever package their change process can push as soon as possible.

Why Is This the Biggest Patch Tuesday Ever?

The record volume is worth a moment of analysis before the CVE-by-CVE detail, because it looks less like an anomaly and more like a trend. Security researchers have broadly adopted AI tooling for vulnerability discovery, and the June release carries direct evidence of the shift: Microsoft credits OpenAI’s Codex with reporting CVE-2026-49160, one of this month’s three publicly disclosed zero-days. AI usage among security professionals is increasing and this volume of patches may simply be the new norm, with the trend continuing upward as more capable models become available.

If that read is correct, the knock-on effect for patch management is structural rather than seasonal. AI-assisted research finds more bugs per researcher per month, vendors fix more bugs per cycle, and the operational load of testing and deploying patches grows accordingly. Two hundred CVEs in a month stops being a headline and becomes a planning baseline. Teams sizing their patching process against last year’s volumes are sizing it against a world that no longer exists.

Microsoft Vulnerabilities

None of today’s patches cover vulnerabilities confirmed as actively exploited at release. Elevation of privilege is the dominant category: 65 EoP vulnerabilities, nearly a third of the batch, pointing to continued attacker focus on local privilege escalation as a post-access technique.

One delivery detail for hotpatch-enrolled environments: Microsoft is shipping the June security update as a baseline update rather than a hotpatch for some Windows 11 Enterprise LTSC systems because of a publicly disclosed BitLocker vulnerability, CVE-2026-45585, that cannot be fully remediated through hotpatching. Devices on the hotpatch cadence will take a restart this month. Plan maintenance windows accordingly.

Three publicly disclosed zero-days arrive this month, none confirmed exploited at patch time. CVE-2026-50507 is the fix for YellowKey, the Windows BitLocker bypass published last month with proof-of-concept code by the researcher known as Nightmare Eclipse. The vulnerability let an attacker with physical access hold the CTRL key while booting into Windows Recovery Environment, opening a command shell with full access to BitLocker-protected drives. Affected configurations are TPM-only deployments on Windows 11 and Windows Server 2022 and 2025. Physical access is required, but that is exactly the attack BitLocker is supposed to prevent, and organizations running TPM-only mode for mobile workers or branch office hardware should revisit that configuration now that a working exploit is public. The second BitLocker security feature bypass, CVE-2026-45585, lands in the same release and drove the baseline delivery decision above. Treat both BitLocker fixes as one remediation effort, and pair them with a configuration review of TPM-only deployments.

CVE-2026-49160 patches the HTTP/2 Bomb, a denial-of-service technique disclosed by researchers at offensive security firm Calif.io. The attack abuses HTTP/2’s header compression and flow control to force a server to allocate large amounts of memory against minimal inbound traffic; researchers showed it could take web servers offline in under a minute. Microsoft’s fix covers HTTP.sys and introduces a new MaxHeadersCount registry setting (KB5102602) that caps header count in HTTP/2 and HTTP/3 requests. Internet-facing IIS installations and other Windows-based web services should get this patch quickly, and the registry setting applied on exposed servers as an additional control.

CVE-2026-45586 patches a publicly disclosed elevation of privilege flaw in the Windows Collaborative Translation Framework (CTFMON) that reaches SYSTEM through a link-following weakness. The CTF subsystem runs beneath text services, language bars, and accessibility components throughout Windows. A reliable SYSTEM-level path through that code gets incorporated into post-exploitation toolkits fast once it is public.

The critical RCE picture is dense this cycle. CVE-2026-45648 is a critical remote code execution flaw in Windows Active Directory Domain Services, putting the authentication backbone of every domain-joined environment in scope. Three critical Hyper-V vulnerabilities (CVE-2026-47652, CVE-2026-45641, and CVE-2026-45607) are VM guest-to-host escape flaws that allow code execution on the hypervisor host itself, bypassing workload isolation entirely. Any environment using Hyper-V for hosting or tenant separation should push those patches.

Microsoft Office accounts for a heavy share of the critical RCE count. CVE-2026-45458, CVE-2026-45456, and CVE-2026-47635 are three critical Outlook and Word RCE vulnerabilities exploitable through malicious document delivery, joined by additional critical Office RCE flaws in CVE-2026-45474, CVE-2026-45472, CVE-2026-45463, and CVE-2026-45461. Document-based RCE vulnerabilities in Office move from disclosure to exploitation tooling quickly; revisiting attachment filtering policies for RTF and legacy Office formats is a sensible parallel step while patches are being tested and deployed.

The Remote Desktop Client receives 11 CVEs this month, four rated critical: CVE-2026-44801, CVE-2026-44799, CVE-2026-42992, and CVE-2026-42985. That volume of RDP client research landing in one cycle is worth noting; concentrated investment in RDP attack surface has historically preceded working exploit code.

Exchange Server collects seven CVEs this month: three spoofing vulnerabilities (CVE-2026-45500, CVE-2026-45501, CVE-2026-47631), two information disclosure flaws (CVE-2026-45502, CVE-2026-45503), one elevation of privilege (CVE-2026-45504), and the RCE CVE-2026-45583. On-premises Exchange administrators should treat these as a single update rather than triage them individually; the spoofing and information disclosure bugs are typically the reconnaissance step before eventual code execution, and the full Exchange update closes the chain.

The EoP count deserves specific attention for teams managing post-exploitation risk. The Windows DWM Core Library accounts for 11 EoP CVEs; Windows Ancillary Function Driver for WinSock carries 7; Windows Push Notifications adds 4 more. Two Windows Kernel EoP vulnerabilities, CVE-2026-48583 and CVE-2026-45653, are rated critical. Worth singling out is CVE-2026-44810, a critical flaw in Microsoft Cryptographic Services. An EoP in cryptographic infrastructure can affect trust verification and key management across an environment, not merely escalate one session.

One item specific to healthcare environments: CVE-2026-26142 is a critical RCE in Nuance PowerScribe, the dictation and reporting platform common in radiology departments. Patient data exposure and disruption to diagnostic reporting carry HIPAA breach notification implications. Organizations with PowerScribe in the environment should apply this update.

Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of established best practices and informed judgment. Severity ratings matter, but they are not the whole picture. The gap between vulnerability disclosure and patch deployment factors significantly into real-world exposure. This cycle, prioritization is driven primarily by exploitation status, public proof-of-concept availability, and attack surface breadth.

The table below lists high-priority vulnerabilities from this cycle, one row per CVE, each linked to Microsoft’s release notes for that CVE. The actively exploited Netlogon flaw (CVE-2026-41089) from May leads the list because any organization that has not applied the May cumulative update is facing active attacks against that vulnerability right now.

CVE-2026-41089 (May Patch, June Urgency)

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow in Windows Netlogon. An unauthenticated attacker with network access to a domain controller can achieve SYSTEM-level code execution with no credentials and no user interaction required. Belgium’s Centre for Cybersecurity confirmed active exploitation on June 1, three weeks after Microsoft patched it in May with an initial assessment of ‘exploitation less likely.’ Proof-of-concept code is publicly available. Successful exploitation on a domain controller means full Active Directory domain compromise: privileged account creation, credential harvesting, and lateral movement across every system authenticating against that controller. If the May 12 cumulative update has not been applied to domain controllers, that should happen before anything in June’s batch.

Two Deadlines Riding Alongside This Release

Secure Boot Certificate Expiration: 15 Days Left

The Secure Boot certificates that have governed Windows boot security since 2011 begin expiring on June 24. Microsoft Corporation KEK CA 2011 expires June 24, 2026, and Microsoft Corporation UEFI CA 2011 expires June 27. Devices that have not received the 2023 replacement certificates will continue booting and receiving standard Windows updates after those dates, but they permanently lose the ability to receive new boot-level security protections: updates to Windows Boot Manager, Secure Boot databases, and revocation lists that block bootkit malware. Future Windows major version upgrades will also eventually require the 2023 certificate.

The key operational point for MSPs and IT professionals: Windows Server requires manual action to update Secure Boot certificates, unlike Windows PCs, which receive the transition through Controlled Feature Rollout automatically. Server administrators should work through Microsoft’s Windows Server Secure Boot playbook and complete the transition on all Windows Server deployments before June 24. Managed enterprise environments using update rings need to verify completion status across their fleet; incorrect remediation steps can leave systems unbootable, so testing against representative hardware before a broad rollout is essential. This month’s cumulative update also resolves the failures seen when installing KB5089549 on Windows 11 devices with limited EFI System Partition space, directly unblocking the Secure Boot transition on a subset of affected devices.

Defender for Endpoint EDR Updates Decoupled from Patch Tuesday

Microsoft announced on June 8 that Defender for Endpoint EDR sensor updates will no longer be bundled with monthly Windows cumulative updates. Starting with Windows 10 in late May, EDR updates now ship independently through Microsoft Update via KB5005292, with Windows 11 and remaining supported versions to follow by fall 2026.

For environments applying updates automatically through Microsoft Update, no action is needed. The impact falls on shops using manual update package deployment: the new standalone Defender EDR package needs to be included in the deployment process, or the EDR sensor will fall behind the OS patch cycle on its own schedule. MSPs managing endpoint fleets under patching agreements should check their deployment tooling and track the MsSense.exe engine version as a separate compliance signal from OS patch level. The change allows Microsoft to push behavioral detection improvements between Patch Tuesdays, but only in environments where tooling has been updated to handle the new delivery method.

Summary

June 2026 is the largest Patch Tuesday on record: 198 CVEs, 32 critical, three publicly disclosed zero-days, led by the YellowKey BitLocker bypass (CVE-2026-50507), the HTTP/2 Bomb DoS (CVE-2026-49160), and the CTFMON privilege escalation (CVE-2026-45586), with a second BitLocker bypass (CVE-2026-45585) forcing baseline delivery for hotpatch-enrolled Windows 11 Enterprise systems. Critical RCE patches cover Active Directory Domain Services, Hyper-V VM escape paths, Office and Outlook, and 11 Remote Desktop Client vulnerabilities. The May Netlogon flaw (CVE-2026-41089) is under active exploitation and comes before anything in this batch for organizations that have not applied May’s cumulative update. The Secure Boot certificate deadline of June 24 requires immediate manual action on Windows Server, and the Defender EDR decoupling requires teams using manual deployment to update their tooling.

If AI-assisted vulnerability research is driving this volume, and the evidence increasingly says it is, then records like this one will keep falling. The right response is not severity-driven triage at a larger scale; it is prioritization built around exploitation status, public proof-of-concept code, and exposure, executed by tooling and process sized for 200-CVE months. Explore N‑able’s Patch Management capabilities to build the operational capacity this environment demands