June\u2019s Patch Tuesday<\/a> arrives as the largest release in the history of the program with 198 vulnerabilities requiring customer action, 32 rated critical and 166 important, breaking the previous record of 167 CVEs set in October 2025. Before getting into this month is worth reviewing CVE-2026-41089<\/a>, the Netlogon remote code execution flaw patched on May 12, was confirmed as actively exploited in the wild on June 1. The fix ships in both the May 12 update and this month\u2019s June cumulative update so organizations whose domain controllers have neither should deploy whichever package their change process can push as soon as possible. <\/p>\n The record volume is worth a moment of analysis before the CVE-by-CVE detail, because it looks less like an anomaly and more like a trend. Security researchers have broadly adopted AI tooling for vulnerability discovery, and the June release carries direct evidence of the shift: Microsoft credits OpenAI\u2019s Codex with reporting CVE-2026-49160<\/a>, one of this month\u2019s three publicly disclosed zero-days. AI usage among security professionals is increasing and this volume of patches may simply be the new norm, with the trend continuing upward as more capable models become available. <\/p>\n If that read is correct, the knock-on effect for patch management is structural rather than seasonal. AI-assisted research finds more bugs per researcher per month, vendors fix more bugs per cycle, and the operational load of testing and deploying patches grows accordingly. Two hundred CVEs in a month stops being a headline and becomes a planning baseline. Teams sizing their patching process against last year\u2019s volumes are sizing it against a world that no longer exists. <\/p>\n None of today\u2019s patches cover vulnerabilities confirmed as actively exploited at release. Elevation of privilege is the dominant category: 65 EoP vulnerabilities, nearly a third of the batch, pointing to continued attacker focus on local privilege escalation as a post-access technique. <\/p>\n One delivery detail for hotpatch-enrolled environments: Microsoft is shipping the June security update as a baseline update rather than a hotpatch for some Windows 11 Enterprise LTSC systems because of a publicly disclosed BitLocker vulnerability, CVE-2026-45585<\/a>, that cannot be fully remediated through hotpatching. Devices on the hotpatch cadence will take a restart this month. Plan maintenance windows accordingly. <\/p>\n Three publicly disclosed zero-days arrive this month, none confirmed exploited at patch time. CVE-2026-50507<\/a> is the fix for YellowKey<\/a>, the Windows BitLocker bypass published last month with proof-of-concept code by the researcher known as Nightmare Eclipse. The vulnerability let an attacker with physical access hold the CTRL key while booting into Windows Recovery Environment, opening a command shell with full access to BitLocker-protected drives. Affected configurations are TPM-only deployments on Windows 11 and Windows Server 2022 and 2025. Physical access is required, but that is exactly the attack BitLocker is supposed to prevent, and organizations running TPM-only mode for mobile workers or branch office hardware should revisit that configuration now that a working exploit is public. The second BitLocker security feature bypass, CVE-2026-45585<\/a>, lands in the same release and drove the baseline delivery decision above. Treat both BitLocker fixes as one remediation effort, and pair them with a configuration review of TPM-only deployments. <\/p>\n CVE-2026-49160<\/a> patches the HTTP\/2 Bomb<\/a>, a denial-of-service technique disclosed by researchers at offensive security firm Calif.io. The attack abuses HTTP\/2\u2019s header compression and flow control to force a server to allocate large amounts of memory against minimal inbound traffic; researchers showed it could take web servers offline in under a minute. Microsoft\u2019s fix covers HTTP.sys and introduces a new MaxHeadersCount registry setting (KB5102602) that caps header count in HTTP\/2 and HTTP\/3 requests. Internet-facing IIS installations and other Windows-based web services should get this patch quickly, and the registry setting applied on exposed servers as an additional control. <\/p>\n CVE-2026-45586<\/a> patches a publicly disclosed elevation of privilege flaw in the Windows Collaborative Translation Framework (CTFMON) that reaches SYSTEM through a link-following weakness. The CTF subsystem runs beneath text services, language bars, and accessibility components throughout Windows. A reliable SYSTEM-level path through that code gets incorporated into post-exploitation toolkits fast once it is public. <\/p>\n The critical RCE picture is dense this cycle. CVE-2026-45648<\/a> is a critical remote code execution flaw in Windows Active Directory Domain Services, putting the authentication backbone of every domain-joined environment in scope. Three critical Hyper-V vulnerabilities (CVE-2026-47652<\/a>, CVE-2026-45641<\/a>, and CVE-2026-45607<\/a>) are VM guest-to-host escape flaws that allow code execution on the hypervisor host itself, bypassing workload isolation entirely. Any environment using Hyper-V for hosting or tenant separation should push those patches. <\/p>\n Microsoft Office accounts for a heavy share of the critical RCE count. CVE-2026-45458<\/a>, CVE-2026-45456<\/a>, and CVE-2026-47635<\/a> are three critical Outlook and Word RCE vulnerabilities exploitable through malicious document delivery, joined by additional critical Office RCE flaws in CVE-2026-45474<\/a>, CVE-2026-45472<\/a>, CVE-2026-45463<\/a>, and CVE-2026-45461<\/a>. Document-based RCE vulnerabilities in Office move from disclosure to exploitation tooling quickly; revisiting attachment filtering policies for RTF and legacy Office formats is a sensible parallel step while patches are being tested and deployed. <\/p>\n The Remote Desktop Client receives 11 CVEs this month, four rated critical: CVE-2026-44801<\/a>, CVE-2026-44799<\/a>, CVE-2026-42992<\/a>, and CVE-2026-42985<\/a>. That volume of RDP client research landing in one cycle is worth noting; concentrated investment in RDP attack surface has historically preceded working exploit code. <\/p>\n Exchange Server collects seven CVEs this month: three spoofing vulnerabilities (CVE-2026-45500<\/a>, CVE-2026-45501<\/a>, CVE-2026-47631<\/a>), two information disclosure flaws (CVE-2026-45502<\/a>, CVE-2026-45503<\/a>), one elevation of privilege (CVE-2026-45504<\/a>), and the RCE CVE-2026-45583<\/a>. On-premises Exchange administrators should treat these as a single update rather than triage them individually; the spoofing and information disclosure bugs are typically the reconnaissance step before eventual code execution, and the full Exchange update closes the chain. <\/p>\n The EoP count deserves specific attention for teams managing post-exploitation risk. The Windows DWM Core Library accounts for 11 EoP CVEs; Windows Ancillary Function Driver for WinSock carries 7; Windows Push Notifications adds 4 more. Two Windows Kernel EoP vulnerabilities, CVE-2026-48583<\/a> and CVE-2026-45653<\/a>, are rated critical. Worth singling out is CVE-2026-44810<\/a>, a critical flaw in Microsoft Cryptographic Services. An EoP in cryptographic infrastructure can affect trust verification and key management across an environment, not merely escalate one session. <\/p>\nWhy Is This the Biggest Patch Tuesday Ever?<\/h2>\n
Microsoft Vulnerabilities<\/h2>\n