Microsoft’s June 2026 Patch Tuesday update is here, and this time it is massive, with fixes released for a whopping 206 security bugs. This includes 33 critical and 167 important vulnerabilities, along with three zero-day flaws that were already public knowledge prior to patching.
Collectively, the update issues patches for bugs found inside a wide range of software, most notably being Windows Media, NTFS, Hyper-V, BitLocker, Bluetooth drivers, Boot Manager, Copilot, and Exchange Server, among others.
Publicly Disclosed Zero-Day Flaws
The three zero-days bear operational risk because their technical details were leaked before updates were ready. Included in these flaws is CVE-2026-49160, a denial-of-service DoS vulnerability inside HTTP.sys that allows attackers to remotely crash targeted Windows servers by sending custom web requests.
CVE-2026-45586 is a privilege escalation vulnerability in the Windows CTFMON service that local attackers can exploit to obtain system-level administrator rights. Third is CVE-2026-50507, a security feature bypass flaw allowing a physical attacker to circumvent Windows BitLocker drive encryption.
Core Windows Kernel Flaws (CVSS 9.8)
Several exploitable core operating system bugs were fixed that could’ve let hackers infiltrate systems without using any passwords, including CVE-2026-45657. It is a use-after-free condition (a memory glitch involving a program accessing data from a deleted slot) that basically lets attackers use specialised network traffic to hack x64 and ARM64 devices/systems running Windows 11 and Windows Server 2022/2025.
Web and Network Stack Issues (CVSS 9.8)
CVE-2026-47291 impacts HTTP.sys, which handles incoming web traffic on Windows PCs. It is an integer overflow bug (where the system receives a number too large to store, causing a crash). By sending a malformed network packet (a corrupted data package), hackers can execute code on Windows 10, 11, and Windows Server (2012-2025) systems using large traffic limits.
Identity Control and Server Automation (CVSS 9.8)
Identity and network configuration systems face major threats this month, especially CVE-2026-41089, which is a stack-based buffer overflow issue (memory overload that releases data outside its boundaries) found within Windows domain controllers.
This flaw gives hackers full control over corporate identity networks. Another bug, tracked as CVE-2026-44815, causes a memory overflow in which the system processes malicious traffic sent to its automatic internet setup service to target enterprise networks running Windows 10.
Healthcare Software Threats (CVSS 9.8)
Hospitals face a direct threat from CVE-2026-26142, a deserialization bug where an application incorrectly decodes raw data and runs hidden commands. It lets network attackers execute code inside medical dictation tools like PowerScribe 360 and PowerScribe One.
Mobile Authentication Exploits (CVSS 9.6)
Smartphones are also a target for data theft with CVE-2026-41615, as it leaks sign-in access tokens on Android and iOS, because of which attackers can send fake requests to steal work credentials if a user taps approve.
Remote Work Risks (CVSS 8.8)
For remote employees, CVE-2026-47289 and CVE-2026-42985 present memory corruption threats as these bugs trigger when a workstation connects to a rogue server that forces a malformed security certificate onto the client machine.
Server Deployment Gaps (CVSS 8.1)
Corporate server setup tools are at risk from CVE-2026-42987. It is a memory bug impacting the OS installation utility on Windows Server 2012-2025. Hackers can exploit a timing race condition (beating a computer’s processing speed to alter its behavior) via malicious TFTP traffic to hijack the server.
File Explorer and Desktop Preview Flaws (CVSS 7.8)
Desktops can be compromised from everyday file viewing because of CVE-2026-44812 and CVE-2026-44803. These allow attackers to run code if a user previews or opens an infected file in Windows File Explorer or Android Office apps.
What to Do
Autonomous patch management experts at Action1 shared a detailed analysis of Microsoft’s Patch Tuesday with Hackread.com, complete with crucial tips for administrators to stay safe, which is available here. It is important to install these updates right away; administrators should patch identity controllers, remote tools, and internet-facing servers first to protect enterprise networks and devices.
Experts’ comments:
Security experts from Action1 shared their perspectives with Hackread.com, outlining the critical nature of this month’s release:
“Microsoft’s June Patch Tuesday is one of the largest in recent memory, addressing 198 vulnerabilities, including 32 critical flaws and three actively exploited zero-days. The unusually high volume reflects a broader shift in vulnerability research, as AI-assisted analysis and initiatives like Mythos enable researchers to identify security flaws faster than ever,” said Jack Bicer, Director of Vulnerability Research at Action1
“With three zero-days already being exploited in the wild, this month’s updates should be treated as a priority, and IT teams should move quickly to assess their exposure and deploy patches across affected systems,” Jack advised.
On the high-priority network risk targeting web infrastructure (CVE-2026-49160), Mike Walters, President and Co-Founder of Action1, explained that “An uncontrolled resource consumption vulnerability in HTTP.sys could allow an unauthenticated attacker to cause a denial of service over the network. The issue affects HTTP/2 handling and can impact system availability without requiring privileges or user interaction.”
While the vulnerability does not expose data or allow code execution, it can disrupt services that depend on affected Windows systems. This patch should be prioritized because exploitation is rated more likely, the vulnerability is network-accessible, and no authentication is required,” Mike added.
On the privilege elevation threat (CVE-2026-45586), Alex Vovk, CEO and Co-Founder of Action1, stated that, “This elevation of privilege vulnerability in Windows Collaborative Translation Framework, also known as CTFMON, could allow a local authenticated attacker to gain SYSTEM privileges. The issue is caused by improper link resolution before file access, also known as link following. A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time.”
