GoKawiilMicrosoft's June 2026 Patch Tuesday update with fixes for a record 206 unique CVEs is the latest sign of what is quickly becoming the new normal for organizations as AI accelerates vulnerability discovery.
Three of the flaws in the mammoth update are previously disclosed zero-day bugs. They are part of a broader set of 13 vulnerabilities Microsoft flagged as "Exploitation More Likely," indicating heightened near-term risk for organizations. The update also includes 32 critical-severity vulnerabilities, five of which carry CVSS scores of 9.0 or higher on the 10-point scale.
Three Previously Disclosed and Other High Priority Bugs
As has been the case recently, a high percentage of vulnerabilities in the release are either remote code execution (RCE) vulnerabilities or elevation of privilege (EoP) bugs. Other, relatively less common vulnerability types include those that enable denial-of-service conditions, data theft, and security features bypass.
Related:Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address
Security researchers pointed to the three previously disclosed vulnerabilities as issues meriting immediate attention. The three flaws include CVE-2026-45586 (CVSS: 7.8), an EoP bug in Windows Collaborative Translation Framework (CTFMON) that attackers can exploit to gain SYSTEM level privileges; CVE-2026-49160 (CVSS: 7.5), a denial-of-service bug in Windows.sys; and CVE-2026-50507 (CVSS: 6.8), which enables bypass of Microsoft's BitLocker security feature.
Amol Sarwate, head of security research at Cohesity, flagged two near-maximum severity vulnerabilities in this month's release as top priorities. One is an RCE flaw in Windows HTTP.sys, CVE-2026-47291 (CVSS: 9.8); the other is CVE‑2026‑44815 (CVSS: 9.8) in the Windows DHCP Client service. "CVE-2026-47291 should be of top priority because it allows unauthenticated attackers to remotely achieve full compromise without any user interaction, making it potentially wormable," Sarwate warned in prepared comments. "CVE‑2026‑44815 falls in the same category, as the DHCP Client runs on virtually every Windows endpoint, giving it an enormous attack surface."
Researchers at Action1 included two critical RCE bugs in Windows Graphics Component — CVE-2026-44812 (CVSS: 7.8) and CVE-2026-44803 (CVSS: 7.8) — and CVE-2026-42987 (CVSS: 8.1), an RCE in Windows Deployment Services, as flaws meriting high priority attention. The company described CVE-2026-44812 as the "doorway to full system compromise," and CVE-2026-44803 as enabling a single preview action to "open the door to code execution.”
Related:Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs
Notably, Microsoft's June update did not appear to contain any fixes for multiple vulnerabilities that a disgruntled security researcher known as Nightmare Eclipse disclosed recently. The vulnerabilities tracked as YellowKey, GreenPlasma, and MiniPlasma enable a range of malicious actions including security feature bypass and privilege escalation.
... continue reading