Microsoft Patch Tuesday June 2026 has just dropped — and it is the largest security update in Microsoft’s history. This month’s rollout addresses 208 vulnerabilities, including a wormable Windows Kernel Remote Code Execution flaw with a CVSS score of 9.8 that every network administrator needs to act on today. If you manage Windows systems, servers, or enterprise networks, this guide breaks down exactly what is critical, what is actively exploited, and what you need to patch first.
Table of Contents
What Is Microsoft Patch Tuesday?
Microsoft Patch Tuesday is the monthly release of security updates published on the second Tuesday of every month. Security teams, system administrators, and IT managers worldwide treat this date as a critical calendar event. Missing it — especially when actively exploited zero-days are involved — can expose organizations to ransomware, data theft, and full network compromise.
June 2026’s Patch Tuesday, published on June 9, 2026, did not just break records on volume. It included 5 publicly disclosed zero-day vulnerabilities and 1 actively exploited in real attacks, making it one of the most dangerous patch cycles since the landmark Log4Shell era.
June 2026 Patch Tuesday: By the Numbers
| Category | Count |
|---|---|
| Total CVEs Addressed | 208 |
| Critical Vulnerabilities | 33 |
| Remote Code Execution (Critical) | 28 |
| Elevation of Privilege (Critical) | 4 |
| Information Disclosure (Critical) | 1 |
| Zero-Days (Publicly Disclosed) | 5 |
| Zero-Days (Actively Exploited) | 1 |
| Previous Record (May 2026) | 138 |
This is not a normal month. The jump from 138 to 208 represents a 51% increase in a single cycle. Microsoft has attributed this acceleration largely to AI-assisted vulnerability discovery tools that are finding software flaws faster than any human researcher pipeline could historically process.
The Most Critical Vulnerabilities — Ranked by Risk
Not every CVE demands the same urgency. Below are the vulnerabilities your security team needs to triage immediately, ordered by practical risk to enterprise networks.
CVE-2026-45657: The Wormable Windows Kernel Flaw (Priority #1)
This is the most dangerous vulnerability in the June 2026 Patch Tuesday release.
CVE-2026-45657 is a use-after-free vulnerability in the Windows Kernel. It carries a CVSS base score of 9.8 — the maximum practical score for a network-reachable flaw. Here is what makes it uniquely dangerous:
- No authentication required. An attacker does not need credentials of any kind.
- No user interaction required. The victim does not need to click anything.
- Network-reachable. An attacker can trigger it remotely by sending specially crafted TCP/IP packets.
- SYSTEM-level code execution. If successfully exploited, an attacker gains the highest privilege level on the operating system.
- Wormable. Security researchers at the Zero Day Initiative have confirmed this flaw’s characteristics allow it to self-propagate across networks — similar in profile to EternalBlue, the vulnerability behind WannaCry.
Affected Systems:
- Windows 11 (versions 23H2, 24H2, 25H2, 26H1) — x64 and ARM64
- Windows Server 2022
- Windows Server 2025 (including Server Core)
Microsoft has listed exploitation as “Less Likely” at this time — however, this designation means only that no public exploit code has been confirmed yet. With a CVSS 9.8 wormable kernel flaw, reverse engineering of the patch is already underway by threat actors globally. The window between patch release and weaponized exploit is shrinking every year.
Action Required: Deploy the June security update to all affected Windows systems immediately. Every hour of delay is a window of exposure.
CVE-2026-47291: HTTP.sys Remote Code Execution
The second CVSS 9.8 vulnerability this month lives in Windows HTTP Protocol Stack (HTTP.sys) — the kernel-mode driver that powers IIS, Windows Remote Management, and dozens of Windows services.
An attacker can send a specially crafted HTTP request to trigger an integer overflow (CWE-190), resulting in remote code execution with no user interaction required. Microsoft has rated this as “Exploitation More Likely” — a stronger warning than CVE-2026-45657.
Temporary Mitigation (if patching is delayed):
Microsoft has published a registry workaround. Systems using the default MaxRequestBytes registry value are not affected. Edit your registry settings as a stopgap while testing the patch.
Who Is at Risk: Any Windows server fronting HTTP traffic — web servers, API gateways, Windows Server endpoints running IIS or WinRM.
🔗 Internal Link Opportunity #1: If your organization runs exposed servers without a hardware firewall in front of them, explore enterprise-grade firewalls at Jazz Cyber Shield — including Fortinet, SonicWall, and WatchGuard appliances that can segment and filter inbound HTTP traffic before it ever reaches a vulnerable Windows stack.
CVE-2026-44815: Windows DHCP Client RCE — Every Endpoint at Risk
CVE-2026-44815 is a stack-based buffer overflow in the Windows DHCP Client service with a CVSS score of 9.8. An attacker positioned on the same network segment can send a malicious DHCP response that triggers code execution on any connected client — without authentication, without user interaction.
This is a LAN-level attack vector, which is why it is particularly dangerous in:
- Office environments with shared wired/wireless networks
- Campus and enterprise networks
- Remote offices without proper network segmentation
If an attacker compromises a single device already inside your network — or gains access through a phishing payload — CVE-2026-44815 can cascade into full lateral movement.
How to Reduce Risk Beyond Patching:
- VLAN segmentation — isolate workstations from servers and IoT devices
- DHCP snooping — enabled on managed switches to validate DHCP responses
- Zero-trust network architecture — do not assume internal traffic is trusted
🔗 Internal Link Opportunity #2: Proper VLAN segmentation requires managed network switches with DHCP snooping support. Browse Jazz Cyber Shield’s Network Switches collection — featuring HPE Aruba, Cisco Catalyst, and enterprise-grade Ruckus options designed for secure network segmentation.
CVE-2026-41091: Microsoft Defender Elevation of Privilege
This flaw is notable because it is already being actively exploited in the wild — making it the one confirmed in-the-wild zero-day of this Patch Tuesday cycle.
CVE-2026-41091 allows a local attacker to elevate privileges to SYSTEM level by exploiting a race condition in Microsoft Defender. The good news: Defender updates itself automatically in most configurations. The bad news: isolated environments, air-gapped systems, or misconfigured endpoints may not have received the update automatically.
Multiple independent researchers were credited for reporting this flaw — typically an indicator that it has been observed across multiple threat actor campaigns, not just theoretical research.
Action: Verify the latest Defender platform version (4.18.26040.1011 or later) is deployed across your entire fleet.
CVE-2026-45585 & CVE-2026-45586: BitLocker and CTFMON Zero-Days
These two publicly disclosed zero-days were linked to the security researcher known as Nightmare Eclipse, who has released a series of Windows exploit chains in 2026.
CVE-2026-45585 (“YellowKey”) — a BitLocker Security Feature Bypass. An attacker with physical access can place crafted files on a USB drive or EFI partition, boot into the Windows Recovery Environment, and gain unrestricted access to BitLocker-encrypted data.
CVE-2026-45586 (“GreenPlasma”) — a Windows CTFMON Elevation of Privilege. Exploiting this flaw allows an attacker to obtain a SYSTEM-level shell. This has been chained with other exploits in multi-stage attack scenarios.
For organizations protecting laptops, remote worker devices, or any BitLocker-encrypted endpoint, patch before any device leaves physical premises.
Why Is Microsoft Patching Record Numbers of Vulnerabilities in 2026?
The volume of Microsoft Patch Tuesday CVEs has escalated dramatically throughout 2025 and 2026. May 2026 saw 138 CVEs — itself a high watermark. June 2026 broke that record with 208.
Microsoft has acknowledged the trend publicly: AI-assisted vulnerability discovery is finding software flaws at a rate that far exceeds historical human-researcher throughput. Microsoft’s own multi-model scanning systems, combined with third-party AI tools and external AI security models, are surfacing vulnerabilities in legacy codebases that would have gone undetected for years under traditional manual auditing.
As one Microsoft executive framed it: the proverbial box has been opened. As AI models become more advanced, monthly CVE counts are expected to continue rising — across Microsoft and across the entire software industry.
This means the patch management discipline your organization maintains today will become exponentially more critical over the next 24 months.
How to Protect Your Network Right Now
Beyond patching, organizations need layered defenses. A single missed patch in a sprawling enterprise is almost inevitable. The question is: what stops exploitation even when a vulnerable system exists?
1. Next-Generation Firewalls (NGFWs)
A properly configured NGFW with deep packet inspection can detect and block exploit traffic patterns associated with known CVEs — even before patches are deployed. Fortinet FortiGate, SonicWall TZ/NSa series, and WatchGuard Firebox appliances all include IPS (Intrusion Prevention System) signatures that are updated continuously as new CVEs emerge.
2. Network Segmentation
Separate your attack surface. Workstations, servers, IoT devices, and guest networks should never share the same broadcast domain. Managed switches with VLAN support are the foundation of this architecture.
3. Endpoint Detection and Response (EDR)
Behavioral-based EDR solutions can detect post-exploitation activity — privilege escalation attempts, lateral movement — even when the initial exploit itself was not blocked.
4. Patch Management Automation
Manual patching at enterprise scale is not reliable. Solutions like Microsoft WSUS, Intune, or third-party patch management platforms can ensure critical updates reach every endpoint within hours of release.
🔗 Internal Link Opportunity #3: Read our complete guide to network security fundamentals — covering VLANs, firewall configuration, and switch security for SMBs and enterprise IT teams.
Patching Priority Checklist for IT Administrators
Use this checklist to triage the June 2026 Patch Tuesday updates in order of urgency:
Patch Immediately (Within 24 Hours):
- ☐ CVE-2026-45657 — Windows Kernel RCE (CVSS 9.8, wormable) — all supported Windows 11 and Server versions
- ☐ CVE-2026-47291 — HTTP.sys RCE (CVSS 9.8, “Exploitation More Likely”) — apply registry mitigation first if patching is delayed
- ☐ CVE-2026-44815 — DHCP Client RCE (CVSS 9.8) — all endpoints
- ☐ CVE-2026-41091 — Defender EoP (actively exploited) — verify auto-update or apply manually in isolated environments
Patch Within 48–72 Hours:
- ☐ CVE-2026-45585 — BitLocker Bypass (“YellowKey”) — before any device leaves physical control
- ☐ CVE-2026-45586 — CTFMON EoP (“GreenPlasma”) — all Windows endpoints
- ☐ CVE-2026-42897 — Exchange Server RCE (actively exploited) — apply immediately
Patch Within One Week:
- ☐ Remaining Critical RCEs: Active Directory Domain Services (CVE-2026-45648), Azure Kubernetes Service (CVE-2026-32193), Remote Desktop Client cluster
- ☐ All remaining Important-rated updates through standard patch management cycle
FAQ: Microsoft Patch Tuesday June 2026
Q: Is CVE-2026-45657 being actively exploited right now?
As of June 12, 2026, Microsoft has not confirmed active exploitation. However, the wormable CVSS 9.8 profile means threat actors are actively developing exploit code from the public patch. Time to exploitation for high-profile CVEs has compressed significantly in 2026.
Q: Does this affect home users or only enterprise systems?
CVE-2026-45657 affects Windows 11 — which means home users running supported Windows versions are also affected. Windows Update should apply the patch automatically if configured correctly.
Q: What is the difference between “Exploitation More Likely” and “Exploitation Less Likely”?
Microsoft’s Exploitability Index reflects the probability of functional exploit code being developed within 30 days of disclosure. “More Likely” means Microsoft assesses a high chance of weaponization; “Less Likely” still means exploitation is possible — particularly for high-CVSS flaws attracting intense researcher attention.
Q: Should I prioritize patching over system stability testing?
For CVSS 9.8 network-reachable vulnerabilities — especially wormable ones — the risk of not patching exceeds the risk of patch-related instability. Apply emergency patches to internet-facing systems first, then roll out to the rest of the fleet with normal testing cycles.
Q: Why did the CVE count jump so dramatically in June 2026?
Microsoft has publicly stated that AI-assisted vulnerability discovery tools are finding flaws at unprecedented rates. This trend is expected to continue and accelerate.
Final Thoughts
Microsoft Patch Tuesday June 2026 is not a month to defer. With a wormable CVSS 9.8 Windows Kernel flaw, three additional CVSS 9.8 vulnerabilities, and one actively exploited zero-day already in circulation, this update cycle represents genuine enterprise-level risk. The combination of AI-accelerated vulnerability discovery and increasingly sophisticated threat actors means the window between patch release and weaponized exploit is narrower than ever.
Patch CVE-2026-45657 today. Apply the HTTP.sys registry mitigation if patching cannot begin immediately. Verify Defender is current. Then work through the rest of the checklist methodically.
Your network perimeter is only as strong as your slowest patch cycle.
Sources: Zero Day Initiative, BleepingComputer, CrowdStrike, Cisco Talos Intelligence, CISA Known Exploited Vulnerabilities Catalog, Microsoft Security Response Center
