Microsoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days

Summary

Microsoft's June 2026 Patch Tuesday addresses a significant number of vulnerabilities, totaling 206. Among these are three zero-day flaws that were publicly known before the patches were released, posing an immediate operational risk. The update also includes numerous critical and important vulnerabilities affecting core Windows components, network services, and specific applications like Exchange Server and healthcare dictation tools.

Full text

Security MicrosoftMicrosoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days Microsoft’s June 2026 patch Tuesday resolves 206 vulnerabilities, including 3 critical zero-days and severe 9.8 CVSS kernel, network and HTTP.sys flaws. byDeeba AhmedJune 10, 20264 minute read Microsoft’s June 2026 Patch Tuesday update is here, and this time it is massive, with fixes released for a whopping 206 security bugs. This includes 33 critical and 167 important vulnerabilities, along with three zero-day flaws that were already public knowledge prior to patching. Collectively, the update issues patches for bugs found inside a wide range of software, most notably being Windows Media, NTFS, Hyper-V, BitLocker, Bluetooth drivers, Boot Manager, Copilot, and Exchange Server, among others. Publicly Disclosed Zero-Day Flaws The three zero-days bear operational risk because their technical details were leaked before updates were ready. Included in these flaws is CVE-2026-49160, a denial-of-service DoS vulnerability inside HTTP.sys that allows attackers to remotely crash targeted Windows servers by sending custom web requests. CVE-2026-45586 is a privilege escalation vulnerability in the Windows CTFMON service that local attackers can exploit to obtain system-level administrator rights. Third is CVE-2026-50507, a security feature bypass flaw allowing a physical attacker to circumvent Windows BitLocker drive encryption. Core Windows Kernel Flaws (CVSS 9.8) Several exploitable core operating system bugs were fixed that could’ve let hackers infiltrate systems without using any passwords, including CVE-2026-45657. It is a use-after-free condition (a memory glitch involving a program accessing data from a deleted slot) that basically lets attackers use specialised network traffic to hack x64 and ARM64 devices/systems running Windows 11 and Windows Server 2022/2025. Web and Network Stack Issues (CVSS 9.8) CVE-2026-47291 impacts HTTP.sys, which handles incoming web traffic on Windows PCs. It is an integer overflow bug (where the system receives a number too large to store, causing a crash). By sending a malformed network packet (a corrupted data package), hackers can execute code on Windows 10, 11, and Windows Server (2012-2025) systems using large traffic limits. Identity Control and Server Automation (CVSS 9.8) Identity and network configuration systems face major threats this month, especially CVE-2026-41089, which is a stack-based buffer overflow issue (memory overload that releases data outside its boundaries) found within Windows domain controllers. This flaw gives hackers full control over corporate identity networks. Another bug, tracked as CVE-2026-44815, causes a memory overflow in which the system processes malicious traffic sent to its automatic internet setup service to target enterprise networks running Windows 10. Healthcare Software Threats (CVSS 9.8) Hospitals face a direct threat from CVE-2026-26142, a deserialization bug where an application incorrectly decodes raw data and runs hidden commands. It lets network attackers execute code inside medical dictation tools like PowerScribe 360 and PowerScribe One. Mobile Authentication Exploits (CVSS 9.6) Smartphones are also a target for data theft with CVE-2026-41615, as it leaks sign-in access tokens on Android and iOS, because of which attackers can send fake requests to steal work credentials if a user taps approve. Remote Work Risks (CVSS 8.8) For remote employees, CVE-2026-47289 and CVE-2026-42985 present memory corruption threats as these bugs trigger when a workstation connects to a rogue server that forces a malformed security certificate onto the client machine. Server Deployment Gaps (CVSS 8.1) Corporate server setup tools are at risk from CVE-2026-42987. It is a memory bug impacting the OS installation utility on Windows Server 2012-2025. Hackers can exploit a timing race condition (beating a computer’s processing speed to alter its behavior) via malicious TFTP traffic to hijack the server. File Explorer and Desktop Preview Flaws (CVSS 7.8) Desktops can be compromised from everyday file viewing because of CVE-2026-44812 and CVE-2026-44803. These allow attackers to run code if a user previews or opens an infected file in Windows File Explorer or Android Office apps. What to Do Autonomous patch management experts at Action1 shared a detailed analysis of Microsoft’s Patch Tuesday with Hackread.com, complete with crucial tips for administrators to stay safe, which is available here. It is important to install these updates right away; administrators should patch identity controllers, remote tools, and internet-facing servers first to protect enterprise networks and devices. Experts’ comments: Security experts from Action1 shared their perspectives with Hackread.com, outlining the critical nature of this month’s release: “Microsoft’s June Patch Tuesday is one of the largest in recent memory, addressing 198 vulnerabilities, including 32 critical flaws and three actively exploited zero-days. The unusually high volume reflects a broader shift in vulnerability research, as AI-assisted analysis and initiatives like Mythos enable researchers to identify security flaws faster than ever,” said Jack Bicer, Director of Vulnerability Research at Action1 “With three zero-days already being exploited in the wild, this month’s updates should be treated as a priority, and IT teams should move quickly to assess their exposure and deploy patches across affected systems,” Jack advised. On the high-priority network risk targeting web infrastructure (CVE-2026-49160), Mike Walters, President and Co-Founder of Action1, explained that “An uncontrolled resource consumption vulnerability in HTTP.sys could allow an unauthenticated attacker to cause a denial of service over the network. The issue affects HTTP/2 handling and can impact system availability without requiring privileges or user interaction.” While the vulnerability does not expose data or allow code execution, it can disrupt services that depend on affected Windows systems. This patch should be prioritized because exploitation is rated more likely, the vulnerability is network-accessible, and no authentication is required,” Mike added. On the privilege elevation threat (CVE-2026-45586), Alex Vovk, CEO and Co-Founder of Action1, stated that, “This elevation of privilege vulnerability in Windows Collaborative Translation Framework, also known as CTFMON, could allow a local authenticated attacker to gain SYSTEM privileges. The issue is caused by improper link resolution before file access, also known as link following. A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time.” Deeba Ahmed Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage. View Posts 0dayCybersecurityMicrosoftPatch TuesdayVulnerabilityWindows Leave a Reply Cancel reply View Comments (0) Related Posts Security 17-year-old finds screen lock bypass vulnerability in Signal app for iOS The encrypted messaging app Signal is Edward Snowden’s favorite app. Leonardo Porpora (pseudonym n0sign4l), a 17-year-old high school student… byWaqas Malware Phishing Scam Security Windows finger command abused to download MineBridge backdoor A new phishing campaign has been identified which uses the Windows Finger command to download a malware variant called MineBridge. byHabiba Rashid Security Hacking News Watch Security Researcher As She Hacks ATM by Drilling a Hole ATMs (automated teller machines) have remained a preferred target of hackers around the world. Last year, ATMs in… byWaqas Apple News iPhone Security Technology Researchers Find Technique to Bypass iPhone Lockscreen Researchers at MDSec, an IT security firm, have identified a method that allows thieves and hackers to by

Indicators of Compromise

• cve — CVE-2026-49160
• cve — CVE-2026-45586
• cve — CVE-2026-50507
• cve — CVE-2026-45657
• cve — CVE-2026-47291
• cve — CVE-2026-41089
• cve — CVE-2026-44815
• cve — CVE-2026-26142
• cve — CVE-2026-41615
• cve — CVE-2026-47289
• cve — CVE-2026-42985
• cve — CVE-2026-42987

Entities