June 2026 Patch Tuesday: A Record 206 Updates, Three Disclosed Zero-Days
June 2026 Patch Tuesday at a Glance
This June 2026 Patch Tuesday roundup was first published at Computerworld on 12 June 2026 - “For June, Patch Tuesday means an IT scramble”. The version below mirrors that piece, lightly tuned for the Readiness house voice and re-linked to the underlying MSRC and KB sources.
Microsoft this week released 206 updates affecting Windows, Office, Exchange Server, and its developer tools, with no updates for SQL Server. May’s zero-day-free run ends quietly rather than loudly: three vulnerabilities arrive publicly disclosed this patch cycle — an elevation of privilege in the Collaborative Translation Framework (CVE-2026-45586), a denial of service in HTTP.sys (CVE-2026-49160), and a BitLocker security feature bypass (CVE-2026-50507) — though none were under active exploitation at publication. All three are rated “Exploitation More Likely,” and all three are Windows.
Even without an exploited zero-day, the June 2026 Patch Tuesday release earns Patch Now recommendations for Windows, Office, and Exchange. Exchange Server returns after a month away with a consolidated security update that Microsoft recommends installing “as soon as possible.” The Readiness team suggests that testing start with domain controllers, Hyper-V hosts, anything self-hosting on HTTP.sys, and Outlook-heavy desktops — in that order. To help navigate this month’s changes, the Readiness team has provided a helpful infographic detailing the risks of deploying the updates to each platform.
Known Issues
This June release note from Microsoft flags known issues against three updates:
- KB5094128 — BitLocker recovery prompt on first restart (Windows Server 2022). The PCR7 condition we have tracked since April is still live on the platforms that did not receive May’s Boot Manager servicing fix. Devices with BitLocker enabled on the OS drive, the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 included, and System Information reporting Secure Boot State PCR7 Binding as “Not Possible” may prompt for the recovery key on the first restart after installing this update.
- KB5094127 — Windows 10 21H2/22H2. The release note carries a known-issue flag here too, and Windows 10 sits in the same boat as Server 2022: it has not received the Boot Manager servicing improvement that closed the BitLocker/PCR7 recovery condition on Windows 11, so the same Group Policy configuration remains the trigger to check before deployment.
- KB5094125/KB5094128 — WSUS synchronisation error details suppressed (Windows Server 2025 and 2022). WSUS no longer displays synchronisation error details in its error reporting. This is deliberate: the functionality was “temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.” Microsoft offers no workaround.
One continuing advisory from May also remains in effect: Windows Update can still replace manually installed graphics drivers with older OEM versions from the Windows Update catalogue.
Major Revisions and Mitigations
Unlike last month’s quiet window, this June patch cycle delivered two genuine revisions and a cluster of out-of-band fixes that require customer action:
- Microsoft Teams Spoofing (CVE-2026-32185) — revised to version 3.0 on 21 May. Microsoft announced the availability of the security update for Teams for Android; customers running affected versions should install the update. The desktop and iOS fixes shipped earlier; if your mobile fleet runs Android, this is the action item.
- Microsoft Defender out-of-band cluster (19–21 May) — a Critical remote code execution flaw (CVE-2026-45584) plus an elevation of privilege (CVE-2026-41091) and a denial of service (CVE-2026-45498).
- SharePoint RCE (CVE-2026-45659) — a separate out-of-band SharePoint fix published 21 May. SharePoint administrators had three distinct security notices in a fortnight. The Readiness team recommends that these clustered but separate patches be deployed as a single unit.
Interestingly (for the patch dudes out there), there were two omissions from May’s Patch Tuesday release list:
- SharePoint Server RCE (CVE-2026-47294) — published 29 May with the note that it “was addressed by updates that were released in May 2026, but the CVE was inadvertently omitted from the May 2026 Security Updates.”
- Windows DWM Core Library Information Disclosure (CVE-2026-48566) — also fixed in May, also left off the May list.
That makes two months running (May’s Windows Admin Center CVE had the same history): the Patch Tuesday list is never final. The June release itself also carried a substantive revision worth calling out:
- Remote Desktop cluster re-issued for Windows 11 26H1 — five RDP/RDS CVEs from 2024–2025, including two Critical RCEs (CVE-2024-49123, CVE-2024-49132) and the RDP Server RCE (CVE-2024-43582). If you are piloting 26H1, the June cumulative is what closes these older CVEs on that platform.
Windows Lifecycle and Enforcement Updates
Given the month SharePoint just had — three security notices in a fortnight, including a CVE omitted from the May list — SharePoint 2016/2019 estates are taking some of the cycle’s most active patching on a platform with one update left. If migration is not already in progress, July’s final update is the deadline. Here are the other key dates to keep in mind:
- The 2011 KEK CA expires this month (24 June 2026), and the UEFI CA for third-party boot loaders follows on 27 June 2026, with the Windows Production PCA for the boot manager behind them on 19 October 2026. Devices that have not taken the Windows UEFI CA 2023 key updates under CVE-2023-24932 lose the ability to receive updated boot components once the certificates lapse. This is a big deal.
- 14 July 2026 end of support — one Patch Tuesday away. SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, and SQL Server 2014 ESU Year 2 all reach end of support on 14 July (InfoPath 2013, SharePoint Designer 2013, and Visual Studio 2022 17.12 LTSC go with them).
- Kerberos RC4 hardening (CVE-2026-20833) moves from default-hardening to its enforcement phase in July 2026. Accounts still depending on RC4 service tickets have weeks, not months.
- The graphics-driver targeting change (four-part to two-part Hardware IDs) pilots to September 2026, with broader enforcement planned for Q4 2026 to Q1 2027; until then, Windows Update can still downgrade manually installed display drivers.
Microsoft’s June 2026 Patch Tuesday is a security-only release with a clear feature focus: the Remote Desktop client. The Remote Desktop ActiveX control (mstscax.dll) is the most-patched component this cycle with five separate updates, and it carries the month’s single High Risk flag, on printer redirection. The secondary theme is Windows authentication, with three updates to the NTLM security package. Every Windows binary this month reports no functional changes, so the work is pure regression validation. Lower-risk patches reach DHCP, telephony, Hyper-V, UDF and Projected File System storage, and the graphics stack.
Remote Desktop Client
The Remote Desktop client (mstscax.dll) draws the most fixes this month, and the High Risk flag lands specifically on printer redirection — the path that maps a client’s local printers into a remote session. A regression here typically shows as missing redirected printers, failed print jobs, or a hang on connect or reconnect. The wider Remote Desktop stack is also updated, including RemoteApp and clipboard redirection (rdpclip.exe, RdpCoreTS.dll) and Remote Desktop Licensing (lserver.dll), so validate connection, session, and licensing together.
A passing run is a remote session that connects, redirects printers, prints, and survives a reconnect with no crashes or missing devices.
- Connect with Remote Desktop Connection (mstsc.exe) to a test host, enable printer redirection in Local Resources, and confirm redirected printers appear in the session
- Print a test page from an app in the session to a redirected printer; repeat with two or more client printers installed
- Disconnect and reconnect the session, then confirm the redirected printers are still present and usable
- Repeat the printer test in both a full desktop session and a RemoteApp session where used
- Exercise general remote access: connect through a Remote Desktop Gateway, use VMConnect to reach a VM, and verify clipboard and device redirection
- On a Remote Desktop Licensing server, confirm clients connect with licensing enabled, across Per User and Per Device modes
Windows Authentication (NTLM)
Three updates touch the NTLM security support provider (msv1_0.dll), the module behind network authentication when Kerberos is not used. Authentication changes are regression-sensitive: the failure modes are logon failures, broken file-share or RDP access, and application sign-in problems. Validate across domain-joined and workgroup machines.
- Sign in to domain-joined and standalone machines with domain, local, and cached credentials after a reboot
- Access SMB file shares by host name and IP, including paths that fall back to NTLM, and confirm authenticated reads and writes
- Authenticate to a Remote Desktop host and to line-of-business applications that rely on integrated Windows authentication
- Watch the Security event log for new logon-failure or audit anomalies during the test window
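The last check in the list above is easier to judge against a pre-patch baseline, because failed logons occur on any busy network. The following added example (not from the original article or from Microsoft) parses Security-log event XML and reports the 4625 failure signatures that are new or spiking in the test window; the function names, the `spike_factor` threshold and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: both inputs are Security-log exports in Windows event XML wrapped
# in one root element (the shape `wevtutil qe Security /f:xml /e:Events` emits).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Fields of event 4625 that together describe how a logon failed.
FIELDS = ("AuthenticationPackageName", "LogonType", "Status", "SubStatus")


def failure_signatures(events_xml):
    """Count 4625 (failed logon) events per (package, logon type, status, substatus)."""
    counts = Counter()
    for ev in ET.fromstring(events_xml).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue  # successful logons and other audit events are ignored
        data = {d.get("Name"): (d.text or "").strip().lower()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        counts[tuple(data.get(f, "?") for f in FIELDS)] += 1
    return counts


def regressions(baseline_xml, test_xml, spike_factor=3):
    """Return {signature: (before, after)} for failure modes that are new in the
    test window or at least spike_factor times as frequent as in the baseline."""
    before = failure_signatures(baseline_xml)
    after = failure_signatures(test_xml)
    return {sig: (before[sig], n) for sig, n in after.items()
            if before[sig] == 0 or n >= spike_factor * before[sig]}


def make_event(event_id, package, logon_type, status, substatus):
    """Build one constructed event in the Windows event XML schema."""
    values = zip(FIELDS, (package, logon_type, status, substatus))
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in values)
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


# Constructed sample data, not taken from a real log.
WRONG_PW = ("NTLM", "3", "0xC000006D", "0xC000006A")        # network logon, wrong password
NO_LOGON_SRV = ("NTLM", "3", "0xC000005E", "0x0")           # network logon, no logon server
RDP_WRONG_PW = ("Negotiate", "10", "0xC000006D", "0xC000006A")  # RemoteInteractive logon

BASELINE = "<Events>" + "".join(
    [make_event(4625, *WRONG_PW)] * 2
    + [make_event(4625, *RDP_WRONG_PW)]
    + [make_event(4624, "NTLM", "3", "", "")]
) + "</Events>"
TEST_WINDOW = "<Events>" + "".join(
    [make_event(4625, *WRONG_PW)]
    + [make_event(4625, *NO_LOGON_SRV)] * 3
    + [make_event(4625, *RDP_WRONG_PW)] * 4
) + "</Events>"

if __name__ == "__main__":
    for sig, (b, a) in sorted(regressions(BASELINE, TEST_WINDOW).items()):
        print(dict(zip(FIELDS, sig)), f"baseline={b} test={a}")
```

Ordinary wrong-password noise that was already present before patching drops out of the result, which leaves only the failure modes worth investigating as possible regressions.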
Other Windows Components
The remaining updates carry no functional changes, so cover them with routine regression by area.
- Networking: exercise DHCP lease, renewal, and release on IPv4 and IPv6 (dhcpcore), sustained socket traffic over the WinSock driver (afd.sys, two updates), HTTP.sys request handling under IIS, and TAPI telephony integrations (tapisrv.dll)
- Virtualisation: boot Generation 1 and Generation 2 VMs, including nested virtualisation, to cover the Hyper-V hypervisor (hvix64/hvax64), and connect a VM through an external virtual switch (toggling NIC RSS) to cover vmswitch.sys
- Storage and filesystems: read and write UDF-formatted media (udfs.sys), exercise the Projected File System minifilter (prjflt.sys), and validate cloud files hydration and Work Folders sync (cldflt.sys, workfolders.exe), including a ReFS volume with BitLocker enabled
- Graphics and shell: run GPU-accelerated and 2D rendering workloads to cover Direct2D (d2d1.dll), GDI+ (gdiplus.dll), the Desktop Window Manager (dwmcore.dll), the Windows Imaging Component (windowscodecs.dll), and UI Automation (UiaManager.dll); watch for artefacts and accessibility regressions
- Notifications and input: open apps that raise toast and push notifications (wpnapps.dll, wpncore.dll) and verify Text Services Framework input across keyboard layouts and IMEs (msctf.dll)
Microsoft Office & SharePoint
June’s Office updates are MSI editions only, released on the 9 June security wave: Excel 2016 (KB5002877), Word 2016 (KB5002879), Office 2016 shared components (KB5002878, KB5002852, and the rich-edit control KB5002578), and Office Online Server 2019 (KB5002875). The shared Office 2016 component updates also apply to the SharePoint Server 2016, 2019, and Subscription Edition baselines. No Critical non-security client release ships this cycle, and Click-to-Run estates are unaffected.
- Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity
- Edit Word documents with embedded objects, tracked changes, and rich formatting that exercises the rich-edit control
- On the SharePoint Server baselines (2016, 2019, Subscription Edition) and Office Online Server, validate document library operations, co-authoring, and browser-based viewing and editing
- Confirm Office add-ins and line-of-business integrations continue to operate
Developer Tools & Databases
June updates the .NET SDK across the 8.0, 9.0, and 10.0 servicing lines (8.0.422, 9.0.315, 10.0.301), and ships SQL Server GDR security updates spanning SQL Server 2016 SP3 through SQL Server 2025, in both RTM+GDR and cumulative-update+GDR branches.
- After installing the .NET SDK update, build and run representative applications and confirm existing projects compile and execute normally
- For SQL Server, install the GDR update onto the matching baseline or cumulative-update branch, then restart the service and run standard transactions
- Verify a backup and restore, confirm Always On availability groups stay healthy, and test patch install and removal on each servicing branch in use
The Readiness team suggests that this month’s testing lead with Remote Desktop. The client is both the most-patched component and the sole High Risk item, so give it a focused regression pass centred on printer redirection, then broaden to general connectivity, RemoteApp, clipboard and device redirection, gateway access, and licensing. The NTLM authentication updates are the second priority: validate domain and standalone logon, file-share access, and application sign-in. Everything else is a no-functional-change security update, so cover networking, Hyper-V, storage, and graphics with routine regression. Office is MSI-only, with Click-to-Run untouched, and the .NET and SQL Server updates round out the developer and database estate.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Browsers
For this Patch Tuesday, Microsoft released the stable version of Edge (149.0.4022.52) on 4 June, per the Edge security release notes. Nothing ships for Internet Explorer, which remains retired. This cycle is unusually lopsided, with just one Edge-engineered CVE against a very large Chromium upstream flow:
- CVE-2026-47644 - Copilot Chat (Microsoft Edge) - Information disclosure (CVSS 6.5, rated critical). For the second month running, Copilot Chat in Edge supplies the headline browser issue (May’s was CVE-2026-33111); Microsoft addresses the Copilot service component, with the browser update completing the fix.
- Chromium upstream - 407 CVEs relayed through MSRC this cycle, spanning the weekly Chrome release cadence since the May report: use-after-free, out-of-bounds read/write, type confusion, and policy bypass across V8, Blink, PDFium, WebRTC, ANGLE, and DevTools. The same fixes ship in the Chrome Stable channel; see the Chrome releases blog for the upstream notes.
The Chromium volume looks alarming but is routine plumbing — it flows to Edge through its own auto-update channel. Add these updates to your standard release schedule for Edge-managed environments, and confirm the auto-update channel is active for everything else.
Microsoft Windows
Microsoft addressed 119 vulnerabilities across Windows this month, 22 rated critical and 97 important — nearly double May’s Windows count. Elevation of privilege again dominates by volume (49 entries), followed by remote code execution (28), information disclosure (16), security feature bypass (15), denial of service (6), and a handful of spoofing and tampering entries. All three of June’s publicly disclosed zero-days land here, each flagged “Exploitation More Likely” though none exploited at publication:
- CVE-2026-45586 - Collaborative Translation Framework (CTFMON) - Elevation of privilege (CVSS 7.8, publicly disclosed).
- CVE-2026-49160 - HTTP.sys - Denial of service (CVSS 7.5, publicly disclosed).
- CVE-2026-50507 - BitLocker - Security feature bypass (CVSS 6.8, publicly disclosed) — BitLocker’s third entry this month, keeping it on the radar alongside the PCR7 known issue.
At the feature level, the critical-rated risk concentrates in nine areas:
- Remote Desktop Client — the largest single cluster: 11 CVEs, 7 rated critical, led by CVE-2026-47289 and CVE-2026-42985 (both CVSS 8.8, the latter “Exploitation More Likely”).
- Windows Kernel — CVE-2026-45657, remote code execution at CVSS 9.8, the joint-highest Windows score this cycle.
- HTTP.sys — CVE-2026-47291, unauthenticated remote code execution (CVSS 9.8, “Exploitation More Likely”) in the kernel-mode web server underpinning IIS, WinRM, and anything self-hosting on http.sys — paired with the disclosed DoS above.
- DHCP Client — CVE-2026-44815, remote code execution at CVSS 9.8.
- Active Directory Domain Services — CVE-2026-45648, remote code execution (CVSS 8.8) on the directory itself, with the Kerberos KDC adding a separate critical RCE (CVE-2026-47288).
- Hyper-V — three critical RCEs (CVE-2026-45607, CVE-2026-45641, CVE-2026-47652, up to CVSS 8.4) — guest-to-host risk on virtualisation hosts.
- Windows Graphics Component — two critical RCEs (CVE-2026-44803, CVE-2026-44812, CVSS 7.8), both “Exploitation More Likely,” both reachable through Office rendering paths.
- Windows Deployment Services — CVE-2026-42987, remote code execution (CVSS 8.1).
- Cryptographic Services and Device Health Attestation — critical elevation-of-privilege entries (CVE-2026-44810, CVSS 8.4; CVE-2026-33828, CVSS 7.8) in trust-anchor components.
Given the publicly disclosed vulnerabilities this month, the Readiness team recommends that deployment teams add this Windows update to their Patch Now deployment schedule.
Microsoft Office
Microsoft addressed 53 Office CVEs this month - 10 critical, 43 important. Remote code execution again leads (24 entries), but the surprise is spoofing at 20 entries, almost all of it SharePoint: SharePoint Server appears in 30 of the 53 CVEs this cycle. The rest split across information disclosure (6), elevation of privilege (2), and a security feature bypass.
- Microsoft has addressed seven critical remote code execution entries, each CVSS 8.4, each with the Preview Pane confirmed as an attack vector: CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 against Outlook and Word, plus CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474 against Office broadly.
Add the June Office updates to your Patch Now deployment schedule, prioritising Outlook-heavy desktops and SharePoint farms.
Microsoft Exchange and SQL Server
The pattern inverts from May’s release: SQL Server receives nothing (no patches at all) this month, while Exchange Server — absent in May — returns with a consolidated security update carrying seven CVEs for on-premises builds (Exchange Server 2016 CU23 and Exchange Server 2019), plus one cloud-side critical:
- CVE-2026-45504 - Exchange Server - Elevation of privilege (CVSS 8.8). The headline on-premises entry.
- CVE-2026-45503 and CVE-2026-47631 - Exchange Server - Information disclosure and spoofing, each CVSS 8.1.
- CVE-2026-45583 - Exchange Server - Remote code execution (CVSS 7.5), with three further spoofing/information-disclosure entries (CVE-2026-45500, CVE-2026-45501, CVE-2026-45502) rounding out the set.
- CVE-2026-48579 - Exchange Online - Information disclosure (CVSS 9.1, rated critical) — addressed service-side, no customer action.
Microsoft also revised the May Exchange spoofing entry (CVE-2026-42897) to point at this same June security update, with the recommendation to install “as soon as possible.” Add the June Exchange SU to your Patch Now schedule.
Developer Tools
Microsoft addressed 10 CVEs across its developer tooling this month, all rated important — though the top score outranks most of this cycle’s criticals, and the concentration in Visual Studio Code (seven of ten entries) continues last month’s pattern:
- Visual Studio Code - seven entries led by CVE-2026-47281, an elevation of privilege at CVSS 9.6 — the highest developer-tools score in months. Behind it: CVE-2026-45482, a security feature bypass in the GitHub Copilot Chat extension (CVSS 8.4); CVE-2026-47292, remote code execution in the MSSQL extension (CVSS 7.8); a second elevation of privilege (CVE-2026-40376, CVSS 7.5); and security-feature-bypass, tampering, and information-disclosure entries (CVE-2026-48569, CVE-2026-47287, CVE-2026-47284).
- Microsoft .NET on Windows has three entries: CVE-2026-45490, a .NET SDK elevation of privilege (CVSS 7.8) across .NET 8.0, 9.0, and 10.0; CVE-2026-45591, an ASP.NET Core denial of service (CVSS 7.5); and CVE-2026-45491, a .NET tampering issue (CVSS 6.2).
Add these Microsoft updates to your standard developer update release schedule.
Adobe (and 3rd Party Updates)
Adobe released APSB26-63 for Acrobat and Reader this cycle, fixing critical code-execution flaws; Adobe reports no exploitation in the wild. Add it to your standard third-party schedule.
Next month may see the retirement of this Adobe-related section, replaced with the third-party updates Microsoft publishes for Patch Tuesday.