Stay ahead of critical vulnerabilities with our breakdown of this month's Microsoft security patches.
Release Date: Tuesday, June 9, 2026
Release Time: 10:00 AM PST / 1:00 PM EST / 6:00 PM UTC
Status: Released
Last Updated: June 9, 2026
Microsoft has released its June 2026 Patch Tuesday security updates, addressing an unprecedented 200 vulnerabilities across Windows, Office, Azure, and enterprise products. This is the largest single release of 2026 and includes 3 publicly disclosed zero-day vulnerabilities, 33 critical-severity flaws (28 of which are remote code execution), and a staggering 55 additional RCE vulnerabilities requiring immediate attention.
This release arrives with only 17 days remaining until the absolute Secure Boot certificate expiration deadline on June 26, 2026. Organizations face emergency deployment conditions on the most critical Patch Tuesday of the year.
CRITICAL ALERT:
IMMEDIATE ACTIONS REQUIRED:
With 200 vulnerabilities requiring remediation and Secure Boot lifecycle transition beginning June 25, organizations should prioritize comprehensive patching before the end of June 2026.
June 2026 Patch Tuesday addresses 200 unique CVEs, representing the largest monthly security release in 2026. To understand the scale:
The 200-vulnerability release exceeds the typical monthly average and demands aggressive deployment prioritization. Organizations cannot afford to patch all 200 vulnerabilities with equal attention (time constraints do not permit this). Critical triage is mandatory.
Note: The 200 CVE count excludes:
The 33 critical-severity vulnerabilities represent 16.5% of the total release (higher concentration than typical months). Breaking down the critical flaws:
The overwhelming concentration on RCE vulnerabilities means attackers can achieve code execution with elevated privileges on vulnerable systems across Windows, Office, SharePoint, Azure, and network infrastructure.
Microsoft categorized all 200 CVEs as follows:
The balanced distribution means organizations cannot focus narrowly on a single vulnerability type. Comprehensive deployment of all June patches is required to achieve complete remediation.
CVSS Score: 7.1 (High)
Impact: Elevation from standard user to SYSTEM privileges
Status: Publicly disclosed but not exploited in the wild
Affected Component: Windows Collaborative Translation Framework (CTFMON)
Technical Details:
This vulnerability exists in the Windows Collaborative Translation Framework (CTFMON.exe), a legitimate Windows process responsible for managing input method editors and text services. The vulnerability stems from improper link resolution before file access, allowing an authorized attacker to perform privilege escalation through a symbolic link attack.
Attack Scenario:
Remediation Priority: Important (standard priority despite SYSTEM-level access potential)
CVSS Score: 7.5 (High)
Impact: Server resource exhaustion and denial of service
Status: Publicly disclosed, actively researched but not widely exploited
Affected Component: Windows HTTP.sys (HTTP/2 protocol handling)
Technical Details:
This is the remediation for the "HTTP/2 Bomb" denial of service attack disclosed this month by researchers at Calif. The vulnerability exploits how HTTP/2 compresses and manages web traffic headers, allowing attackers to send minimal data that forces servers to allocate disproportionately large memory amounts.
The attack manipulates HTTP/2 flow-control settings to prevent servers from freeing allocated memory, causing performance degradation or complete outages.
Attack Mechanism:
Mitigation Available:
Microsoft introduced a new registry setting "MaxHeadersCount" to limit the number of headers in HTTP/2 requests. Support article KB5102602 provides detailed configuration guidance.
Remediation Priority: Important (deploy June patches plus implement MaxHeadersCount registry setting)
CVSS Score: 6.4 (Medium)
Impact: Local attacker gains access to BitLocker-encrypted drives
Status: Publicly disclosed but exploitation requires physical access
Affected Component: Windows BitLocker (drives encrypted with TPM-only protection)
Technical Details:
This is Microsoft's patch for the "YellowKey" vulnerability publicly disclosed by security researcher Nightmare Eclipse last month. The vulnerability allows local attackers with physical access to an encrypted drive to bypass BitLocker protection.
The attack exploits Windows Recovery Environment (WinRE) by placing specially crafted files on USB drives or EFI partitions. When users boot into WinRE, holding the CTRL key triggers a command shell with unrestricted access to BitLocker-encrypted drives.
Attack Prerequisites:
Affected Configurations:
Systems using BitLocker with TPM-only protection are vulnerable. Systems with TPM + PIN protection are not affected by this specific vulnerability.
Previously Available Mitigations:
Microsoft provided temporary mitigations including:
June Patch Resolution:
The June patch fixes the underlying vulnerability, eliminating the need for temporary mitigations.
Remediation Priority: Important (particularly for systems with confidential data and limited physical security)
Critical RCE in Remote Desktop Client:
Plus 3 Additional Important-Severity RCE:
Technical Impact:
Remote Desktop Client (mstsc.exe) processes data received from RDP servers. All 10 vulnerabilities stem from insufficient validation of server-provided data, allowing attackers controlling malicious RDP servers to execute arbitrary code on client systems.
Attack Scenario:
Risk Level:
These vulnerabilities represent significant risk because:
Deployment Priority: CRITICAL (deploy Remote Desktop Client updates before other patches)
Critical RCE in Microsoft Office:
Plus 9 Additional Important-Severity Office RCE:
Technical Impact:
Microsoft Office vulnerabilities allow attackers to achieve code execution through specially crafted documents. Most concerning: Excel and Word vulnerabilities can be exploited through the Preview Pane without users explicitly opening files.
Attack Scenario:
Deployment Priority: CRITICAL (Office RCE vulnerabilities create broad enterprise risk)
CVE-2026-44812: Windows Win32K GRFX Remote Code Execution (Critical) CVE-2026-44803: Windows Win32K GRFX Remote Code Execution (Critical)
Technical Impact:
Graphics component vulnerabilities in Windows kernel can be exploited through:
Deployment Priority: CRITICAL (graphics vulnerabilities can be exploited through web browsers and content applications)
Windows Deployment Services (WDS):
Windows DHCP Client:
Active Directory Domain Services:
Azure Kubernetes Service:
Azure Network MANA Driver:
Microsoft Cryptographic Services:
HTTP.sys and Hyper-V:
Windows Kerberos KDC:
Windows Media:
June 9 (Release Day):
June 10:
Aggressive Phased Deployment Strategy:
Wave 1 (Days 1-2): Critical RCE Patches
Wave 2 (Days 3-4): Productivity Applications
Wave 3 (Days 5-7): Server and Infrastructure
Activities:
Secure Boot Certificate Validation: After deploying June patches, verify that the new 2023 Secure Boot certificates have been imported:
# Check if the new Key Exchange Key (KEK) 2023 certificate exists
$kek = Get-SecureBootUEFI KEK
$kekString = [System.Text.Encoding]::ASCII.GetString($kek.bytes)
if ($kekString -match 'Microsoft Corporation KEK 2K CA 2023') {
Write-Host "KEK 2023 certificate successfully imported"
} else {
Write-Host "KEK 2023 certificate NOT found - requires OEM firmware update or manual installation"
}
# Check if the new DB (database) signature 2023 certificate exists
$db = Get-SecureBootUEFI db
$dbString = [System.Text.Encoding]::ASCII.GetString($db.bytes)
if ($dbString -match 'Windows UEFI CA 2023') {
Write-Host "DB 2023 certificate successfully imported"
} else {
Write-Host "DB 2023 certificate NOT found - may require additional updates"
}
Expected result: Both 2023 certificates should be present after successful deployment.
June patches likely include critical Secure Boot dbx (database for revoked signatures) updates. These updates revoke signatures of known-vulnerable boot components but pose deployment risk:
Boot Failure Scenarios:
Mitigation Strategy:
Organizations in critical infrastructure and healthcare face extraordinary pressure:
Organizations in these sectors should:
Windows Operating Systems:
Productivity and Enterprise:
Development Tools:
Cloud and Infrastructure:
Network and Communications:
Specialized Products:
Google released multiple Chrome updates addressing 360 vulnerabilities, including critical security fixes. Microsoft Edge will receive equivalent Chromium-based fixes within 3-7 days. Organizations should coordinate Chrome/Edge updates with Windows patching.
All major vendors released coordinated security updates. Coordinate with Microsoft patches for comprehensive security coverage.
June 9, 2026 Patch Tuesday marks the largest single security release of the year with 200 vulnerabilities requiring attention. Organizations should prioritize deployment systematically while understanding the actual risks and timelines involved.
What Requires Immediate Action:
What Does NOT Require Panic:
Realistic Deployment Goals:
The emphasis should be on systematic, accelerated deployment of the 200 June patches, not panic-driven emergency response. The scale of vulnerabilities warrants urgent action. The Secure Boot certificate lifecycle warrants planning. But neither creates a catastrophic June 26 failure scenario.
For automated patch deployment and comprehensive endpoint management, explore Zecurit Endpoint Manager with integrated patch management, vulnerability scanning, and compliance reporting.
Deployment must begin immediately. Every hour of delay increases organizational risk.
Below is a detailed list of the security patches and CVEs released in this month's Patch. This information is fetched directly from the Microsoft Security Response Center (MSRC) to help you stay protected with the latest patches.
Patch Tuesday is the second Tuesday of each month when Microsoft releases its regular updates for Windows operating systems and other Microsoft products. These updates typically include security patches, bug fixes, and sometimes feature improvements.
Patch Tuesday is crucial for maintaining the security and stability of systems. The updates often address vulnerabilities that could be exploited by attackers, and keeping systems up to date helps protect against these risks.
Microsoft releases Patch Tuesday updates on their website and through Windows Update. For detailed patch notes, you can refer to Microsoft's Security Update Guide or subscribe to update notifications from your device or trusted sources like security blogs.
Yes, you can manually download and install updates through Windows Update, or directly from the Microsoft Update Catalog website, which offers patches for individual downloads.
It’s highly recommended to install all security updates to ensure your system remains protected from known vulnerabilities. However, non-security updates or feature updates might be optional based on your needs.
If you miss a Patch Tuesday update, it’s important to install the updates as soon as possible to avoid potential security risks. Microsoft allows you to download and install any missed updates through Windows Update.
For businesses or IT administrators, you can use Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), or third-party patch management tools to schedule, approve, and distribute updates across multiple systems.
Not all updates are critical. Patch Tuesday updates include a range of fixes, from critical security patches to optional non-security updates. It’s important to assess which updates are most relevant to your environment.
Failing to apply updates can leave your system vulnerable to exploits and attacks. Many of the updates address critical security flaws that cybercriminals may target, so staying updated is vital for system security.
