Microsoft ships record 200-plus June patches, including three zero-days
Microsoft's June 2026 Patch Tuesday is the largest on record, fixing more than 200 vulnerabilities (independent counts put the total above 206), including three publicly disclosed zero-days that are not yet being exploited. The standout is CVE-2026-45586, a Windows CTFMON elevation-of-privilege flaw that grants SYSTEM access, which matches the GreenPlasma bug a researcher dropped in protest of Microsoft's bug-bounty handling; a BitLocker bypass called YellowKey was also fixed. The update includes 33 critical flaws, most of them remote code execution, hitting Remote Desktop, Hyper-V, Office, and cryptographic services. Microsoft flagged 15 issues as more likely to be exploited soon.
- Check: Inventory Windows endpoints and servers against the June 2026 update level, and prioritize systems exposed to Remote Desktop, Hyper-V hosts, and anything processing untrusted Office documents.
- Affected: Windows, Office, Remote Desktop Client, Hyper-V, Secure Boot, BitLocker, and Exchange. Three publicly disclosed zero-days (CVE-2026-45586, CVE-2026-50507, CVE-2026-49160) and 33 critical flaws, mostly remote code execution.
- Fix: Test and deploy the June 2026 security updates promptly, prioritizing the publicly disclosed zero-days and critical RCE flaws. Where patching lags, restrict RDP exposure and segment Hyper-V hosts.