Microsoft ships record 200-plus June patches, including three zero-days

Microsoft's June 2026 Patch Tuesday is the largest on record, fixing more than 200 vulnerabilities (independent counts put the total above 206), including three publicly disclosed zero-days that are not yet being exploited. The standout is CVE-2026-45586, a Windows CTFMON elevation-of-privilege flaw that grants SYSTEM access, which matches the GreenPlasma bug a researcher dropped in protest of Microsoft's bug-bounty handling; a BitLocker bypass called YellowKey was also fixed. The update includes 33 critical flaws, most of them remote code execution, hitting Remote Desktop, Hyper-V, Office, and cryptographic services. Microsoft flagged 15 issues as more likely to be exploited soon.

Check
Inventory Windows endpoints and servers against the June 2026 update level, and prioritize systems exposed to Remote Desktop, Hyper-V hosts, and anything processing untrusted Office documents.
Affected
Windows, Office, Remote Desktop Client, Hyper-V, Secure Boot, BitLocker, and Exchange. Three publicly disclosed zero-days (CVE-2026-45586, CVE-2026-50507, CVE-2026-49160) and 33 critical flaws, mostly remote code execution.
Fix
Test and deploy the June 2026 security updates promptly, prioritizing the publicly disclosed zero-days and critical RCE flaws. Where patching lags, restrict RDP exposure and segment Hyper-V hosts.
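
The Check and Fix steps above can be run as a triage pass over an exported asset inventory. The sketch below is an added example, not part of the original article or any Microsoft tooling. The CSV column names, host names, and exposure weights are assumptions, and it treats any security update installed on or after June 2026's Patch Tuesday (the second Tuesday of the month) as the June update.

```python
import csv
import io
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Return the second Tuesday of the month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE = """host,last_security_update,rdp_exposed,hyperv_host,opens_untrusted_office
ws-014,2026-06-10,no,no,yes
rds-gw1,2026-05-13,yes,no,no
hv-node3,2026-05-13,no,yes,no
fileserv2,2026-04-15,no,no,no
hv-jump1,2026-05-13,yes,yes,no
"""

# Assumed weights: the article names these three exposure classes but
# does not rank them. Adjust to your own environment.
WEIGHTS = {"rdp_exposed": 3, "hyperv_host": 2, "opens_untrusted_office": 1}

# Interim measures the article gives for hosts where patching lags.
INTERIM = {"rdp_exposed": "restrict RDP exposure",
           "hyperv_host": "segment Hyper-V host"}

def triage(inventory_csv, baseline):
    """List hosts below the baseline update level, most exposed first."""
    behind = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if date.fromisoformat(row["last_security_update"]) >= baseline:
            continue  # already at or past the June update level
        flags = [k for k in WEIGHTS if row[k].strip().lower() == "yes"]
        score = sum(WEIGHTS[k] for k in flags)
        interim = [INTERIM[k] for k in flags if k in INTERIM]
        behind.append((score, row["host"], interim))
    # Highest exposure first; host name breaks ties for stable output.
    return sorted(behind, key=lambda item: (-item[0], item[1]))

if __name__ == "__main__":
    baseline = patch_tuesday(2026, 6)
    for score, host, interim in triage(SAMPLE, baseline):
        note = "; ".join(interim) or "patch in normal cycle"
        print(f"{host:10} score={score} interim: {note}")
```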