Microsoft’s June 2026 Patch Tuesday updates fix roughly 200 vulnerabilities discovered in the company’s products.
None of the flaws addressed this month appears to have been exploited in the wild, but three issues were publicly disclosed before Microsoft patched them.
One of them is CVE-2026-49160, described as a denial-of-service (DoS) issue affecting Windows. This vulnerability is related to HTTP2/Bomb, an attack technique that could affect hundreds of thousands of websites, and which can be used to knock web servers offline in seconds.
Another disclosed vulnerability is CVE-2026-50507, a Windows BitLocker security bypass that can allow an attacker with physical access to the targeted system to access encrypted data.
The security hole may be related to YellowKey, one of the several exploits released by a researcher known online as Chaotic Eclipse and Nightmare Eclipse, who began leaking PoC code after a disagreement with Microsoft. Several of the exploits leaked by the researcher have been exploited in the wild.
The third publicly disclosed vulnerability patched by Microsoft this month is CVE-2026-45586, a Windows Collaborative Translation Framework bug that can be exploited to elevate privileges to System. An anonymous researcher has been credited, and the flaw may be related to the GreenPlasma exploit leaked by Chaotic Eclipse.
All three publicly disclosed issues have been assigned an ‘exploitation more likely’ exploitability assessment by Microsoft.
Nearly 40 of the approximately 200 security holes addressed this month have a ‘critical’ severity rating. They affect Windows, Azure, Office, Outlook, Exchange, and AI tools, and their exploitation can lead to remote code execution, privilege escalation, and information disclosure.
This was Microsoft’s biggest Patch Tuesday to date, which is not surprising, given that the updates came shortly after the company reported significant success in finding vulnerabilities using AI.
In addition to the vulnerabilities that are specific to Microsoft products, the tech giant published advisories for 360 issues affecting third-party components used by its software.
Adobe’s latest Patch Tuesday updates fix more than 120 vulnerabilities.
*updated to add that CVE-2026-45586 may be related to GreenPlasma and that this was a record Patch Tuesday round for Microsoft
Related: Microsoft Tries to Calm Legal Threat Fears After Zero-Day Disclosure Backlash
Related: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk
Related: Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days
