Microsoft Patch Tuesday June 2026: 211 Fixes & Critical Risks

Patch Tuesday June 2026: What you need to know now

June’s Patch Tuesday is not defined by a single wormable vulnerability or one headline grabbing Remote Code Execution flaw, this month is massive because of scale, breadth, and the way vulnerabilities align with modern enterprise attack chain.

Quick Stats

 211 Fixes in Total (Largest ever)

 Critical: 37 (Largest ever)

 Important: 170 (Largest ever)

This release spans Windows, Office, SharePoint, Exchange, Remote Desktop, Hyper-V, Active Directory Domain Services, Defender, BitLocker, Visual Studio Code, Copilot, SQL Server, Azure services, and core operating system components.  The pattern is clear, attackers are not simply searching for one critical vulnerability anymore, they are increasingly assembling reliable attack chains across trusted enterprise platforms. We have been discussing this trend for a while now.

Attack Chains Are Being Assembled, Not Just Exploited

One of the clearest themes this month is how many vulnerabilities support different stages of realistic enterprise attack chains. Modern attackers rarely rely on a single vulnerability anymore.  Instead, they combine multiple weaknesses together:

Initial access | Privilege escalation | Security feature bypass | Identity expansion | Lateral movement | Operational disruption

This month includes 54 Remote Code Execution vulnerabilities and 66 Elevation of Privilege vulnerabilities.  That combination matters because Remote Code Execution vulnerabilities often provide the entry point, while Elevation of Privilege vulnerabilities frequently provide the next step attackers need to increase control, bypass restrictions, and move deeper into the environment.

Urgent Risk: HTTP.sys

CVE-2026-47291, a HTTP.sys Remote Code Execution vulnerability, is one of the most important vulnerabilities this month.  It is rated Critical & has a CVSS score of 9.8 and “Exploitation More Likely”. That combination deserves urgent prioritization because it represents exactly the type of vulnerability defenders should never treat as theoretical. Network reachable, high severity, and more likely to be exploited is precisely the pattern that should move rapidly through enterprise remediation processes.

HTTP.sys vulnerabilities are particularly important because they sit close to core Windows networking functionality. Successful exploitation can provide attackers with highly valuable initial access opportunities across exposed systems, in fact you are using HTTP.sys to listen to this video or read my article.

Active Exploitation: Microsoft Defender

CVE-2026-41091 is especially important because it is marked as Exploitation Detected, Weaponized, and Publicly Aware. This is a Microsoft Defender Elevation of Privilege vulnerability.  That makes it strategically significant because security tooling itself forms part of the trusted enterprise defense layer.  When attackers target defensive components, the risk is not only compromise, it is erosion of confidence in the control’s organizations rely on during incident response.  This should be treated as one of the highest priority vulnerabilities this month.

Privilege Escalation Remains the Real Enabler

With 66 Elevation of Privilege vulnerabilities, this release strongly reinforces a trend we have seen across multiple Patch Tuesday cycles. Privilege escalation is not always the headline, but it is frequently what transforms initial access into full enterprise compromise. Several “Exploitation More Likely” vulnerabilities affect deeply trusted Windows components including:

• Windows DWM Core Library
• NT OS Kernel
• Microsoft Graphics Component
• Winlogon
• Windows Collaborative Translation Framework
• Windows Installer
• Function Discovery Services

These are deeply integrated Windows components. Successful exploitation may allow attackers to transition from limited access into privileged system contexts while blending into legitimate operating system behavior. Detection becomes significantly harder when malicious activity resembles trusted system activity.

Windows 10 Exposure Matters More Than Ever

Although organizations continue accelerating Windows 11 adoption, this release is also highly relevant for enterprises still operating large Windows 10 estates. Microsoft continues providing security fixes for Windows 10 21H2 and 22H2, and many of this month’s vulnerabilities affect shared Windows components used across both operating systems. This matters operationally because many enterprises are currently managing mixed Windows 10 and Windows 11 environments during transition periods. These mixed estates often introduce uneven remediation timelines, inconsistent security baselines, and increased operational complexity. Attackers understand this extremely well.

Trusted Platforms Continue to Be Targeted

This release again shows that attackers are increasingly focusing on platforms organizations already trust, notable affected areas include:

• Microsoft SharePoint Server
• Microsoft Exchange Server
• Remote Desktop Client
• Microsoft Office, Word, Excel, and Outlook
• Visual Studio Code
• GitHub Copilot and Visual Studio Code
• Microsoft Copilot
• Active Directory Domain Services
• Hyper-V
• SQL Server

Trusted platforms inherit trust automatically, that is exactly why attackers continue to target them. Compromising these systems can provide access to data, identity, workflows, collaboration, development environments, and administrative operations. Office, SharePoint, and Exchange continue appearing heavily throughout this release.  This matters because these platforms sit directly within enterprise communication, document handling, collaboration, and operational workflows. SharePoint alone appears repeatedly within the release, including spoofing, information disclosure, and Remote Code Execution vulnerabilities.  Exchange also appears multiple times, including important information disclosure and RCE vulnerabilities.

BitLocker appears in several Security Feature Bypass vulnerabilities, including vulnerabilities marked Publicly Aware and Exploitation More Likely. Security Feature Bypass vulnerabilities are sometimes under prioritized because they do not always appear as dramatic as Remote Code Execution vulnerabilities. With more sophisticated attack chains, bypassing security controls can be the difference between a blocked attack and successful compromise.

For CISOs, the question is no longer only: “Can this vulnerability execute code?” BUT “Does this vulnerability weaken a security control I rely on during an attack?”

AI & developer tooling are rapidly becoming operational infrastructure.  They increasingly interact with enterprise data, source code, cloud services, user identities, and automation workflows. Even where individual vulnerabilities are not the highest severity, the strategic trend remains extremely important. The enterprise attack surface continues expanding beyond the traditional endpoint into AI, automation, collaboration, and development ecosystems.

How You Become the Hero This Month

The organizations that stand out will not simply be the ones that patch everything the fastest. They will be the organizations that understand which vulnerabilities create the most realistic enterprise attack paths.

Focus on your unique Patch Risk Profile:

Fast track CVE-2026-47291 because HTTP.sys RCE is Critical, CVSS 9.8, and Exploitation More Likely

Treat CVE-2026-41091 as urgent because exploitation has been detected and it affects Microsoft Defender

Prioritize vulnerabilities marked Exploitation More Likely

Treat Elevation of Privilege vulnerabilities as attack chain enablers

Prioritize Office, SharePoint, Exchange, Remote Desktop, Active Directory, and Hyper-V based if you have higher exposure

Do not ignore Security Feature Bypass vulnerabilities, especially where controls such as BitLocker are involved

Prioritize mixed Windows 10 and Windows 11 environments carefully during transition periods

Evaluate attack chain potential, not just individual CVSS scores

Prioritize resilience alongside prevention. Recovery speed really matters!

Absolute enables organizations to rapidly restore compromised endpoints at scale using firmware embedded persistence and automated rehydration capabilities helping to reduce downtime and operational strain during major incidents.

Patch smart. Build resilience. Happy patching.

See the June 2026 Patch Tuesday Chart (PDF).

Kind Regards

Rob

Patch Tuesday June 2026 FAQs

What is the biggest risk in June 2026 Patch Tuesday?

The biggest risk is the combination of Remote Code Execution and Elevation of Privilege vulnerabilities, which allow attackers to build full attack chains rather than exploit single flaws.

Which CVEs should be prioritized first?

CVE-2026-47291 (HTTP.sys RCE, CVSS 9.8) and CVE-2026-41091 (Microsoft Defender, active exploitation) should be remediated immediately.

Why is privilege escalation so important this month?

Privilege escalation vulnerabilities enable attackers to move from initial access to full control of enterprise systems, making them critical enablers of modern attacks.

How should enterprises prioritize patching?

Focus on exploitation likelihood, attack chain potential, business exposure, and critical systems such as Active Directory, Exchange, and Remote Desktop.

‍