June 2026 Patch Tuesday Briefing
Release date: June 9, 2026 · Generated from the MSRC Security Update Guide by patch-tuesday-mcp
The month at a glance
The June 2026 security update spans 1,281 entries in Microsoft’s CVRF document (including Chromium/Edge and open-source components Microsoft redistributes). Of those:
- 89 Critical and 292 Important severity
- 4 publicly disclosed before the release (zero-days by disclosure, none observed exploited)
- 1 on the CISA KEV catalog: the Chromium V8 out-of-bounds flaw CVE-2026-11645, federal remediation due June 23, 2026 — update Edge/Chrome first if you do nothing else
- Impact mix: Elevation of Privilege (74) leads, followed by Remote Code Execution (56) and Information Disclosure (33)
What to patch first
- Edge / Chromium — CVE-2026-11645 (V8 out-of-bounds memory access) is the only entry on the CISA KEV catalog this month, meaning exploitation is confirmed in the wild. Browser updates are cheap; ship them today.
- The HTTP.sys pair on Windows / Windows Server — CVE-2026-47291 is a CVSS 9.8 Critical unauthenticated RCE in the HTTP protocol stack (EPSS 22%), and its sibling CVE-2026-49160 is a publicly disclosed DoS with an unusually high 48% EPSS score. Anything serving HTTP through http.sys (IIS, WinRM, WSUS, and plenty of third-party services) is in scope. Both are fixed by the June cumulative updates (KB5094122–KB5094128 family).
- Windows Kernel RCE — CVE-2026-45657, CVSS 9.8 Critical with 15% EPSS, fixed in the same cumulatives.
- DHCP Client RCE — CVE-2026-44815, CVSS 9.8 Critical; a malicious DHCP server on any network a laptop joins is the attack scenario.
- Active Directory Domain Services RCE — CVE-2026-45648 (Critical, 8.8) — domain controllers deserve an early maintenance window this month.
The remaining publicly disclosed items — BitLocker bypass CVE-2026-50507, Defender EoP CVE-2026-50656, and CTFMON EoP CVE-2026-45586 — are Important-severity local issues: patch on the normal cycle, but assume proof-of-concept code circulates.
Top 25 by urgency
Ranked KEV/exploited first, then EPSS exploitation probability, severity, and CVSS.
| CVE | Title | Impact | Sev | CVSS | EPSS | Why prioritized |
|---|---|---|---|---|---|---|
| CVE-2026-11645 | Chromium: V8 out-of-bounds memory access | — | — | — | 2% | On CISA KEV (due 2026-06-23) |
| CVE-2026-49160 | HTTP.sys Denial of Service | DoS | Important | 7.5 | 48% | Publicly disclosed; highest EPSS |
| CVE-2026-47291 | HTTP.sys Remote Code Execution | RCE | Critical | 9.8 | 22% | Unauthenticated network RCE |
| CVE-2026-45657 | Windows Kernel RCE | RCE | Critical | 9.8 | 15% | Critical kernel RCE |
| CVE-2026-49975 | Apache mod_http2 DoS | DoS | Important | 7.5 | 11% | High EPSS |
| CVE-2026-42824 | M365 Copilot Information Disclosure | Info | Critical | 6.5 | 8% | Critical severity |
| CVE-2026-42980 | NT OS Kernel Elevation of Privilege | EoP | Important | 7.8 | 6% | Kernel EoP |
| CVE-2026-50507 | BitLocker Security Feature Bypass | SFB | Important | 6.8 | 5% | Publicly disclosed |
| CVE-2026-42055 | NGINX proxy_v2/grpc module flaw | — | Important | 8.1 | 3% | High CVSS |
| CVE-2026-50656 | Microsoft Defender EoP | EoP | Important | 7.8 | 3% | Publicly disclosed |
| CVE-2026-45586 | CTFMON Elevation of Privilege | EoP | Important | 7.8 | 3% | Publicly disclosed |
| CVE-2026-45447 | PKCS7_verify() heap use-after-free | — | Important | 8.8 | 3% | High CVSS |
| CVE-2026-45591 | ASP.NET Core Denial of Service | DoS | Important | 7.5 | 2% | Framework-wide |
| CVE-2026-42989 | Winlogon Elevation of Privilege | EoP | Important | 7.8 | 2% | — |
| CVE-2026-42905 | Windows DWM Core Library EoP | EoP | Important | 7.8 | 2% | — |
| CVE-2026-42986 | Microsoft Graphics Component EoP | EoP | Important | 7.8 | 2% | — |
| CVE-2026-45484 | SharePoint Elevation of Privilege | EoP | Important | 8.8 | 2% | High CVSS |
| CVE-2026-26142 | Nuance PowerScribe RCE | RCE | Critical | 9.8 | 2% | Critical severity |
| CVE-2026-45454 | SharePoint Remote Code Execution | RCE | Important | 6.5 | 2% | — |
| CVE-2026-11526 | Perl GD command injection | — | Moderate | 4.2 | 1% | — |
| CVE-2026-42835 | Teams for Android Info Disclosure | Info | Important | 8.1 | 1% | — |
| CVE-2026-6893 | Dracut DHCP options command injection | — | Important | 8.8 | 1% | — |
| CVE-2026-45648 | Active Directory Domain Services RCE | RCE | Critical | 8.8 | 1% | Domain controllers |
| CVE-2026-44815 | DHCP Client Service RCE | RCE | Critical | 9.8 | 1% | Critical severity |
| CVE-2026-48573 | Secure Boot Security Feature Bypass | SFB | Important | 7.9 | 1% | — |
Reproduce this briefing
This page is the output of one tool call against the free, keyless MSRC API:
msrc_search(month="2026-Jun", include_stats=True, format="markdown")
Run it from any MCP client via patch-tuesday-mcp
(uvx patch-tuesday-mcp), or try the hosted endpoint
with no install at all.
Data sources: MSRC CVRF v3 API · FIRST.org EPSS · CISA KEV catalog. EPSS scores are point-in-time as of 2026-07-11.