June 2026 Patch Tuesday Briefing

Release date: June 9, 2026 · Generated from the MSRC Security Update Guide by patch-tuesday-mcp

The month at a glance

The June 2026 security update spans 1,281 entries in Microsoft’s CVRF document (including Chromium/Edge and open-source components Microsoft redistributes). Of those:

What to patch first

  1. Edge / ChromiumCVE-2026-11645 (V8 out-of-bounds memory access) is the only entry on the CISA KEV catalog this month, meaning exploitation is confirmed in the wild. Browser updates are cheap; ship them today.
  2. The HTTP.sys pair on Windows / Windows ServerCVE-2026-47291 is a CVSS 9.8 Critical unauthenticated RCE in the HTTP protocol stack (EPSS 22%), and its sibling CVE-2026-49160 is a publicly disclosed DoS with an unusually high 48% EPSS score. Anything serving HTTP through http.sys (IIS, WinRM, WSUS, and plenty of third-party services) is in scope. Both are fixed by the June cumulative updates (KB5094122–KB5094128 family).
  3. Windows Kernel RCECVE-2026-45657, CVSS 9.8 Critical with 15% EPSS, fixed in the same cumulatives.
  4. DHCP Client RCECVE-2026-44815, CVSS 9.8 Critical; a malicious DHCP server on any network a laptop joins is the attack scenario.
  5. Active Directory Domain Services RCECVE-2026-45648 (Critical, 8.8) — domain controllers deserve an early maintenance window this month.

The remaining publicly disclosed items — BitLocker bypass CVE-2026-50507, Defender EoP CVE-2026-50656, and CTFMON EoP CVE-2026-45586 — are Important-severity local issues: patch on the normal cycle, but assume proof-of-concept code circulates.

Top 25 by urgency

Ranked KEV/exploited first, then EPSS exploitation probability, severity, and CVSS.

CVE Title Impact Sev CVSS EPSS Why prioritized
CVE-2026-11645 Chromium: V8 out-of-bounds memory access 2% On CISA KEV (due 2026-06-23)
CVE-2026-49160 HTTP.sys Denial of Service DoS Important 7.5 48% Publicly disclosed; highest EPSS
CVE-2026-47291 HTTP.sys Remote Code Execution RCE Critical 9.8 22% Unauthenticated network RCE
CVE-2026-45657 Windows Kernel RCE RCE Critical 9.8 15% Critical kernel RCE
CVE-2026-49975 Apache mod_http2 DoS DoS Important 7.5 11% High EPSS
CVE-2026-42824 M365 Copilot Information Disclosure Info Critical 6.5 8% Critical severity
CVE-2026-42980 NT OS Kernel Elevation of Privilege EoP Important 7.8 6% Kernel EoP
CVE-2026-50507 BitLocker Security Feature Bypass SFB Important 6.8 5% Publicly disclosed
CVE-2026-42055 NGINX proxy_v2/grpc module flaw Important 8.1 3% High CVSS
CVE-2026-50656 Microsoft Defender EoP EoP Important 7.8 3% Publicly disclosed
CVE-2026-45586 CTFMON Elevation of Privilege EoP Important 7.8 3% Publicly disclosed
CVE-2026-45447 PKCS7_verify() heap use-after-free Important 8.8 3% High CVSS
CVE-2026-45591 ASP.NET Core Denial of Service DoS Important 7.5 2% Framework-wide
CVE-2026-42989 Winlogon Elevation of Privilege EoP Important 7.8 2%
CVE-2026-42905 Windows DWM Core Library EoP EoP Important 7.8 2%
CVE-2026-42986 Microsoft Graphics Component EoP EoP Important 7.8 2%
CVE-2026-45484 SharePoint Elevation of Privilege EoP Important 8.8 2% High CVSS
CVE-2026-26142 Nuance PowerScribe RCE RCE Critical 9.8 2% Critical severity
CVE-2026-45454 SharePoint Remote Code Execution RCE Important 6.5 2%
CVE-2026-11526 Perl GD command injection Moderate 4.2 1%
CVE-2026-42835 Teams for Android Info Disclosure Info Important 8.1 1%
CVE-2026-6893 Dracut DHCP options command injection Important 8.8 1%
CVE-2026-45648 Active Directory Domain Services RCE RCE Critical 8.8 1% Domain controllers
CVE-2026-44815 DHCP Client Service RCE RCE Critical 9.8 1% Critical severity
CVE-2026-48573 Secure Boot Security Feature Bypass SFB Important 7.9 1%

Reproduce this briefing

This page is the output of one tool call against the free, keyless MSRC API:

msrc_search(month="2026-Jun", include_stats=True, format="markdown")

Run it from any MCP client via patch-tuesday-mcp (uvx patch-tuesday-mcp), or try the hosted endpoint with no install at all.

Data sources: MSRC CVRF v3 API · FIRST.org EPSS · CISA KEV catalog. EPSS scores are point-in-time as of 2026-07-11.