Microsoft Patch Tuesday Analysis – June 2026

Executive Summary

On Tuesday, June 09, 2026, Microsoft released its monthly security patch, addressing 204 vulnerabilities across its products.

By severity level:

• Critical - 38;
• Important - 166.

Exploited (Zero-Days) and Publicly Disclosed Vulnerabilities

Special attention should be paid to the following 3 vulnerabilities. Fixing them is the highest priority:

• CVE-2026-45586 (CVSS 7.8; Important) - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability (Elevation of Privilege). An "incorrect link resolution before file access" vulnerability (CWE-59) in the Windows Collaborative Translation Framework (CTFMON). A local authenticated attacker with low privileges can exploit this issue to manipulate CTF service file operations. By creating symbolic links or NTFS junctions in user-controlled directories, an attacker can redirect file write or delete requests from a highly privileged process to protected system resources, allowing privilege escalation in the system to the SYSTEM level.
• CVE-2026-49160 (CVSS 7.5; Important) - HTTP.sys Denial of Service Vulnerability (Denial of Service). An uncontrolled resource consumption vulnerability (CWE-400) in the HTTP/2 (and HTTP/3) support implementation handled by the HTTP.sys driver. A remote unauthenticated attacker can cause a Denial of Service (DoS) condition on the web server by sending specially crafted network requests with an abnormally large number of headers. To address the vulnerability and provide preemptive protection, Microsoft introduced a new security update that includes the MaxHeadersCount registry parameter (detailed in KB5102602) to strictly limit the number of headers in requests.
• CVE-2026-50507 (CVSS 6.8; Important) - Windows BitLocker Security Feature Bypass Vulnerability (Security Feature Bypass). The vulnerability relates to the lack of authentication for a critical function (CWE-306) in the Windows BitLocker protection mechanism. An attacker with physical access to the target device can exploit this flaw to bypass BitLocker Device Encryption and gain unauthorized access to encrypted sensitive data on the system drive.

General Trends

The June 2026 Patch Tuesday will go down in history as one of the largest and heaviest releases in recent years. Microsoft issued patches for 204 vulnerabilities, of which 38 have a "Critical" status. Such a volume of updates indicates a massive security audit of the OS and cloud platform codebases. Key trends for June:

• Record volume and criticality: Crossing the 200-vulnerability mark makes this month an extreme test for patch management processes in any organization. The presence of nearly 40 critical vulnerabilities (mostly RCE) means that attack vectors are broader than ever.
• Threat of public disclosure: Although no active "in the wild" exploitation has been recorded at the time of the patch release, 3 vulnerabilities were disclosed publicly at once. This gives hackers a huge head start. Of particular concern is HTTP.sys (DoS), as public knowledge of attack methods on the built-in Windows web server threatens massive infrastructure outages. The disclosure of the BitLocker bypass endangers data on corporate laptops if they are lost.
• Network perimeter under massive strike: June has been a catastrophic month for network services. Critical RCE vulnerabilities (CVSS 9.8) were patched in DHCP Client and HTTP.sys, along with a scattering of RCEs in Remote Desktop Client (RDP) and RRAS. Vulnerabilities in such foundational protocols carry the risk of "worms" (self-propagating malware) capable of infecting machines without user interaction.
• Cloud platforms on the edge: This month, a vulnerability with the highest possible rating of CVSS 10.0 in Azure HorizonDB was closed, as well as critical RCEs in Azure Kubernetes Service (AKS) and Azure Stack Edge. This confirms that Microsoft's cloud infrastructure is undergoing deep reverse engineering by researchers and malicious actors.
• Unceasing stream of EoP and Office vulnerabilities: Traditionally, over 70 patches close local Elevation of Privilege (EoP) loopholes (the publicly disclosed vulnerability in CTFMON stands out). Concurrently, Microsoft is patching dozens of RCEs in Microsoft Office, Word, and Exchange, maintaining a high threat level from phishing campaigns.

Full List of Vulnerabilities

Below is a table with all the vulnerabilities patched this month.

Retrospective Vulnerability Analysis

• CVE-2026-24294 — Windows SMB Server Elevation of Privilege Vulnerability (Elevation of Privilege). This vulnerability is a logical bypass of the patches for CVE-2025-33073 and allows a local attacker to escalate their privileges to the SYSTEM level. Researcher Guillaume André demonstrated that using a new Windows feature (selecting an arbitrary TCP port for SMB connections) allows forcing a privileged service (e.g., LSASS) to authenticate to a controlled local port. This enables an NTLM reflection attack, forwarding the authentication token back to the system's legitimate SMB server. The vulnerability was patched in March 2026.

• CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability (Remote Code Execution). The vulnerability is a stack-based buffer overflow in the Netlogon service. An unauthenticated attacker can remotely send a specially crafted CLDAP request (UDP port 389) to the domain controller with an excessively long username. Due to incorrect handling of Unicode string sizes in the NetpLogonPutUnicodeString function, an out-of-bounds write occurs in the allocated stack buffer. This leads to the crash of the LSASS process and a forced reboot of the domain controller (Denial of Service), and potentially allows for arbitrary code execution. A PoC is available for this vulnerability. It was patched in May 2026.

• CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability (Remote Code Execution). The vulnerability is a heap-based buffer overflow in the Windows DNS client that occurs when processing malformed DNS responses. The error happens in the dnsapi.dll library (in the DnsRawTruncateMessageForUdp() function) when parsing the structure of an incoming packet received via the DnsQueryRaw() interface. An attacker can cause a crash or execute arbitrary code without authentication by sending a specially crafted response (e.g., containing zero QDCOUNT queries and a large OPT record). A client-side PoC is available to verify the vulnerability, which triggers a process crash if unpatched. It was patched in May 2026.

• CVE-2026-40369 — Windows Kernel Elevation of Privilege Vulnerability (Elevation of Privilege). An "untrusted pointer dereference" vulnerability (CWE-822) in the NtQuerySystemInformation system call (class 253), arising from improper handling of a zero-length buffer. A local attacker can use this flaw to gain an additive 12-byte write primitive in kernel space. With this primitive, it is possible to temporarily disable the Feature_RestrictKernelAddressLeaks mitigation to leak kernel object addresses (KASLR-bypass), and then modify the process token state to escalate privileges to the SYSTEM level. A public PoC is available on GitHub. It was patched in May 2026.

Conclusion

The June 2026 update is an event that requires declaring a state of high alert for IT and InfoSec departments. The massive number of patches, 38 of which are critical, demands the fastest possible deployment, as the window of opportunity for attackers is incredibly wide right now.

Patching priority for June:

1. Neutralize publicly disclosed threats: First and foremost, you must close the vulnerabilities the whole world already knows about. Apply patches to web servers to protect HTTP.sys from Denial of Service attacks (CVE-2026-49160), update workstations to close the CTFMON flaw (CVE-2026-45586), and prevent the BitLocker bypass (CVE-2026-50507).
2. Protect network communications (RCE): Critical vulnerabilities in DHCP Client, HTTP.sys (which also has an RCE this month), RDP Client, and Exchange require immediate response. These components are network-facing, and their exploitation will lead to instant system compromise.
3. Cloud and databases: Owners of hybrid and cloud infrastructures must ensure patches are applied for Azure HorizonDB (CVSS 10.0) and AKS.
4. Endpoints: Given the abundance of RCEs in Microsoft Office, user workstations must be updated in the shortest possible time to prevent breaches via malicious attachments.

Special attention to the retrospective: The Retrospective Vulnerability Analysis section notes the emergence of public and easily accessible exploits (PoCs) for critical May vulnerabilities: Windows Netlogon, Windows DNS Client, and Windows Kernel. If your infrastructure was not updated last month, it is currently absolutely defenseless against automated hacking scripts that are already lying on GitHub. Eliminating the technical debt from May, combined with installing the June patches, is a matter of survival for the corporate network.