Microsoft June 2026 Patch Tuesday Fixes 200 Security Vulnerabilities
Microsoft has released its June 2026 Patch Tuesday updates, addressing 200 security vulnerabilities, including three publicly disclosed zero-day flaws and 33 critical vulnerabilities.
Although none of the zero-days are currently known to have been exploited in active attacks, organisations are strongly encouraged to apply the latest updates as soon as possible to reduce their exposure.
Key Highlights
This month's security updates include:
- 200 vulnerabilities fixed
- 33 Critical vulnerabilities
- 55 Remote Code Execution (RCE) flaws
- 65 Elevation of Privilege vulnerabilities
- 30 Information Disclosure vulnerabilities
- 27 Spoofing vulnerabilities
- 19 Security Feature Bypass vulnerabilities
- 7 Denial of Service vulnerabilities
Remote code execution and privilege escalation vulnerabilities continue to represent some of the highest risks, potentially allowing attackers to execute malicious code or gain elevated permissions on affected systems.
Three Publicly Disclosed Zero-Day Vulnerabilities
Windows CTFMON Privilege Escalation
Microsoft has patched a vulnerability within the Windows Collaborative Translation Framework that could allow an attacker with local access to escalate privileges to SYSTEM level, providing complete control over the affected machine.
HTTP/2 Denial of Service ("HTTP/2 Bomb")
A newly disclosed HTTP/2 denial-of-service vulnerability could enable attackers to consume excessive server memory using specially crafted requests, potentially leading to service disruption or outages.
To help mitigate this risk, Microsoft has introduced a new configuration option allowing administrators to limit the number of accepted HTTP headers.
BitLocker Security Feature Bypass
Microsoft has also resolved a BitLocker bypass vulnerability affecting systems configured with TPM-only protection. An attacker with physical access could potentially access encrypted drives through the Windows Recovery Environment.
Organisations relying solely on TPM protection should review their BitLocker configuration and consider enabling TPM + PIN authentication for additional protection.
What This Means for Organisations
While no active exploitation has been reported for these zero-day vulnerabilities, publicly disclosed flaws often become attractive targets once technical details are available.
Security teams should prioritise:
- Deploying the latest Microsoft security updates
- Reviewing internet-facing Windows servers
- Verifying BitLocker configurations on laptops and servers
- Monitoring for unusual privilege escalation activity
- Testing business-critical systems after patch deployment
Other Major Security Updates
Alongside Microsoft's releases, several major technology vendors also published important security updates this month, including Adobe, Cisco, Fortinet, Google, SAP, Veeam, Ivanti, Check Point and Ubiquiti.
The volume of patches released across the industry highlights the importance of maintaining an effective vulnerability management programme and ensuring critical systems are updated without delay.
CybaVerse Perspective
Patch management remains one of the most effective ways to reduce cyber risk, yet many organisations struggle with visibility across their estate and understanding which vulnerabilities require immediate attention.
Platforms like CybaOps help security teams cut through the noise by providing centralised asset visibility, vulnerability prioritisation and actionable remediation guidance, enabling organisations to move from reactive patching to proactive risk management.
With attackers continuing to exploit newly disclosed vulnerabilities at speed, maintaining a disciplined patching process is essential for reducing the likelihood of compromise.
If you would like to view the full report for June 2026, click here.