Microsoft patches a file 206 flaws—and one is already being exploited

Yesterday, on Patch Tuesday for June, Microsoft launched safety updates to deal with 206 vulnerabilities. It is a new file, breaking the earlier file of 175 in October 2025. Along with Home windows and Workplace, each Trade Server and Microsoft’s cloud providers are additionally affected. One of many vulnerabilities is already being exploited within the wild. Microsoft classifies a complete of 38 vulnerabilities as crucial, whereas the rest are all designated as excessive danger.

The subsequent Patch Tuesday is scheduled for July 14th, 2026.

Home windows safety vulnerabilities

A lot of the vulnerabilities—118 this time round—are unfold throughout the varied Home windows variations (10, 11, Server) for which Microsoft nonetheless formally offers safety updates.

Home windows Defender underneath fireplace

The one safety vulnerability on this large replace bundle that’s actively being exploited within the wild is the Elevation of Privilege (EoP) vulnerability CVE-2026-41091 in Microsoft Defender. With it, an attacker can achieve system privileges—and with Microsoft thanking numerous people for reporting this vulnerability, it means that these assaults could also be fairly widespread already.

Microsoft has changed the susceptible Malware Safety Engine through the day by day automated Defender updates. The patched engine has a model variety of at the very least 1.1.26040.8.

To test whether or not your PC already has this engine model in Home windows 11, go to Settings → Privateness & safety → Home windows Safety → [Open Windows Security] → Settings → About. In Home windows 10, begin by going to Settings → Replace & Safety → [Open Windows Security] after which observe the identical steps as for Home windows 11.

Safe Boot vulnerabilities

June is a vital month for Home windows as a result of it’s the month when previous Safe Boot certificates expire, which entails all types of non-trivial replace work. Microsoft can also be addressing 10 safety vulnerabilities within the Safety Characteristic Bypass (SFB) class, which have been found and reported by unbiased researchers. Anybody capable of exploit one among these might load malicious code as quickly because the system begins up, earlier than the suitable safety measures can catch it.

Crucial Home windows vulnerabilities

Among the many 118 vulnerabilities in Home windows mounted this month, 19 are Distant Code Execution (RCE) vulnerabilities labeled as crucial. CVE-2026-47288 within the Home windows kernel is very problematic, as an attacker can remotely execute injected code with system privileges with out authentication.

There’s additionally CVE-2026-47291 within the HTTP service (http.sys), the place an attacker can inject and execute code without having to authenticate. Nonetheless, if a default worth for MaxRequestBytes is about within the Home windows registry, the system is just not susceptible. Microsoft describes the way to obtain this if essential within the safety bulletin for this vulnerability, together with a PowerShell script. The Denial of Service (DoS) vulnerability CVE-2026-49160 in http.sys was already publicly recognized beforehand.

There’s additionally CVE-2026-44815 within the DHCP Shopper service, which runs on all PCs, making it a lovely goal for any attacker. Right here, too, an attacker can inject and execute code with out having to authenticate.

There’s additionally CVE-2026-45585 and CVE-2026-50507, which goal the “YellowKey” and “GreenPlasma” safety flaws in BitLocker, which have been disclosed by infamous safety researcher Nightmare Eclipse. Microsoft patched the previous in Could, however up to date the related bulletin in June.

Microsoft Workplace vulnerabilities

Microsoft has mounted 54 vulnerabilities in its Workplace merchandise, twice as many as in Could. These embody 25 RCE vulnerabilities, 9 of that are labeled as crucial. In these circumstances, the preview pane itself is an assault vector—a consumer doesn’t want to truly open a malicious file in Workplace to allow a profitable assault. The remaining RCE vulnerabilities will be exploited if a consumer opens a malicious file in a susceptible Workplace product.

Microsoft Hyper-V sandbox escapes

Exploitation of the crucial RCE vulnerabilities CVE-2026-45607, CVE-2026-45641, and CVE-2026-47652 might permit malicious code to flee from a visitor system and execute code on the host system.

Microsoft Trade Server MITM assaults

Microsoft has mounted eight vulnerabilities in Trade Server. These embody CVE-2026-45583, an RCE vulnerability that may solely be exploited in a MITM (man-in-the-middle) situation.

Solely the information leak CVE-2026-48579 in Trade On-line is assessed as crucial, and Microsoft has already patched it. An attacker might exploit CVE-2026-48579 by tricking an Trade administrator into opening a malicious hyperlink, which might permit them to execute code inside the administrator’s internet session utilizing the administrator’s privileges.

Microsoft Edge zero-day vulnerability

The newest safety replace to Edge 149.0.4022.62 is dated June ninth and is predicated on Chromium 149.0.7827.103. It additionally addresses 74 Chromium vulnerabilities, which aren’t included within the whole variety of vulnerabilities talked about above, nor are the over 400 Chromium vulnerabilities from the earlier week. A zero-day vulnerability within the Chromium base (CVE-2026-11645) can also be addressed.

Tip: Whether or not you retain your Home windows updated, you want correct antivirus protections if you’d like your PC to stay safe and personal. Try our picks for the very best antivirus software program for Home windows in addition to finest VPN providers to remain forward of safety issues.