
June 2026 Patch Tuesday: 198 CVEs, Microsoft's largest ever

The Windows logo key on a computer keyboard
Photo: Ruben Boekeloo · Pexels

The June 9, 2026 Patch Tuesday was the largest since Microsoft started the program: 198 CVEs in a single batch, 32 of them rated critical and the remaining 166 important. Nothing landed as moderate or low. If you run fleets of Windows machines, this is the month to book a generous maintenance window.

The breakdown by type puts elevation of privilege out front at 31.8% of the flaws, followed by remote code execution at 27.3%. The rest splits across information disclosure, denial of service, spoofing and security feature bypass. Affected components range from the Windows kernel, Hyper-V, the Remote Desktop Client, HTTP.sys, Kerberos, DHCP and BitLocker to Active Directory, several Azure services, Office, Exchange, Teams and Visual Studio Code, plus more than 60 additional Windows components.

The kernel RCE

The flaw that matters most for exposed machines is CVE-2026-45657, a remote code execution bug in the Windows kernel rated CVSS 9.8. It lets an unauthenticated remote attacker run code at SYSTEM level, the highest privilege on the box. That is the combination nobody wants to see: no credentials, no user interaction and full system control if it succeeds. Any machine that takes traffic from untrusted networks should go to the top of the list.

The three zero-days

Three vulnerabilities shipped with the zero-day label, all rated by Microsoft as “Exploitation More Likely”.

CVE-2026-45586 is an elevation of privilege bug in the Windows Collaborative Translation Framework, CVSS 7.8. It affects the CTFMON process, which handles voice and handwriting recognition, and grants SYSTEM privileges when exploited.

CVE-2026-50507, nicknamed “Bitskrieg”, is a BitLocker security feature bypass rated CVSS 6.8. It needs physical access to the device and was publicly disclosed before a patch existed. There is a second BitLocker bypass this cycle, CVE-2026-45585 (“YellowKey”, CVSS 6.8), with a public proof of concept since May 13. If your laptops leave the office, those are two reasons not to delay the update.

CVE-2026-49160 is a denial of service in HTTP.sys rated CVSS 7.5 and dubbed “HTTP/2 Bomb”. The patch adds a new registry setting, MaxHeadersCount, as an extra mitigation to cap the attack surface.

Remote Desktop and an out-of-band patch

The Remote Desktop Client picks up eleven RCE vulnerabilities (from CVE-2026-42909 through CVE-2026-48563), seven of them critical, with CVSS scores between 7.5 and 8.8. The common pattern is a heap-based buffer overflow that fires when the victim connects to an attacker-controlled server. The practical defense is to avoid RDP servers of dubious origin and to patch the client quickly.

Microsoft also released out-of-band updates outside the main cycle. CVE-2026-41091 (“RedSun”, CVSS 7.8) is a Microsoft Defender elevation of privilege flaw already exploited in the wild; it was added to CISA’s KEV catalog on May 20, 2026.

What to do

Apply the full cycle as soon as you can and start with what faces the network: any host reachable remotely through the kernel vector (CVE-2026-45657) and internet-facing servers running HTTP.sys. For BitLocker laptops, remember both bypasses need physical access, but the patch is the only fix. And confirm Microsoft Defender is current because of the RedSun zero-day, which is already being exploited.
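As an added example, not from the article or from Microsoft, the following PowerShell snippet turns the priorities above into a per-host triage report: whether anything has been installed since June 9, whether HTTP.sys is running and listening, whether the MaxHeadersCount value is present, the BitLocker state of the OS volume, and the Defender platform, engine and signature age. The KB number of the June cumulative update is not given in the article, so it is a placeholder parameter, and the assumption that MaxHeadersCount sits under the existing HTTP.sys Parameters key (alongside MaxFieldLength and MaxRequestBytes) is an assumption, not something the article states.

```powershell
# Added triage example (not from the article). Run in an elevated PowerShell
# session on each Windows host you want to check.
param(
    # Placeholder: the article does not name the June 2026 update's KB number;
    # fill this in from the Microsoft Update Catalog.
    [string[]]$ExpectedKBs = @('KB0000000'),
    [datetime]$PatchTuesday = (Get-Date '2026-06-09')
)

$report = [ordered]@{}

# 1. Cumulative update: anything installed since Patch Tuesday, and are the
#    expected KBs among the installed hotfixes?
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday }
$report['HotfixesSincePatchTuesday'] = ($recent.HotFixID -join ', ')
$report['ExpectedKBsMissing'] = ($ExpectedKBs |
    Where-Object { $_ -notin $recent.HotFixID }) -join ', '

# 2. HTTP.sys exposure (HTTP/2 Bomb): is the HTTP driver service running, and
#    has the MaxHeadersCount mitigation been configured?
#    Assumption: the new value lives under the existing HTTP.sys Parameters key.
$httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$httpSvc = Get-Service HTTP -ErrorAction SilentlyContinue
$report['HttpSysRunning'] = ($httpSvc.Status -eq 'Running')
$report['MaxHeadersCount'] = (Get-ItemProperty -Path $httpKey -Name MaxHeadersCount `
    -ErrorAction SilentlyContinue).MaxHeadersCount

# 3. Which common HTTP.sys-backed ports are listening (IIS, WinRM)? Hosts that
#    expose these to untrusted networks go first in the patch order.
$report['HttpListeners'] = (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 80, 443, 5985, 5986 } |
    Select-Object -ExpandProperty LocalPort -Unique) -join ', '

# 4. BitLocker (Bitskrieg / YellowKey): protection state of the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLockerOsVolume'] = if ($os) {
    "$($os.ProtectionStatus) / $($os.VolumeStatus)"
} else { 'not available' }

# 5. Defender (RedSun): platform and engine versions plus signature age.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $report['DefenderPlatform']  = $mp.AMProductVersion
    $report['DefenderEngine']    = $mp.AMEngineVersion
    $report['SignatureAgeDays']  = $mp.AntivirusSignatureAge
} else {
    $report['DefenderPlatform']  = 'Defender status unavailable'
}

[pscustomobject]$report | Format-List
```

Run it across a fleet with Invoke-Command and sort the output by HttpListeners and ExpectedKBsMissing to get the patch order the article recommends: exposed HTTP.sys hosts and unpatched machines first.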

To compare the scale with earlier months, see our writeup of the March 2026 Patch Tuesday. All details on supported versions are on the Windows page.
