Microsoft has rolled out its June 2026 Patch Tuesday update, a significant release that addresses 200 security vulnerabilities across Windows and related products. This month's patch fixes three publicly disclosed zero-day flaws and 33 vulnerabilities rated Critical. Users are advised to manually run Windows Update if automatic updates have not yet installed the patches.
What is in this month's patch
The scale of this update is larger than usual. Below is a breakdown of the vulnerabilities fixed:
- 65 Elevation of Privilege vulnerabilities that allow attackers to gain higher-level access than they should have on a system.
- 55 Remote Code Execution vulnerabilities, the most dangerous category, enabling attackers to run malicious code remotely.
- 30 Information Disclosure vulnerabilities that may expose sensitive data to unauthorized parties.
- 27 Spoofing vulnerabilities that allow attackers to impersonate legitimate systems or users.
- 19 Security Feature Bypass vulnerabilities that let attackers sidestep built-in Windows protections.
- 7 Denial of Service vulnerabilities that may be used to crash or disable systems.
Of the 33 Critical vulnerabilities patched this month, 28 involve remote code execution, meaning an attacker could potentially take control of an unpatched system without physical access. This count does not include additional fixes Microsoft pushed out earlier for services like Microsoft Exchange Online, Microsoft Copilot, M365, and Azure, nor does it include 360 separate vulnerabilities in Microsoft Edge and Chromium addressed by Google this month.
Three zero-days you need to know about
The most urgent reason to update is the three publicly disclosed zero-day vulnerabilities patched this month. A zero-day is a flaw made public before an official fix exists, allowing attackers to exploit it. Microsoft says none of these three are known to have been actively exploited yet, but that can change quickly once details are public.
- Exploiting one of the flaws allows an attacker who already has some access to a system to escalate that access to SYSTEM level.
- The second loophole allows attackers to overwhelm and crash a server without any authentication. The attack comes from outside the network, posing a significant risk for Windows systems running HTTP/2-based services.
- The third issue is related to BitLocker and may affect anyone relying on the software to protect sensitive data on a laptop or portable device. The flaw allows a local attacker with physical access to bypass BitLocker's encryption protections and access the contents of an encrypted drive. Microsoft classifies it as a protection mechanism failure.
