
Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)

Published: 2026-06-09. Last Updated: 2026-06-09 17:34:29 UTC

by Johannes Ullrich (Version: 1)

Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.

This is certainly a busier-than-usual Patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery.

Some noteworthy vulnerabilities:

CVE-2026-49160: This vulnerability was made public a week ago. As implemented, the “HPACK” compression algorithm in HTTP/2 and HTTP/3 can lead to a “compression bomb” that consumes excessive resources. Many HTTP/2 implementations are vulnerable. Microsoft addressed this issue by adding a “MaxHeadersCount” registry setting that limits the amount of allocated resources.

CVE-2026-47291: Affecting the Microsoft web server engine http.sys, just like CVE-2026-49160, this vulnerability is rated critical and allows for remote code execution. The integer overflow requires an oversized request to trigger it. Microsoft recommends restricting the “MaxRequestBytes” to prevent exploitation until the patch can be rolled out.

CVE-2026-45648: A stack-based buffer overflow in Active Directory Domain Services. A successful attack requires authentication, and Microsoft considers exploit development as “unlikely”.

Microsoft fixed three different BitLocker security feature bypass vulnerabilities. One of the vulnerabilities was already publicly known. An “anonymous” researcher is credited with the discovery, but I assume it is one of the “Nightmare Eclipse” vulnerabilities.

Several critical vulnerabilities affect Microsoft Office, Outlook, and Word.
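
For the two http.sys items above (CVE-2026-49160 and CVE-2026-47291), a PowerShell audit of the registry limits they name. This is an added example, not code from the diary or from Microsoft. It assumes “MaxHeadersCount” is a DWORD under the same `HTTP\Parameters` key that holds “MaxRequestBytes” (the diary does not give its location), and both ceiling values are placeholders to replace with the figures from Microsoft's advisory.

```powershell
# Added example: report whether the two http.sys limits from the diary are set.
# Assumptions: MaxHeadersCount sits beside MaxRequestBytes as a DWORD, and both
# default ceilings below are constructed placeholders, not vendor guidance.
param(
    [long]$MaxRequestBytesCeiling = 16384,
    [long]$MaxHeadersCountCeiling = 100
)

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Test-HttpSysLimit {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][long]$Ceiling
    )
    # Get-ItemProperty errors when the value is absent; report that as NotSet.
    $prop = Get-ItemProperty -Path $HttpParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $value  = $null
        $status = 'NotSet'
    } else {
        $value  = [long]$prop.$Name
        $status = if ($value -le $Ceiling) { 'AtOrBelowCeiling' } else { 'AboveCeiling' }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $Name
        Value    = $value
        Ceiling  = $Ceiling
        Status   = $status
    }
}

$report = @(
    Test-HttpSysLimit -Name 'MaxRequestBytes' -Ceiling $MaxRequestBytesCeiling
    Test-HttpSysLimit -Name 'MaxHeadersCount' -Ceiling $MaxHeadersCountCeiling
)
$report | Format-Table -AutoSize

# Non-zero exit lets a compliance job flag hosts that still need attention.
if ($report | Where-Object Status -ne 'AtOrBelowCeiling') { exit 1 }
```

http.sys reads the values under this key when the HTTP service starts, so a changed limit takes effect only after the service or the host is restarted.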

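| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET SDK Elevation of Privilege Vulnerability | CVE-2026-45490 | No | No | - | - | Important | 7.8 | 6.8 |
| .NET Tampering Vulnerability | CVE-2026-45491 | No | No | - | - | Important | 6.2 | 5.4 |
| ASP.NET Core Denial of Service Vulnerability | CVE-2026-45591 | No | No | - | - | Important | 7.5 | 6.5 |
| Azure HorizonDB Elevation of Privilege Vulnerability (no customer action required) | CVE-2026-48567 | No | No | - | - | Critical | 10.0 | 8.7 |
| Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability | CVE-2026-32193 | No | No | - | - | Critical | 8.8 | 7.7 |
| Azure Stack Edge Remote Code Execution Vulnerability | CVE-2026-47643 | No | No | - | - | Important | 9.8 | 8.5 |
| Azure Stack Edge Spoofing Vulnerability | CVE-2026-41098 | No | No | - | - | Important | 8.4 | 7.3 |
| Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability (no customer action required) | CVE-2026-47644 | No | No | - | - | Critical | 6.5 | 5.7 |
| DHCP Client Service Remote Code Execution Vulnerability | CVE-2026-44815 | No | No | - | - | Critical | 9.8 | 8.5 |
| HTTP.sys Denial of Service Vulnerability | CVE-2026-49160 | Yes | No | - | - | Important | 7.5 | 6.5 |
| HTTP.sys Remote Code Execution Vulnerability | CVE-2026-47291 | No | No | - | - | Critical | 9.8 | 8.5 |
| M365 Copilot Information Disclosure Vulnerability (no customer action required) | CVE-2026-42824 | No | No | - | - | Critical | 6.5 | 5.7 |
| Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability | CVE-2026-45642 | No | No | - | - | Important | 3.9 | 3.4 |
| Microsoft Azure Network Adapter Elevation of Privilege Vulnerability | CVE-2026-45476 | No | No | - | - | Critical | 8.2 | 7.1 |
| Microsoft Bing Search Spoofing Vulnerability | CVE-2026-45650 | No | No | - | - | Important | 4.3 | 3.8 |
| Microsoft Cryptographic Services Elevation of Privilege Vulnerability | CVE-2026-44810 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-45637 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | CVE-2026-45647 | No | No | - | - | Important | 5.5 | 4.8 |
| Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability | CVE-2026-40371 | No | No | - | - | Important | 8.8 | 7.7 |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2026-44822 | No | No | - | - | Important | 8.2 | 7.1 |
| Microsoft Excel Information Disclosure Vulnerability | CVE-2026-45455 | No | No | - | - | Important | 3.3 | 2.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2026-45469 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2026-44817 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2026-44818 | No | No | - | - | Important | 7.0 | 6.1 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2026-44820 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2026-44823 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Excel Security Feature Bypass Vulnerability | CVE-2026-45459 | No | No | - | - | Important | 3.3 | 2.9 |
| Microsoft Exchange Online Information Disclosure Vulnerability (no customer action required) | CVE-2026-48579 | No | No | - | - | Critical | 9.1 | 7.9 |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | CVE-2026-45504 | No | No | - | - | Important | 8.8 | 7.7 |
| Microsoft Exchange Server Information Disclosure Vulnerability | CVE-2026-45502 | No | No | - | - | Important | 5.0 | 4.4 |
| Microsoft Exchange Server Information Disclosure Vulnerability | CVE-2026-45503 | No | No | - | - | Important | 8.1 | 7.1 |
| Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2026-45583 | No | No | - | - | Important | 7.5 | 6.5 |
| Microsoft Exchange Server Spoofing Vulnerability | CVE-2026-45500 | No | No | - | - | Important | 6.1 | 5.3 |
| Microsoft Exchange Server Spoofing Vulnerability | CVE-2026-45501 | No | No | - | - | Important | 6.5 | 5.7 |
| Microsoft Exchange Server Spoofing Vulnerability | CVE-2026-47631 | No | No | - | - | Important | 8.1 | 7.1 |
| Microsoft Graph Information Disclosure Vulnerability (no customer action required) | CVE-2026-47655 | No | No | - | - | Critical | 6.5 | 5.7 |
| Microsoft Graphics Component Elevation of Privilege Vulnerability | CVE-2026-42986 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Kinect Elevation of Privilege Vulnerability | CVE-2026-41092 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability | CVE-2026-45644 | No | No | - | - | Important | 8.0 | 7.0 |
| Microsoft M365 Copilot Remote Code Execution Vulnerability (no customer action required) | CVE-2026-45497 | No | No | - | - | Critical | 7.7 | 6.7 |
| Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | CVE-2026-47293 | No | No | - | - | Important | 7.0 | 6.1 |
| Microsoft Office Information Disclosure Vulnerability | CVE-2026-45485 | No | No | - | - | Important | 3.3 | 2.9 |
| Microsoft Office Information Disclosure Vulnerability | CVE-2026-44821 | No | No | - | - | Important | 5.5 | 4.8 |
| Microsoft Office Information Disclosure Vulnerability | CVE-2026-45460 | No | No | - | - | Critical | 4.7 | 4.1 |
| Microsoft Office Project Server Spoofing Vulnerability | CVE-2026-45483 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45475 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45472 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45474 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-44819 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-44824 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45461 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45645 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2026-45463 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Outlook and Word Remote Code Execution Vulnerability | CVE-2026-45456 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Outlook and Word Remote Code Execution Vulnerability | CVE-2026-45458 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft Outlook and Word Remote Code Execution Vulnerability | CVE-2026-47635 | No | No | - | - | Critical | 8.4 | 7.3 |
| Microsoft PC Manager Security Feature Bypass Vulnerability | CVE-2026-49161 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft PowerToys Elevation of Privilege Vulnerability | CVE-2026-42902 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2026-45484 | No | No | - | - | Important | 8.8 | 7.7 |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2026-45454 | No | No | - | - | Important | 6.5 | 5.7 |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2026-47298 | No | No | - | - | Important | 8.0 | 7.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45467 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45468 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45479 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45453 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47636 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47637 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47638 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47639 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47641 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-33113 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45462 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45464 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45465 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47634 | No | No | - | - | Important | 7.3 | 6.4 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-47640 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-45481 | No | No | - | - | Important | 7.3 | 6.4 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-48560 | No | No | - | - | Important | 5.4 | 4.7 |
| Microsoft SharePoint Server Spoofing Vulnerability | CVE-2026-48562 | No | No | - | - | Important | 4.6 | 4.0 |
| Microsoft Teams for Android Information Disclosure Vulnerability | CVE-2026-42835 | No | No | - | - | Important | 8.1 | 7.1 |
| Microsoft UxTheme Library (uxtheme.dll) Denial of Service Vulnerability | CVE-2026-45606 | No | No | - | - | Important | 5.5 | 4.8 |
| Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | CVE-2026-45482 | No | No | - | - | Important | 8.4 | 7.3 |
| Microsoft Word Information Disclosure Vulnerability | CVE-2026-45466 | No | No | - | - | Important | 3.3 | 2.9 |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2026-45471 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2026-45486 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2026-45643 | No | No | - | - | Important | 7.8 | 6.8 |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2026-45457 | No | No | - | - | Important | 7.8 | 6.8 |
| NT OS Kernel Elevation of Privilege Vulnerability | CVE-2026-42980 | No | No | - | - | Important | 7.8 | 6.8 |
| NT OS Kernel Elevation of Privilege Vulnerability | CVE-2026-42916 | No | No | - | - | Important | 7.8 | 6.8 |
| Nuance PowerScribe Remote Code Execution Vulnerability | CVE-2026-26142 | No | No | - | - | Critical | 9.8 | 8.5 |
| Office for Android Spoofing Vulnerability | CVE-2026-45649 | No | No | - | - | Important | 7.1 | 6.2 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-47289 | No | No | - | - | Critical | 8.8 | 7.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-47653 | No | No | - | - | Important | 8.8 | 7.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-47654 | No | No | - | - | Critical | 7.5 | 6.6 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-48563 | No | No | - | - | Critical | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-42909 | No | No | - | - | Important | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-42913 | No | No | - | - | Important | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-42992 | No | No | - | - | Critical | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-44799 | No | No | - | - | Critical | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-44801 | No | No | - | - | Critical | 7.5 | 6.5 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-42985 | No | No | - | - | Critical | 8.8 | 7.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2026-42993 | No | No | - | - | Important | 7.5 | 6.5 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-45588 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48568 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48570 | No | No | - | - | Important | 7.9 | 7.1 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48573 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48575 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48576 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-48578 | No | No | - | - | Important | 7.9 | 6.9 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2026-45654 | No | No | - | - | Important | 7.9 | 6.9 |
| UEFI Secure Boot Security Feature Bypass Vulnerability | CVE-2026-45656 | No | No | - | - | Important | 7.8 | 6.8 |
| Visual Studio Code Elevation of Privilege Vulnerability | CVE-2026-40376 | No | No | - | - | Important | 7.5 | 6.5 |
| Visual Studio Code Elevation of Privilege Vulnerability | CVE-2026-47281 | No | No | - | - | Important | 9.6 | 8.3 |
| Visual Studio Code Information Disclosure Vulnerability | CVE-2026-47284 | No | No | - | - | Important | 6.5 | 5.7 |
| Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability | CVE-2026-47292 | No | No | - | - | Important | 7.8 | 6.8 |
| Visual Studio Code Security Feature Bypass Vulnerability | CVE-2026-48569 | No | No | - | - | Important | 7.1 | 6.2 |
| Visual Studio Code Tampering Vulnerability | CVE-2026-47287 | No | No | - | - | Important | 6.5 | 5.7 |
| Windows Active Directory Domain Services Remote Code Execution Vulnerability | CVE-2026-45648 | No | No | - | - | Critical | 8.8 | 7.7 |
| Windows Administrator Protection Secure Feature Bypass Vulnerability | CVE-2026-42829 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-34335 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-45601 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-45598 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-45596 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-45638 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-45603 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2026-42911 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Application Identity (AppID) Information Disclosure Vulnerability | CVE-2026-45594 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows BitLocker Security Feature Bypass Vulnerability | CVE-2026-45655 | No | No | - | - | Important | 5.3 | 4.6 |
| Windows BitLocker Security Feature Bypass Vulnerability | CVE-2026-45658 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows BitLocker Security Feature Bypass Vulnerability | CVE-2026-50507 | Yes | No | - | - | Important | 6.8 | 6.1 |
| Windows Bluetooth Port Driver Elevation of Privilege Vulnerability | CVE-2026-45640 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Bluetooth Service Elevation of Privilege Vulnerability | CVE-2026-45605 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Boot Manager Security Feature Bypass Vulnerability | CVE-2026-47656 | No | No | - | - | Important | 7.9 | 6.9 |
| Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability | CVE-2026-45586 | Yes | No | - | - | Important | 7.8 | 6.8 |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2026-44809 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DHCP Client Information Disclosure Vulnerability | CVE-2026-45634 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows DHCP Client Information Disclosure Vulnerability | CVE-2026-45608 | No | No | - | - | Important | 6.8 | 5.9 |
| Windows DNS Client Elevation of Privilege Vulnerability | CVE-2026-41108 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-42905 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44811 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44808 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44807 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-42983 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44802 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44813 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2026-44804 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows DWM Core Library Information Disclosure Vulnerability | CVE-2026-48566 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows DWM Core Library Information Disclosure Vulnerability | CVE-2026-44814 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Deployment Services (WDS) Remote Code Execution | CVE-2026-42987 | No | No | - | - | Critical | 8.1 | 7.1 |
| Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability | CVE-2026-33828 | No | No | - | - | Critical | 7.8 | 6.8 |
| Windows Dynamic Host Configuration Protocol (DHCP) Tampering Vulnerability | CVE-2026-45602 | No | No | - | - | Important | 9.1 | 7.9 |
| Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | CVE-2026-42836 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Graphics Component Remote Code Execution Vulnerability | CVE-2026-44803 | No | No | - | - | Critical | 7.8 | 6.8 |
| Windows Graphics Component Remote Code Execution Vulnerability | CVE-2026-44812 | No | No | - | - | Critical | 7.8 | 6.8 |
| Windows Hotpatch Monitoring Service Elevation of Privilege Vulnerability | CVE-2026-42910 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Hyper-V Information Disclosure Vulnerability | CVE-2026-42972 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Hyper-V Remote Code Execution Vulnerability | CVE-2026-45607 | No | No | - | - | Critical | 8.4 | 7.3 |
| Windows Hyper-V Remote Code Execution Vulnerability | CVE-2026-45641 | No | No | - | - | Critical | 8.4 | 7.3 |
| Windows Hyper-V Remote Code Execution Vulnerability | CVE-2026-47652 | No | No | - | - | Critical | 8.2 | 7.1 |
| Windows Internet (wininet.dll) Elevation of Privilege Vulnerability | CVE-2026-45592 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Kerberos Denial of Service Vulnerability | CVE-2026-42903 | No | No | - | - | Important | 6.5 | 5.7 |
| Windows Kerberos Denial of Service Vulnerability | CVE-2026-42914 | No | No | - | - | Important | 5.3 | 4.6 |
| Windows Kerberos Key Distribution Center (KDC) Remote Code Execution | CVE-2026-47288 | No | No | - | - | Critical | 7.1 | 6.2 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2026-48583 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2026-45653 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2026-42984 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows Kernel Remote Code Execution Vulnerability | CVE-2026-45657 | No | No | - | - | Critical | 9.8 | 8.5 |
| Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | CVE-2026-45600 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Managed Installer Information Disclosure Vulnerability | CVE-2026-45604 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Mark of the Web Security Feature Bypass Vulnerability | CVE-2026-45595 | No | No | - | - | Important | 5.4 | 4.7 |
| Windows Media Remote Code Execution Vulnerability | CVE-2026-48574 | No | No | - | - | Critical | 7.8 | 6.8 |
| Windows NTFS Remote Code Execution Vulnerability | CVE-2026-45636 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows NTLM Spoofing Vulnerability | CVE-2026-50508 | No | No | - | - | Important | 6.5 | 5.7 |
| Windows Narrator Braille Elevation of Privilege Vulnerability | CVE-2026-48565 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Network Controller (NC) Host Agent Denial of Service Vulnerability | CVE-2026-44805 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Performance Monitor Remote Code Execution Vulnerability | CVE-2026-42981 | No | No | - | - | Important | 8.1 | 7.1 |
| Windows Performance Monitor Remote Code Execution Vulnerability | CVE-2026-42974 | No | No | - | - | Important | 8.1 | 7.1 |
| Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability | CVE-2026-45487 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Projected File System Elevation of Privilege Vulnerability | CVE-2026-42828 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Projected File System Elevation of Privilege Vulnerability | CVE-2026-42837 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Push Notification Information Disclosure Vulnerability | CVE-2026-42969 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Push Notification Information Disclosure Vulnerability | CVE-2026-42971 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Push Notification Information Disclosure Vulnerability | CVE-2026-42970 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Push Notification Information Disclosure Vulnerability | CVE-2026-42973 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Push Notifications Elevation of Privilege Vulnerability | CVE-2026-42978 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Push Notifications Elevation of Privilege Vulnerability | CVE-2026-42977 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Push Notifications Elevation of Privilege Vulnerability | CVE-2026-42979 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Push Notifications Elevation of Privilege Vulnerability | CVE-2026-42991 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | CVE-2026-45639 | No | No | - | - | Important | 7.5 | 6.5 |
| Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | CVE-2026-42908 | No | No | - | - | Important | 7.5 | 6.5 |
| Windows SDK Elevation of Privilege Vulnerability | CVE-2026-45593 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Shell Information Disclosure Vulnerability | CVE-2026-42906 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Shell Information Disclosure Vulnerability | CVE-2026-42907 | No | No | - | - | Important | 6.5 | 5.7 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2026-47648 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows TCP/IP Denial of Service Vulnerability | CVE-2026-42915 | No | No | - | - | Important | 5.7 | 5.0 |
| Windows TCP/IP Elevation of Privilege Vulnerability | CVE-2026-42904 | No | No | - | - | Important | 9.6 | 8.3 |
| Windows Telephony Server Information Disclosure Vulnerability | CVE-2026-42968 | No | No | - | - | Important | 5.5 | 4.8 |
| Windows Telephony Service Elevation of Privilege Vulnerability | CVE-2026-42912 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows UI Automation Manager (uiamanager.dll) Elevation of Privilege Vulnerability | CVE-2026-45597 | No | No | - | - | Important | 7.0 | 6.1 |
| Windows UPnP Device Host Remote Code Execution Vulnerability | CVE-2026-45599 | No | No | - | - | Important | 8.1 | 7.1 |
| Windows UPnP Device Host Remote Code Execution Vulnerability | CVE-2026-45635 | No | No | - | - | Important | 8.1 | 7.1 |
| Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | CVE-2026-40409 | No | No | - | - | Important | 7.8 | 6.8 |
| Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | CVE-2026-40404 | No | No | - | - | Important | 7.8 | 6.8 |
| Winlogon Elevation of Privilege Vulnerability | CVE-2026-42989 | No | No | - | - | Important | 7.8 | 6.8 |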

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
