Today is the monthly 'Windows Update' day, fixing 3 zero-day vulnerabilities and 200 other vulnerabilities.

The monthly Windows Update, which delivers security updates and bug fixes for Windows, has been released.
June 2026 Security Updates (Monthly)
https://www.microsoft.com/en-us/msrc/blog/2026/06/202606-security-update
Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-3-zero-day-200-flaws/
Windows 11 KB5094126 & KB5093998 cumulative updates released
https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5094126-and-kb5093998-cumulative-updates-released/
Installing this security update changes the build number to 26200.8457 for Windows 11 25H2 and 26100.8457 for 24H2 (KB5094126), and to 22631.7079 for 23H2 (KB5093998). After the update, more PCs will be able to enjoy improved performance and access to Xbox Mode, which lets you experience the feel of an Xbox console on your PC. Various other improvements have also been made, such as a shared audio feature that allows two people to listen to the same audio simultaneously from one Windows 11 PC, and improved visibility of NPU usage in Task Manager on NPU-equipped PCs.
The vulnerabilities fixed in this update are as follows:

| Product | Maximum severity | Maximum impact | Related support articles or support web pages |
|---|---|---|---|
| Windows 11 v26H1, v25H2, v24H2, v23H2 | Critical | Remote code execution | v26H1: 5095051; v25H2, v24H2: 5094126; v23H2: 5093998 |
| Windows Server 2025 (including Server Core installations) | Critical | Remote code execution | 5094125 |
| Windows Server 2022 (including Server Core installations) | Critical | Remote code execution | 5094128 |
| Windows Server 2019, Windows Server 2016 (including Server Core installations) | Critical | Remote code execution | Windows Server 2019: 5094123; Windows Server 2016: 5094122 |
| Remote Desktop client for Windows Desktop | Important | Remote code execution | https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windowsdesktop-whatsnew |
| Microsoft Office | Critical | Remote code execution | https://learn.microsoft.com/officeupdates |
| Microsoft SharePoint | Critical | Remote code execution | https://learn.microsoft.com/officeupdates/sharepoint-updates |
| Microsoft Exchange Server | Important | Remote code execution | https://learn.microsoft.com/exchange; Exchange Team Blog: Released: June 2026 Exchange Server Security Updates |
| Microsoft .NET | Important | Elevation of privilege | https://learn.microsoft.com/dotnet |
| Microsoft Visual Studio | Important | Elevation of privilege | https://learn.microsoft.com/visualstudio |
| Microsoft Dynamics 365 | Important | Elevation of privilege | https://learn.microsoft.com/dynamics365 |
| Microsoft Azure | Critical | Remote code execution | https://learn.microsoft.com/azure |
| Microsoft Defender for Endpoint for Mac, Microsoft Malware Protection Engine | Important | Remote code execution | Deploy updates for Microsoft Defender for Endpoint on macOS; Microsoft Defender Antivirus security intelligence and product updates and support - Microsoft Defender for Endpoint |

This update fixes the following three zero-day vulnerabilities. None of these vulnerabilities have been reported to have been exploited in attacks.
◆CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability
This is a publicly disclosed vulnerability that allows an authenticated attacker to locally escalate privileges and obtain SYSTEM privileges.
◆CVE-2026-49160: HTTP.sys Denial of Service (DoS) vulnerability
This vulnerability is used by a DoS attack technique called 'HTTP/2 Bomb.' The attack lets an attacker force a server to allocate a disproportionately large amount of memory by sending only a small amount of data.
'HTTP/2 Bomb' attack, capable of bringing down web servers in seconds, discovered using OpenAI's Codex - GIGAZINE

To mitigate this attack, Microsoft introduced a new 'MaxHeadersCount' registry setting to limit the number of headers in a request and also published support information on how to use it.
◆CVE-2026-50507: Windows BitLocker security feature bypass vulnerability
This is a BitLocker bypass vulnerability that allows an attacker to access encrypted drives. Microsoft explains that 'a flaw in the protection mechanism of Windows BitLocker allows an unauthenticated attacker to bypass security features through a physical attack.'
A vulnerability has been discovered that allows access to Microsoft BitLocker-protected drives using only files on a USB drive, without the recovery key - GIGAZINE

This vulnerability primarily affects systems using BitLocker protection with TPM only on Windows 11 and Windows Server 2022/2025. Microsoft previously recommended enabling TPM + PIN authentication instead of relying on TPM-only protection as a temporary mitigation for this issue.
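
One way to find the TPM-only configurations described above, as an added example that is not part of the original article: a PowerShell audit built on the `Get-BitLockerVolume` cmdlet and the BitLocker Group Policy registry key. The function names are hypothetical, and the script assumes an elevated session on a machine with the BitLocker module installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report BitLocker volumes that the TPM
# alone can unlock, the configuration the article says CVE-2026-50507 affects.

function Get-BitLockerTpmOnlyReport {
    param(
        # Volume objects; defaults to the live system. Taking them as a
        # parameter also allows constructed objects to be passed in.
        [object[]] $Volume = (Get-BitLockerVolume)
    )
    foreach ($v in $Volume) {
        # Collect protector type names, e.g. Tpm, TpmPin, RecoveryPassword.
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = [string]$v.VolumeType
            ProtectionStatus = [string]$v.ProtectionStatus
            Protectors       = ($types | Sort-Object -Unique) -join ','
            # A plain 'Tpm' protector releases the key with no PIN, whatever
            # other protectors (recovery password, etc.) are also present.
            TpmOnlyUnlock    = $types -contains 'Tpm'
            HasTpmPin        = $types -contains 'TpmPin'
        }
    }
}

function Get-StartupPinPolicy {
    # Group Policy "Require additional authentication at startup" is stored
    # under this key; UseTPMPIN is 0 = do not allow, 1 = require, 2 = allow.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup   # $null when not configured
        UseTPM             = $p.UseTPM
        UseTPMPIN          = $p.UseTPMPIN
    }
}

$report = Get-BitLockerTpmOnlyReport
$report | Format-Table -AutoSize
Get-StartupPinPolicy | Format-List

# Flag volumes that are protected but unlock with the TPM alone.
$exposed = @($report | Where-Object { $_.TpmOnlyUnlock -and $_.ProtectionStatus -eq 'On' })
if ($exposed.Count -gt 0) {
    Write-Warning ("TPM-only unlock on: " + ($exposed.MountPoint -join ', '))
    # Remediation is per volume, for example:
    #   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
}
```

If the policy key restricts startup PINs (`UseTPMPIN` set to 0), adding a TPM + PIN protector is blocked until the policy is changed.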
Windows Update is released on the second Tuesday of every month in US time, and the next update is scheduled for Wednesday, July 15, 2026, in Japan time.
- Continued
Microsoft Defender's new zero-day vulnerability, 'RoguePlanet,' can still be exploited even after all Windows Update patches from June 10, 2026, have been applied - GIGAZINE
