• Category: Security
  • Status: confirmed
  • Sources: MSRC June 2026 release notes, KB5094126, BleepingComputer
  • Summary: Microsoft released 206 CVEs on 2026-06-09, the largest Patch Tuesday on record. Six zero-days were included: one exploited in the wild (CVE-2026-41091, Microsoft Defender elevation of privilege, CVSS 7.8, CISA KEV 2026-05-20, patched out-of-band May 19) and five publicly disclosed. The most severe unfixed-in-the-wild flaw is CVE-2026-45657, a use-after-free in the Windows kernel TCP/IP stack (CVSS 9.8) allowing unauthenticated remote code execution at SYSTEM level; Microsoft classified it as wormable. CVE-2026-47291 is a second unauthenticated RCE in HTTP.sys (CVSS 9.8). Publicly disclosed zero-days include CVE-2026-45586 (CTFMON privilege escalation to SYSTEM, named GreenPlasma) and CVE-2026-45585 (BitLocker bypass via USB in Windows Recovery Environment, named YellowKey). Critical Exchange Server RCE CVE-2026-45583 is also included.
  • Why it matters: CVE-2026-45657 is wormable across all Windows 11 and Windows Server 2022/2025 versions; patch immediately via KB5094126 or KB5094125/KB5094128 for affected server versions. Defender auto-updates cover CVE-2026-41091 for most endpoints.

Send feedback on this story