• Category: Security
  • Status: confirmed
  • Sources: MSRC June 2026 release notes, KB5094126, BleepingComputer
  • Summary: The June 2026 Patch Tuesday update addresses 206 CVEs across Windows, Exchange Server, Office, and other products, the largest monthly release on record. One zero-day (CVE-2026-41091, Defender EoP, CVSS 7.8) was under active exploitation before the formal release; Microsoft patched it out-of-band on 2026-05-19 and CISA added it to KEV on 2026-05-20. Five additional zero-days were publicly disclosed but not observed exploited at release: CVE-2026-45657 (Windows kernel TCP/IP use-after-free, CVSS 9.8, wormable), CVE-2026-47291 (HTTP.sys unauthenticated RCE, CVSS 9.8), CVE-2026-45586 (CTFMON SYSTEM privilege escalation, GreenPlasma), CVE-2026-45585 (BitLocker USB bypass in Windows Recovery Environment, YellowKey), and CVE-2026-45583 (Exchange Server RCE). KB5094126 covers Windows 11 24H2 and 25H2; KB5094125 covers Windows Server 2025; KB5094128 covers Windows Server 2022.
  • Why it matters: CVE-2026-45657 and CVE-2026-47291 are both unauthenticated CVSS 9.8 RCEs; the kernel flaw is wormable. Apply this month's update on all Windows endpoints and servers immediately.

Send feedback on this story