Microsoft and Adobe Patch Tuesday, June 2026 Security Update Review

Diksha Ojha

Every Patch Tuesday presents a race between defenders applying fixes and attackers seeking opportunities. Microsoft’s June 2026 release is no exception, delivering security updates for vulnerabilities that could significantly impact enterprise environments if left unaddressed.

Microsoft Patch Tuesday for June 2026

This month’s release addresses 206 vulnerabilities, including 33 critical and 167 important-severity vulnerabilities.

In this month’s updates, Microsoft has addressed three publicly disclosed zero-day vulnerabilities.

There were also a massive 360 Microsoft Edge/Chromium vulnerabilities fixed by Google this month, which are excluded from this Patch Tuesday roundup.

Microsoft Patch Tuesday, June edition, includes updates for vulnerabilities in Microsoft Windows DNS, Windows Media, Windows NTFS, Windows Hyper-V, Windows BitLocker, Windows Bluetooth Port Driver, Windows Bluetooth Service, Windows Boot Manager, Microsoft Copilot, Microsoft Exchange Server, and more.

This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.

The June 2026 Microsoft vulnerabilities are classified as follows:

| Vulnerability Category | Quantity | Severities |
|---|---|---|
| Spoofing Vulnerability | 27 | Important: 27 |
| Denial of Service Vulnerability | 7 | Important: 7 |
| Elevation of Privilege Vulnerability | 65 | Critical: 4, Important: 61 |
| Information Disclosure Vulnerability | 30 | Critical: 1, Important: 29 |
| Remote Code Execution Vulnerability | 55 | Critical: 28, Important: 23 |
| Security Feature Bypass Vulnerability | 19 | Important: 19 |

Adobe Patch for June 2026

Adobe has released 11 security advisories to address 123 vulnerabilities in Adobe Experience Manager, Adobe Experience Manager Forms, Adobe InDesign, Adobe InCopy, Adobe Substance 3D Sampler, Content Credentials SDK, Adobe Dreamweaver, Adobe Acrobat Reader, Adobe ColdFusion, Adobe Format Plugins, and Adobe Campaign Classic. 47 of these vulnerabilities are rated critical. Successful exploitation of these vulnerabilities may lead to privilege escalation, security feature bypass, arbitrary file system read, application denial-of-service, and arbitrary code execution.

Zero-day Vulnerabilities Patched in June Patch Tuesday Edition

CVE-2026-49160: HTTP.sys Denial of Service Vulnerability

Uncontrolled resource consumption in HTTP/2 could allow an unauthenticated attacker to deny service over a network.

CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

A link-following vulnerability in the Windows Collaborative Translation Framework could allow an authenticated attacker to elevate privileges locally. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

CVE-2026-50507: Windows BitLocker Security Feature Bypass Vulnerability

A protection mechanism failure in Windows BitLocker may allow an unauthenticated attacker to bypass a security feature with a physical attack.

Critical Severity Vulnerabilities Patched in June Patch Tuesday Edition

CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, & CVE-2026-45474: Microsoft Office Remote Code Execution Vulnerability

A heap-based buffer overflow vulnerability in Microsoft Office could allow an unauthenticated attacker to execute code remotely.

CVE-2026-26142: Nuance PowerScribe Remote Code Execution Vulnerability

Deserialization of untrusted data in Nuance PowerScribe may allow an unauthenticated attacker to execute code over a network.

CVE-2025-10263: ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel]

An attacker could exploit the vulnerability by triggering a specific timing condition during a memory permission change, causing a memory write to be applied using outdated permissions. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

CVE-2026-33828: Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability

Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.

CVE-2026-45456, CVE-2026-47635, & CVE-2026-45458: Microsoft Outlook and Word Remote Code Execution Vulnerability

A type confusion vulnerability in Microsoft Office may allow an unauthenticated attacker to execute arbitrary code remotely.

CVE-2026-45460: Microsoft Office Information Disclosure Vulnerability

An out-of-bounds read vulnerability in Microsoft Office could allow an unauthenticated attacker to disclose information locally.

CVE-2026-45607, CVE-2026-47652, & CVE-2026-45641: Windows Hyper-V Remote Code Execution Vulnerability

An out-of-bounds read vulnerability in Windows Hyper-V could allow an unauthenticated attacker to execute code remotely.

CVE-2026-45648: Windows Active Directory Domain Services Remote Code Execution Vulnerability

A stack-based buffer overflow vulnerability in Active Directory Domain Services may allow an authenticated attacker to execute code remotely.

CVE-2026-45657: Windows Kernel Remote Code Execution Vulnerability

A use-after-free vulnerability in the Windows Kernel could allow an unauthenticated attacker to execute code remotely.

CVE-2026-47288: Windows Kerberos Key Distribution Center (KDC) Remote Code Execution Vulnerability

An integer overflow vulnerability in Windows Kerberos may allow an authenticated attacker to execute code over an adjacent network.

CVE-2026-47289, CVE-2026-47654, CVE-2026-42992, CVE-2026-44799, CVE-2026-44801, CVE-2026-42985, & CVE-2026-48563: Remote Desktop Client Remote Code Execution Vulnerability

A heap-based buffer overflow vulnerability in Remote Desktop Client may allow an unauthenticated attacker to execute code over a network.

CVE-2026-32193: Azure Kubernetes Service (AKS) Remote Code Execution Vulnerability

A path traversal vulnerability in Microsoft Azure Kubernetes Service may allow an authenticated attacker to execute code locally.

CVE-2026-45476: Microsoft Azure Network Adapter Elevation of Privilege Vulnerability 

A use-after-free vulnerability in the Linux MANA Driver allows an authenticated attacker to elevate local privileges.

CVE-2026-48574: Windows Media Remote Code Execution Vulnerability

A heap-based buffer overflow vulnerability in Windows Media may allow an unauthenticated attacker to execute code locally.

CVE-2026-44810: Microsoft Cryptographic Services Elevation of Privilege Vulnerability

An improper authentication vulnerability in Windows Cryptographic Services could allow an unauthorized attacker to elevate privileges locally.

CVE-2026-44815: DHCP Client Service Remote Code Execution Vulnerability

A stack-based buffer overflow vulnerability in Windows DHCP Client could allow an unauthenticated attacker to execute code over a network.

CVE-2026-42987: Windows Deployment Services (WDS) Remote Code Execution Vulnerability

A use-after-free vulnerability in Windows Deployment Services could allow an unauthenticated attacker to execute code over a network.

CVE-2026-44803 & CVE-2026-44812: Windows Graphics Component Remote Code Execution Vulnerability

An integer overflow vulnerability in Windows Win32K – GRFX could allow an unauthenticated attacker to execute code locally.

CVE-2026-47291: HTTP.sys Remote Code Execution Vulnerability

An integer overflow vulnerability in Windows HTTP.sys may allow an unauthenticated attacker to execute code over a network.

Other Microsoft Vulnerability Highlights

  • CVE-2026-45658 is a security feature bypass vulnerability in Windows BitLocker. An attacker may exploit the vulnerability to gain access to encrypted data.
  • CVE-2026-47634 and CVE-2026-45481 are spoofing vulnerabilities in Microsoft SharePoint Server. The cross-site scripting vulnerability may allow an authenticated attacker to perform spoofing over a network.
  • CVE-2026-42905 is an elevation of privilege vulnerability in Windows DWM Core Library. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
  • CVE-2026-42980 is an elevation of privilege vulnerability in the NT OS Kernel. An integer underflow vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
  • CVE-2026-42986 is an elevation of privilege vulnerability in the Microsoft Graphics Component. The use-after-free vulnerability may allow an authenticated attacker to gain SYSTEM privileges.
  • CVE-2026-42989 is an elevation of privilege vulnerability in Winlogon. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
  • CVE-2026-50508 is a spoofing vulnerability in Windows NTLM. Successful exploitation of the vulnerability may allow an unauthenticated attacker to perform network spoofing.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Nuance PowerScribe, Microsoft Azure Kubernetes Service, Microsoft Office SharePoint, Microsoft Azure Attestation Service and Device Health Attestation Service, Windows Ancillary Function Driver for WinSock, Microsoft Dynamics 365 (on-premises), Visual Studio Code, Windows Universal Disk Format File System Driver (UDFS), Microsoft Kinect, Azure Stack Edge, M365 Copilot, Windows Projected File System Filter Driver, Windows Administrator Protection, Microsoft Teams for Android, Function Discovery Service (fdwsd.dll), Microsoft PowerToys, Windows Kerberos, Windows TCP/IP, Windows DWM Core Library, Windows Shell, Windows RDP, Remote Desktop Client, Windows Hotpatch Monitoring Service, Windows Telephony Service, Windows NT OS Kernel, Windows Push Notifications, Role: Windows Hyper-V, Windows Performance Monitor, Windows Kernel, Microsoft Graphics Component, Windows Deployment Services, Winlogon, Windows Win32K – GRFX, Windows Network Controller (NC) Host Agent, Windows Common Log File System Driver, Windows Cryptographic Services, Windows DHCP Client, Microsoft Office Excel, Microsoft Office, Microsoft Office Word, Linux MANA Driver, GitHub Copilot and Visual Studio Code, Microsoft Office Project, Windows Program Compatibility Assistant Service, .NET, Windows Collaborative Translation Framework, Windows Secure Boot, ASP.NET Core, Windows Internet (wininet.dll), Windows SDK, Windows Application Identity (AppID) Subsystem, Windows Mark of the Web (MOTW), UI Automation Manager (uiamanager.dll), Universal Plug and Play (upnp.dll), Windows Kernel-Mode Drivers, Windows DHCP Server, Microsoft UxTheme Library (uxtheme.dll), Microsoft Live Share Canvas SDK, Microsoft Defender for Endpoint, Active Directory Domain Services, Office for Android, Microsoft Bing, Windows UEFI, Windows HTTP.sys, Microsoft Office Click-To-Run, Copilot Chat (Microsoft Edge), Windows Storage, Microsoft Graph, Windows Narrator Braille, Azure HorizonDB, Microsoft Exchange Online, HTTP/2, Microsoft PC Manager, and Windows NTLM.

EVALUATE Vendor-Suggested Mitigation with Policy Audit (PA)

Qualys Policy Audit’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when the remediation (fix/patch) cannot be done now. These security controls are not recommended by any industry standards, such as CIS or DISA-STIG.

Qualys Policy Audit team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best practice that exists in a default state and could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Audit Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft-recommended mitigation(s) for this Patch Tuesday:

CVE-2026-44815: DHCP Client Service Remote Code Execution Vulnerability

This vulnerability has a CVSS:3.1 score of 9.8 / 8.5.

Policy Audit Control IDs (CIDs):

  • 1264 Status of the ‘Dynamic Host Configuration Protocol (DHCP) Client’ service

The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:

control.id: [1264]

The next Patch Tuesday is scheduled for July 14, and we will provide details and patch analysis then. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

