Skip to Main Content
 

Major Digest Home For June, Patch Tuesday means an IT scramble - Major Digest

For June, Patch Tuesday means an IT scramble

For June, Patch Tuesday means an IT scramble
Credit: Computer World

Microsoft this week released 206 updates affecting Windows, Office, Exchange Server, and its developer tools —  including three Windows vulnerabilities already publicly disclosed. That trio includes an elevation of privilege in the Collaborative Translation Framework (CVE-2026-45586), a denial of service in HTTP.sys (CVE-2026-49160), and a BitLocker security feature bypass (CVE-2026-50507). At the moment, none appear to be under active exploitation, but all three are rated “Exploitation More Likely.” 

Even without an exploited zero-day, the June 2026 Patch Tuesday release requires Patch Now recommendations for Windows, Office, and Exchange. The latter is back in the patch picture with a consolidated security update that Microsoft recommends installing “as soon as possible.” 

The Readiness team suggests testing start with domain controllers, Hyper-V hosts, anything self-hosting on HTTP.sys, and Outlook-heavy desktops —  in that order. To help navigate these changes, here’s a useful infographic detailing the risks of deploying the updates to each platform.

(More information about recent Patch Tuesday releases is available here.)

Known issues

This June release note from Microsoft flags known issues with three updates:

  • KB5094128 — BitLocker recovery prompt on first restart (Windows Server 2022). The PCR7 condition we have tracked since April is still live on the platforms that did not receive May’s Boot Manager servicing fix. Devices with BitLocker enabled on the OS drive, the Group Policy “Configure TPM platform validation profile for native UEFI firmware configurations” set with PCR7 included, and System Information reporting Secure Boot State PCR7 Binding as “Not Possible” may prompt for the recovery key on the first restart after installing this update.
  • KB5094127 — Windows 10 21H2/22H2. The release note carries a known-issue flag, too, with Windows 10 in the same boat as Server 2022: it has not received the Boot Manager servicing improvement that closed the BitLocker/PCR7 recovery condition on Windows 11. So, that same Group Policy configuration remains the trigger to check before deployment.
  • KB5094125/KB5094128 — WSUS synchronization error details suppressed (Windows Server 2025 and 2022). WSUS no longer displays synchronization error details in its reporting. This is deliberate: the functionality was “temporarily removed to address the Remote Code Execution Vulnerability, CVE-2025-59287.” Microsoft offered no workaround.

One continuing advisory from May remains in effect: Windows Update can still replace manually installed graphics drivers with older OEM versions from the Windows Update catalogue.

Major revisions and mitigations

Unlike last month, this patch cycle delivered two genuine revisions and a cluster of out-of-band fixes that require action:

  • Microsoft Teams Spoofing (CVE-2026-32185) — revised to version 3.0 on May 21. Microsoft announced the availability of the security update for Teams for Android; customers running affected versions should install it. If your mobile fleet runs Android, this is the action item.
  • Microsoft Defender out-of-band cluster (May 19–21) — a Critical remote code execution flaw (CVE-2026-45584), plus an elevation of privilege (CVE-2026-41091) and a denial of service (CVE-2026-45498).
  • SharePoint RCE (CVE-2026-45659) — a separate out-of-band fix also posted on May 21. SharePoint admins had three distinct security notices in a fortnight. The recommendation: deploy these clustered but separate patches as a single unit.

Interestingly, there were two omissions from last month’s list:

  • SharePoint Server RCE (CVE-2026-47294) — published May 29 with the note that it “was addressed by updates that were released in May 2026, but the CVE was inadvertently omitted from the May 2026 Security Updates.”
  • Windows DWM Core Library Information Disclosure (CVE-2026-48566) — also fixed in May, also left off the May list.

That makes two months running: the Patch Tuesday list is never final. The June release itself also carried a substantive revision:

  • Remote Desktop cluster re-issued for Windows 11 26H1 — five RDP/RDS CVEs from 2024–2025, including two Critical RCEs (CVE-2024-49123, CVE-2024-49132) and the RDP Server RCE (CVE-2024-43582). If you are running 26H1, the June cumulative closes these older CVEs.

Windows lifecycle and enforcement updates

Given the month SharePoint just had, SharePoint 2016/2019 require some of the cycle’s most active patching on a platform with one update left. If migration is not already in progress, July’s final update is the deadline. Here are the other key dates:

  • The 2011 KEK CA expires on June 24, and the UEFI CA for third-party boot loaders follows three days later, with the Windows Production PCA for the boot manager coming up October. 19. Devices that have not taken the Windows UEFI CA 2023 key updates under CVE-2023-24932 lose the ability to receive updated boot components once the certificates lapse. This is a big deal.
  • With just one Patch Tuesday to go, SharePoint Server 2016 and 2019, Project Server 2016 and 2019, SQL Server 2016, and SQL Server 2014 ESU Year 2 all reach end of support on July 14. (InfoPath 2013, SharePoint Designer 2013, and Visual Studio 2022 17.12 LTSC go with them.)
  • Kerberos RC4 hardening (CVE-2026-20833) moves from default-hardening to its enforcement phase next month. Accounts still depending on RC4 service tickets have weeks, not months.
  • The graphics-driver targeting change (four-part to two-part Hardware IDs) pilots to September 2026, with broader enforcement planned for Q4 2026 to Q1 2027; until then, Windows Update can still downgrade manually installed display drivers.

This month’s release is a security-only release with a clear feature focus: the Remote Desktop client. The Remote Desktop ActiveX control (mstscax.dll) is the most patched component this cycle with five separate updates (see below). 

The secondary theme is Windows authentication, with three updates to the NTLM security package. Every Windows binary this month reports no functional changes, so the work is pure regression validation. Lower-risk patches reach DHCP, telephony, Hyper-V, UDF and Projected File System storage, and the graphics stack.

Remote Desktop client

The Remote Desktop client (mstscax.dll) draws a high-risk flag that lands specifically on printer redirection — the path that maps a client’s local printers into a remote session. A regression here typically shows as missing redirected printers, failed print jobs, or a hang on connect or reconnect. The wider Remote Desktop stack is also updated, including RemoteApp and clipboard redirection (rdpclip.exe, RdpCoreTS.dll) and Remote Desktop Licensing (lserver.dll). So, be sure to validate connection, session, and licensing together.

A passing run is a remote session that connects, redirects printers, prints, and survives a reconnect with no crashes or missing devices.

  • Connect with Remote Desktop Connection (mstsc.exe) to a test host, enable printer redirection in Local Resources, and confirm redirected printers appear in the session.
  • Print a test page from an app in the session to a redirected printer; repeat with two or more client printers installed.
  • Disconnect and reconnect the session, then confirm the redirected printers are still present and usable.
  • Repeat the printer test in both a full desktop session and a RemoteApp session.
  • Exercise general remote access: connect through a Remote Desktop Gateway, use VMConnect to reach a VM, and verify clipboard and device redirection.
  • On a Remote Desktop Licensing server, confirm clients connect with licensing enabled, across Per User and Per Device modes.

Windows authentication (NTLM)

Three updates touch the NTLM security support provider (msv1\_0.dll), the module behind network authentication when Kerberos is not used. Authentication changes are regression-sensitive: the failure modes are logon failures, broken file-share or RDP access, and application sign-in problems. Validate across domain-joined and workgroup machines.

  • Sign in to domain-joined and standalone machines with domain, local, and cached credentials after a reboot.
  • Access SMB file shares by host name and IP, including paths that fall back to NTLM, and confirm authenticated reads and writes.
  • Authenticate to a Remote Desktop host and to line-of-business applications that rely on integrated Windows authentication.
  • Watch the Security event log for new logon-failure or audit anomalies during the test window.

Other Windows components

The remaining updates carry no functional changes, so cover them with routine regression by area.

  • Networking: exercise DHCP lease, renewal, and release on IPv4 and IPv6 (dhcpcore), sustained socket traffic over the WinSock driver (afd.sys, two updates), HTTP.sys request handling under IIS, and TAPI telephony integrations (tapisrv.dll).
  • Virtualization: boot Generation 1 and Generation 2 VMs, including nested virtualization, to cover the Hyper-V hypervisor (hvix64/hvax64), and connect a VM through an external virtual switch (toggling NIC RSS) to cover vmswitch.sys.
  • Storage and filesystems: read and write UDF-formatted media (udfs.sys), exercise the Projected File System minifilter (prjflt.sys), and validate cloud files hydration and Work Folders sync (cldflt.sys, workfolders.exe), including a ReFS volume with BitLocker enabled.
  • Graphics and shell: run GPU-accelerated and 2D rendering workloads to cover Direct2D (d2d1.dll), GDI+ (gdiplus.dll), the Desktop Window Manager (dwmcore.dll), the Windows Imaging Component (windowscodecs.dll), and UI Automation (UiaManager.dll); watch for artifacts and accessibility regressions.
  • Notifications and input: open apps that raise toast and push notifications (wpnapps.dll, wpncore.dll) and verify Text Services Framework input across keyboard layouts and IMEs (msctf.dll).

Microsoft Office & SharePoint

June’s Office updates are MSI editions only: Excel 2016 (KB5002877), Word 2016 (KB5002879), Office 2016 shared components (KB5002878, KB5002852, and the rich-edit control KB5002578), and Office Online Server 2019 (KB5002875). The shared Office 2016 component updates also apply to the SharePoint Server 2016, 2019, and Subscription Edition baselines. No Critical non-security client release ships this cycle, and Click-to-Run estates are unaffected.

  • Open complex Excel workbooks with formulas, macros, and external data connections; save and reopen to verify integrity.
  • Edit Word documents with embedded objects, tracked changes, and rich formatting that exercises the rich-edit control.
  • On the SharePoint Server baselines (2016, 2019, Subscription Edition) and Office Online Server, validate document library operations, co-authoring, and browser-based viewing and editing.
  • Confirm that Office add-ins and line-of-business integrations continue to operate.

Developer tools and databases

June’s fixes update the .NET SDK across the 8.0, 9.0, and 10.0 servicing lines (8.0.422, 9.0.315, 10.0.301), and ships SQL Server GDR security updates spanning SQL Server 2016 SP3 through SQL Server 2025, in both RTM+GDR and cumulative-update+GDR branches.

  • After installing the .NET SDK update, build and run representative applications and confirm existing projects compile and execute normally.
  • For SQL Server, install the GDR update onto the matching baseline or cumulative-update branch, then restart the service and run standard transactions.
  • Verify a backup and restore, confirm Always On availability groups stay healthy, and test patch install and removal on each servicing branch.

The Readiness team suggests that this month’s testing lead with Remote Desktop. The client is both the most-patched component and the sole High Risk item, so give it a focused regression pass centered on printer redirection, then broaden to general connectivity, RemoteApp, clipboard and device redirection, gateway access, and licensing. 

The NTLM authentication updates are the second priority: validate domain and standalone logon, file-share access, and application sign-in. Everything else is a no-functional-change security update, so cover networking, Hyper-V, storage, and graphics with routine regression. Office is MSI-only, with Click-to-Run untouched, and the .NET and SQL Server updates round out the developer and database estate.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browsers

Microsoft Edge released the stable version (149.0.4022.52) on June 4, per the Edge security release notes. Nothing ships for Internet Explorer, which remains retired. This cycle is unusually lopsided: just one Edge-engineered CVE against a very large Chromium upstream flow:

  • CVE-2026-47644 — Copilot Chat (Microsoft Edge) — Information disclosure (CVSS 6.5, rated critical). For the second month running, Copilot Chat in Edge supplies the headline browser issue (May’s was CVE-2026-33111); Microsoft addresses the Copilot service component, with the browser update completing the fix.
  • Chromium upstream — 407 CVEs relayed through MSRC this cycle, spanning the weekly Chrome release cadence since the May report: use-after-free, out-of-bounds read/write, type confusion, and policy bypass across V8, Blink, PDFium, WebRTC, ANGLE, and DevTools. The same fixes ship in the Chrome Stable channel; see the Chrome release blog for the upstream notes.

The Chromium volume looks alarming but is routine plumbing —  it flows to Edge through its own auto-update channel. Add these updates to your standard release schedule for Edge-managed environments.

Windows

Microsoft addressed 119 vulnerabilities in Windows this month, 22 rated critical and 97, important —  nearly double May’s count. Elevation of privilege again dominates by volume (49 entries), followed by remote code execution (28), information disclosure (16), security feature bypass (15), denial of service (6), and a handful of spoofing and tampering entries. All three of June’s publicly disclosed zero-days land here:

  • CVE-2026-45586 — Collaborative Translation Framework (CTFMON) — Elevation of privilege (CVSS 7.8, publicly disclosed).
  • CVE-2026-49160 — HTTP.sys — Denial of service (CVSS 7.5, publicly disclosed).
  • CVE-2026-50507 — BitLocker — Security feature bypass (CVSS 6.8, publicly disclosed) —  BitLocker’s third entry this month, keeping it on the radar alongside the PCR7 known issue.

At the feature level, the critical risks are concentrated in nine areas:

  • Remote Desktop Client — the largest single cluster: 11 CVEs, 7 rated critical, led by CVE-2026-47289 and CVE-2026-42985 (both CVSS 8.8, the latter “Exploitation More Likely”).
  • Windows Kernel — CVE-2026-45657, remote code execution at CVSS 9.8, the joint-highest Windows score this cycle.
  • HTTP.sys — CVE-2026-47291, unauthenticated remote code execution (CVSS 9.8, “Exploitation More Likely”) in the kernel-mode web server underpinning IIS, WinRM, and anything self-hosting on http.sys — paired with the disclosed DoS above.
  • DHCP Client — CVE-2026-44815, remote code execution at CVSS 9.8.
  • Active Directory Domain Services — CVE-2026-45648, remote code execution (CVSS 8.8) on the directory itself, with the Kerberos KDC adding a separate critical RCE (CVE-2026-47288).
  • Hyper-V — three critical RCEs (CVE-2026-45607, CVE-2026-45641, CVE-2026-47652, up to CVSS 8.4) — guest-to-host risk on virtualization hosts.
  • Windows Graphics Component — two critical RCEs (CVE-2026-44803, CVE-2026-44812, CVSS 7.8), both “Exploitation More Likely” vulnerabilities reachable through Office rendering paths.
  • Windows Deployment Services — CVE-2026-42987, remote code execution (CVSS 8.1).
  • Cryptographic Services and Device Health Attestation — critical elevation-of-privilege entries (CVE-2026-44810, CVSS 8.4; CVE-2026-33828, CVSS 7.8) in trust-anchor components.

Given the publicly disclosed vulnerabilities this month, add this Windows update to your Patch Now schedule.

Office

Microsoft released 53 Office CVEs this month — 10 critical, 43 important. Remote code execution again leads (24 entries), but the surprise is spoofing at 20 entries, almost all of it SharePoint. (SharePoint Server appears in 30 of the 53 CVEs this cycle.) The rest split across information disclosure (6), elevation of privilege (2), and a security feature bypass.

  • Microsoft has addressed seven critical remote code execution entries, each CVSS 8.4, each with the Preview Pane confirmed as an attack vector: CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 against Outlook and Word, plus CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474 against Office broadly.

Add these Office updates to your Patch Now deployment, prioritizing Outlook-heavy desktops and SharePoint farms.

Microsoft Exchange and SQL Server

The pattern inverts from May: SQL Server receives nothing (no patches at all), while Exchange Server — absent in May — returns with a consolidated security update carrying seven CVEs for on-premises builds (Exchange Server 2016 CU23 and Exchange Server 2019), plus one cloud-side critical:

  • CVE-2026-45504 — Exchange Server — Elevation of privilege (CVSS 8.8). The headline on-premises entry.
  • CVE-2026-45503 and CVE-2026-47631 — Exchange Server — Information disclosure and spoofing, each CVSS 8.1.
  • CVE-2026-45583 — Exchange Server — Remote code execution (CVSS 7.5), with three further spoofing/information-disclosure entries (CVE-2026-45500, CVE-2026-45501, CVE-2026-45502) rounding out the set.
  • CVE-2026-48579 — Exchange Online — Information disclosure (CVSS 9.1, rated critical) —  addressed service-side, no customer action.

Microsoft also revised the May Exchange spoofing entry (CVE-2026-42897) to point at this same June security update, with the recommendation to install “as soon as possible.” Add the June Exchange SU to your Patch Now schedule.

Developer tools

Microsoft released 10 CVEs across its developer tooling this month, all rated important —  though the top score outranks most of this cycle’s criticals, and the concentration in Visual Studio Code (seven of 10 entries) continues last month’s pattern:

  • Visual Studio Code — seven entries led by CVE-2026-47281, an elevation of privilege at CVSS 9.6 —  the highest developer-tools score in months. Behind it: CVE-2026-45482, a security feature bypass in the GitHub Copilot Chat extension (CVSS 8.4); CVE-2026-47292, remote code execution in the MSSQL extension (CVSS 7.8); a second elevation of privilege (CVE-2026-40376, CVSS 7.5); and security-feature-bypass, tampering, and information-disclosure entries (CVE-2026-48569, CVE-2026-47287, CVE-2026-47284).
  • Microsoft .NET on Windows has three entries: CVE-2026-45490, a .NET SDK elevation of privilege (CVSS 7.8) across .NET 8.0, 9.0, and 10.0; CVE-2026-45591, an ASP.NET Core denial of service (CVSS 7.5); and CVE-2026-45491, a .NET tampering issue (CVSS 6.2).

Add these Microsoft updates to your standard developer update release plan.

Adobe (and third-party updates)

Adobe released APSB26-63 for Acrobat and Reader this cycle, fixing critical code-execution flaws; Adobe reports no exploitation in the wild. Add it to your standard third-party schedule. This is a big (fat) Windows update this month (and yes, I think that AI has something to do with the number of these patches). 

Good luck with your deployments.

Sources:
Published: