Post -Patch Tuesday Roundup: June 2026 | Softcat
Skip to main content

Login to eCAT

Customer Support
Contact Sales
Blog

Post -Patch Tuesday Roundup: June 2026

Softcat’s June 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco SAP, Ivanti, IBM, Fortinet, checkpoint, Google and Palo Alto as they release patches addressing a wide range of vulnerabilities across their respective platforms.

Post patch tuesday new

Philip Odjidja

Vulnerability Engineer

Microsoft 

Microsoft patched 200 CVEs in its June 2026 Patch Tuesday release, with 33 rated critical, 3 publicly disclosed zero-day vulnerabilities and 166 rated as important. This Patch Tuesday release is the largest release since the Patch Tuesday program began, smashing the previous record of 167 CVEs in the October 2025 Patch Tuesday release.

Zero-day vulnerabilities

Microsoft fixed three publicly disclosed zero-day vulnerabilities. None were reported as actively exploited in the wild at the time of patch release, but all had been publicly disclosed before patches were available

CVE-2026-50507 is a security feature bypass vulnerability in Windows BitLocker that has been assigned a CVSS v3 score of 6.8 and is rated Important. The vulnerability was publicly disclosed before a security update was available and is classified by Microsoft as “Exploitation More Likely” under its Exploitability Index.

According to Microsoft, an attacker with physical access to a vulnerable system could bypass BitLocker Device Encryption and gain access to encrypted data stored on the device.

CVE-2026-45586 is an Elevation of Privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON), a process that supports voice and handwriting recognition. It was assigned a CVSSv3 score of 7.8 and rated as important. Successful exploitation would grant an attacker SYSTEM privileges and Microsoft have assessed this vulnerability as “Exploitation More Likely.”

CVE-2026-49160 is a denial-of-service (DoS) vulnerability in HTTP.sys that has been assigned a CVSS v3 score of 7.5 and is rated Important. The vulnerability was publicly disclosed before a security update was available and is classified by Microsoft as “Exploitation More Likely” under its Exploitability Index.

According to Microsoft's advisory, the vulnerability affects HTTP/2 and could allow a remote attacker to trigger a denial-of-service condition. To help mitigate the risk, Microsoft introduced a new MaxHeadersCount registry setting that enables administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests. The vulnerability, dubbed “HTTP/2 Bomb,” was reported by researchers at Calif, who also published a technical analysis and proof-of-concept demonstrating how the flaw can be used to test affected web servers.

Critical

CVE‑2026‑44815 is a Critical Remote Code Execution (RCE) vulnerability in the Windows DHCP Client. Microsoft assigned this vulnerability a Critical (CVSS 9.8) severity rating due to the potential for unauthenticated remote code execution on affected systems. The flaw exists in how the DHCP Client processes specially crafted DHCP responses. An attacker on the same network segment could send malicious DHCP packets that trigger memory corruption, allowing arbitrary code execution in the context of the DHCP Client service.

CVE-2026-47291 is a critical remote code execution vulnerability in Windows HTTP.sys with a CVSS v3.1 score of 9.8. Microsoft has rated the vulnerability as “Exploitation More Likely.” An unauthenticated attacker could exploit the flaw by sending specially crafted HTTP requests, potentially achieving remote code execution on vulnerable systems.

CVE-2026-26142 is a critical remote code execution vulnerability in Nuance PowerScribe with a CVSS v3.1 score of 9.8. Although Microsoft rates it as “Exploitation Less Likely,” successful exploitation could allow an unauthenticated attacker to execute arbitrary code remotely.

CVE-2026-45657 is a critical Windows kernel vulnerability that allows remote code execution (RCE) via specially crafted network traffic. It is rated 9.8 (Critical) because an attacker does not need authentication or user interaction, and successful exploitation can give full system-level control.

Important

CVE‑2026‑41091 is a High‑severity (CVSS 7.8). An unprivileged attacker could exploit this vulnerability by writing a specially crafted file to a privileged location. Successful exploitation would result in Microsoft Defender writing the file back to the privileged location, gaining privileges as SYSTEM. Microsoft Defender privilege‑escalation vulnerability that is actively exploited in the wild, as confirmed by its inclusion in CISA’s Known Exploited Vulnerabilities catalogue.

CVE-2026-45585 is a security feature bypass vulnerability affecting Windows BitLocker. The flaw has a CVSS v3 score of 6.8 and is rated Important by Microsoft. It has been dubbed YellowKey by the researcher who discovered it, known online as Chaotic Eclipse (also referred to as Nightmare Eclipse).A proof-of-concept (PoC) exploit was publicly released on May 13, leading Microsoft to publish the associated advisory and assign a CVE identifier on May 19, along with recommended mitigation measures.

While successful exploitation requires physical access to the target device, Microsoft has assessed vulnerability as having a higher likelihood of exploitation and classified it as "Exploitation More Likely."

Recent updates from other Vendors

Adobe released security updates for Experience Manager, InDesign, InCopy, Substance 3D Sampler, Dreamweaver, Reader, ColdFusion, and more.

Cisco issued multiple security advisories for numerous products, including a Unified CM flaw with a PoC exploit and an SD-WAN zero-day exploited in attacks. The two most notable advisories were CVE-2026-20230 and CVE-2026-20245

Fortinet has issued security updates addressing multiple vulnerabilities in FortiOS, FortiSandbox, and FortiProxy.

Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry, with none exploited in the wild.

SAP released 15 new security notes covering multiple enterprise products, including NetWeaver, S/4HANA, Commerce Cloud, Fiori, and BusinessObjects.

Veeam released security updates for the June 2026 patch cycle.  A critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.

Check Point released security updates for a Remote Access VPN and Mobile Access flaw that was exploited in Qilin ransomware attacks.

A PAN (Palo Alto Networks) security update is a vendor patch for PAN-OS that fixes vulnerabilities to protect firewalls from attacks and unauthorized access. The two most notable advisories were CVE-2026-0300 and CVE-2026-0257

Google updates  mainly focus on patching actively exploited zero-days and high-severity security flaws across Android and Chrome.

As always, users are strongly advised to install the latest security updates as soon as they become available to ensure your systems remain protected against known vulnerabilities and potential cyber threats. Applying updates promptly helps reduce the risk of exploitation, improves overall system stability, and ensures continued protection against emerging security risks.