Yesterday, on Patch Tuesday for June, Microsoft released security updates to address 206 vulnerabilities. Microsoft classifies a total of 38 vulnerabilities as critical, while the remainder are all designated as high risk. One of the vulnerabilities is already being exploited in the wild. In addition to Windows and Office, both Exchange Server and Microsoft’s cloud services are also affected. This is a new record, breaking the previous record of 175 in October 2025.

The next Patch Tuesday is scheduled for July 14th, 2026.

A large number of the vulnerabilities, 118 this time around, are spread across the various Windows versions (10, 11, Server) for which Microsoft still officially provides security updates.

The only security vulnerability in this massive patch package that’s actively being exploited in the wild is the Elevation of Privilege (EoP) vulnerability CVE-2026-41091 in Microsoft Defender. An attacker can use it to gain system privileges, and the fact that Microsoft thanks various individuals for reporting this vulnerability suggests that these attacks may already be quite widespread.

Microsoft has replaced the vulnerable Malware Protection Engine via the daily automatic Defender updates. The patched engine has a version number of at least 1.1.26040.8.

To check whether your PC already has this engine version in Windows 11, go to Settings → Privacy & security → Windows Security → [Open Windows Security] → Settings → About. In Windows 10, start by going to Settings → Update & Security → [Open Windows Security] and then follow the same steps as for Windows 11.
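The same check can be scripted for one machine or a list of hosts. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the Defender PowerShell module (`Get-MpComputerStatus`) is available, and the function name `Test-DefenderEngineVersion` is hypothetical. The minimum version is the one stated above.

```powershell
# Minimum patched Malware Protection Engine version, as stated in the article.
$MinEngine = [version]'1.1.26040.8'

function Test-DefenderEngineVersion {
    # Hypothetical helper: checks the local machine or remote hosts via CIM.
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$Minimum = $MinEngine
    )
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $isLocal = $name -in @($env:COMPUTERNAME, 'localhost', '.')
            if ($isLocal) {
                $status = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            # Compare as [version] so 1.1.26040.10 sorts above 1.1.26040.8.
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $engine
                Patched       = ($engine -ge $Minimum)
                SignaturesAt  = $status.AntivirusSignatureLastUpdated
                Error         = $null
            }
        } catch {
            # Defender absent, service stopped, or host unreachable:
            # report the failure instead of assuming the host is patched.
            [pscustomobject]@{
                ComputerName  = $name
                EngineVersion = $null
                Patched       = $false
                SignaturesAt  = $null
                Error         = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

Test-DefenderEngineVersion | Format-Table -AutoSize
```

Hosts that report `Patched = False` with an old signature timestamp are usually not receiving the daily Defender updates at all, which is worth investigating separately from this one CVE.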

June is an important month for Windows because it’s the month when old Secure Boot certificates expire, which entails all kinds of non-trivial patch work. Microsoft is also addressing 10 security vulnerabilities in the Security Feature Bypass (SFB) category, which were discovered and reported by independent researchers. Anyone able to exploit one of these could load malicious code as soon as the system starts up, before the appropriate security measures can catch it.

Among the 118 vulnerabilities in Windows fixed this month, 19 are Remote Code Execution (RCE) vulnerabilities classified as critical. CVE-2026-47288 in the Windows kernel is especially problematic, as an attacker can remotely execute injected code with system privileges without authentication.

There’s also CVE-2026-47291 in the HTTP service (http.sys), where an attacker can inject and execute code without needing to authenticate. The Denial of Service (DoS) vulnerability CVE-2026-49160 in http.sys was already publicly known beforehand. However, if a default value for MaxRequestBytes is set in the Windows registry, the system is not vulnerable. Microsoft describes how to achieve this if necessary in the security bulletin for this vulnerability, including a PowerShell script.

There’s also CVE-2026-44815 in the DHCP Client service, which runs on all PCs, making it an attractive target for any attacker. Here, too, an attacker can inject and execute code without having to authenticate.

There’s also CVE-2026-45585 and CVE-2026-50507, which target the “YellowKey” and “GreenPlasma” security flaws in BitLocker, which were disclosed by notorious security researcher Nightmare Eclipse. Microsoft patched the former in May, but revised the relevant bulletin in June.

Microsoft has fixed 54 vulnerabilities in its Office products, twice as many as in May. These include 25 RCE vulnerabilities, nine of which are classified as critical. In these cases, the preview pane itself is an attack vector: a user does not need to actually open a malicious file in Office to enable a successful attack. The remaining RCE vulnerabilities can be exploited if a user opens a malicious file in a vulnerable Office product.

Exploitation of the critical RCE vulnerabilities CVE-2026-45607, CVE-2026-45641, and CVE-2026-47652 could allow malicious code to escape from a guest system and execute code on the host system.

Microsoft has fixed eight vulnerabilities in Exchange Server. These include CVE-2026-45583, an RCE vulnerability that can only be exploited in a MITM (man-in-the-middle) scenario.

Only the data leak CVE-2026-48579 in Exchange Online is classified as critical, and Microsoft has already patched it. An attacker could exploit CVE-2026-48579 by tricking an Exchange administrator into opening a malicious link, which would allow them to execute code within the administrator’s web session using the administrator’s privileges.

The most recent security patch to Edge 149.0.4022.62 is dated June 9th and is based on Chromium 149.0.7827.103. It also addresses 74 Chromium vulnerabilities, which are not included in the total number of vulnerabilities mentioned above, nor are the over 400 Chromium vulnerabilities from the previous week. A zero-day vulnerability in the Chromium base (CVE-2026-11645) is also addressed.


This article originally appeared on our sister publication PC-WELT and was translated and localized from German.

Frank Ziemann has been working as a freelance author for sister site PC-WELT since 2005, writing news and test reports. His main topics are IT security (malware, antivirus, security gaps) and Internet technology.