
Microsoft’s June 2026 Patch Tuesday is the largest release since the Patch Tuesday program began, surpassing the previous record of 167 CVEs set in October 2025. This month’s release addresses 206 vulnerabilities, including 33 critical and 167 important-severity vulnerabilities. Microsoft has also addressed three publicly disclosed zero-day vulnerabilities.
The Nightmare Eclipse Arc — A Researcher’s War with Microsoft
The single most defining storyline of this Patch Tuesday is not any one CVE — it’s the sustained zero-day campaign by a researcher known as Nightmare Eclipse (also Chaotic Eclipse). CVE-2026-41091 is the RedSun zero-day disclosed by Nightmare Eclipse on April 15, 2026. The same researcher has also published GreenPlasma, MiniPlasma, BlueHammer (CVE-2026-33825), and collaborated on Bitskrieg (CVE-2026-50507). This cycle patches multiple entries from that series in a single release — an unusual concentration of researcher-originated zero-days that reflects a breakdown in the bug bounty relationship between this researcher and Microsoft.
CVE-2026-41091 — Microsoft Defender EoP (RedSun) | CVSS 7.8 | Actively Exploited
This is the most operationally urgent CVE in the June release. Microsoft classifies it as improper link resolution before file access (link following). An unprivileged attacker stages a specially crafted file in a location they control, and when Microsoft Defender’s Malware Protection Engine processes that file during its scan cycle it writes the file back, following the attacker’s link into a privileged location. Because the engine runs as SYSTEM, the write lands with SYSTEM permissions and the attacker’s effective privileges rise to SYSTEM. The weapon is Defender’s own file-handling behaviour, which is why the fix ships as an engine and platform update rather than as part of the cumulative OS patch.
Microsoft credited several independent parties for CVE-2026-41091. Independent parallel discovery of a flaw that is already under attack usually means it was not hard to find and that more than one actor may hold a working exploit, so exploitation should be assumed to be broader than a single isolated campaign.
A companion Defender vulnerability, CVE-2026-45498 (CVSS 4.0), can force a denial-of-service condition that disables Defender entirely and is also being exploited in the wild. Both have been added to the CISA KEV catalog. Both are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7 (the 1.1.x build number is the engine, the 4.18.x build number is the platform). On endpoints where Defender updates are blocked, deferred, or delivered through an isolated distribution path, verify the engine and platform versions manually rather than assuming the update landed. The CVSS 4.0 on the DoS understates its operational impact: a Defender that has been knocked out is the precursor to whatever the attacker runs next.
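The version check described above, as an added example that is not part of the original advisory or of Microsoft’s tooling. It uses the real Defender cmdlet Get-MpComputerStatus and its AMEngineVersion and AMProductVersion fields, and compares them with the fixed builds quoted in the text; the function name Test-DefenderFixed is my own.

```powershell
# Added example (not from the advisory or from Microsoft): compare a host's
# Defender engine and platform builds with the fixed builds named in the text.
function Test-DefenderFixed {
    param(
        [version]$FixedEngine   = '1.1.26040.8',   # Malware Protection Engine build from the text
        [version]$FixedPlatform = '4.18.26040.7'   # Antimalware Platform build from the text
    )

    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion is the Malware Protection Engine (1.1.x);
    # AMProductVersion is the Antimalware Platform (4.18.x).
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        EngineFixed     = ($engine -ge $FixedEngine)
        PlatformVersion = $platform
        PlatformFixed   = ($platform -ge $FixedPlatform)
        ServiceRunning  = $status.AMServiceEnabled
        RealTimeOn      = $status.RealTimeProtectionEnabled
        LastUpdate      = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-DefenderFixed
$result | Format-List

if (-not $result.ServiceRunning) {
    # CVE-2026-45498 is a DoS that disables Defender, so a stopped service on a
    # host that should be running it is itself a finding, not just a config drift.
    Write-Warning 'Defender service is not running; confirm this is expected before treating the host as protected.'
}

if (-not ($result.EngineFixed -and $result.PlatformFixed)) {
    Write-Warning 'Engine or platform is below the fixed build; CVE-2026-41091 is still reachable on this host.'
    # Engine builds ship through the definition-update channel, so forcing a
    # definition refresh can pull the engine forward. Platform builds ship via
    # Windows Update (KB4052623) and are not fetched by this cmdlet.
    Update-MpSignature
}
```

Run it across a fleet with Invoke-Command and collect the objects; hosts where EngineFixed or PlatformFixed is false are the ones where the "auto-update is blocked" caveat above applies. Note that a host managed by a third-party AV may report stale Defender builds while Defender sits in passive mode, so read ServiceRunning and RealTimeOn alongside the version fields.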
Zero-Days — Deeper Technical Context
CVE-2026-45586 — CTFMON EoP (GreenPlasma)
This is a link-following vulnerability in the Windows Collaborative Translation Framework allowing an authorized attacker to elevate locally to SYSTEM. GreenPlasma was originally disclosed by Nightmare Eclipse and enables a shell with SYSTEM permissions via symlink abuse in the CTFMON subsystem. CTFMON is the Windows component that manages text input services, language bars, and IME — it runs in the background on virtually every Windows desktop, making the attack surface broad.
CVE-2026-49160 — HTTP.sys DoS (HTTP/2 Bomb)
The HTTP/2 Bomb abuses the header compression and flow-control mechanism built into HTTP/2. An attacker sends a tiny, highly compressed payload that forces the server to allocate disproportionately large amounts of memory to decompress headers. By simultaneously manipulating HTTP/2 flow-control settings, the attacker prevents the server from freeing memory, causing sustained memory exhaustion and potential service outage. Microsoft has introduced a new MaxHeadersCount registry setting as a mitigation control alongside the patch. Organisations running IIS or any Windows-hosted HTTP/2 server should validate the registry setting is configured even after patching, as it adds a defence-in-depth layer.
CVE-2026-50507 — BitLocker Bypass (Bitskrieg)
A protection mechanism failure in BitLocker that requires physical access. An attacker with the device in hand can bypass full-disk encryption without a valid recovery key. This is most dangerous in lost-device and insider scenarios where BitLocker is treated as the last control: once it is bypassed, every byte on the volume is readable. The Bitskrieg name appears both in community reporting and in Nightmare Eclipse’s disclosure history, consistent with the collaboration noted above and with a coordinated proof-of-concept release, so assume a public PoC exists when prioritising.
Critical RCE — Component-by-Component
Remote Desktop Client — 11 CVEs, 7 Critical
Among the seven critical entries, CVE-2026-42985, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289 and CVE-2026-48563 are heap-based buffer overflows in the Windows Remote Desktop Client. Exploitation requires the attacker to control a malicious Remote Desktop Server and wait for a victim to connect: a classic malicious-server RDP trap. The attacker never initiates anything; the victim’s client connecting to the attacker’s server is sufficient to trigger the overflow and execute code on the connecting machine. In practice that means a lured connection (a phishing link or mailed .rdp file) or a compromised jump host that clients already trust. CVE-2026-42985 is explicitly flagged by Microsoft as exploitation “more likely”.
Windows Hyper-V — VM Guest Escape, 3 Critical
CVE-2026-45607, CVE-2026-45641, and CVE-2026-47652 are critical RCEs in Windows Hyper-V arising from out-of-bounds reads. An authenticated attacker operating within a guest VM sends specially crafted file operation requests targeting hardware resources within the VM, which triggers code execution on the host server — a full guest-to-host escape. This class of vulnerability is consistently high-value for threat actors targeting cloud providers and enterprise hypervisor infrastructure where VM isolation is a foundational security assumption.
Windows Kernel — CVE-2026-45657 (CVSS 9.8)
This use-after-free in the Windows Kernel lets a remote, unauthenticated attacker execute code at SYSTEM level with no user interaction. The trigger is specially crafted network traffic that reaches a flaw in how the kernel processes certain TCP/IP data. A CVSS 9.8 kernel bug with no authentication and no user interaction is the textbook profile of a wormable flaw. Prioritise it accordingly, starting with any Windows host that is reachable from an untrusted network.
HTTP.sys RCE — CVE-2026-47291 (CVSS 9.8)
An integer overflow or wraparound in the Windows HTTP Protocol Stack (http.sys) can be exploited by an unauthenticated attacker who sends a specially crafted packet to a server that uses http.sys to process requests. Systems running with the default MaxRequestBytes registry value are not affected, so the pre-condition is a non-default value. Microsoft rates this “Exploitation More Likely” and the bulletin includes both manual instructions and a PowerShell script for interim mitigation. Any internet-facing Windows IIS server with a non-default MaxRequestBytes is at critical risk, and the same driver serves other listeners such as WinRM and .NET HttpListener applications, so the exposure is not limited to IIS.
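A check covering both http.sys items above (the MaxHeadersCount cap for CVE-2026-49160 and the MaxRequestBytes pre-condition for CVE-2026-47291), as an added example that is not part of the original advisory or of Microsoft’s mitigation script. The key path is the real location of HTTP.sys parameters and 16384 is the real default for MaxRequestBytes; it is an assumption here that MaxHeadersCount lives in the same key, and the page does not state its recommended value, so the script only reports whether it is set.

```powershell
# Added example (not from the advisory): report the http.sys settings the text
# ties to the two http.sys CVEs on this host.
function Get-HttpSysExposure {
    # Real location of HTTP.sys tunables such as MaxRequestBytes and MaxFieldLength.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    # Real default: used when the value is absent from the registry.
    $defaultMaxRequestBytes = 16384

    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $maxRequestBytes = $params.MaxRequestBytes
    # Assumption: the new MaxHeadersCount value is stored alongside the other
    # HTTP.sys parameters in the same key.
    $maxHeadersCount = $params.MaxHeadersCount

    # The settings only matter if the driver is actually loaded; IIS, WinRM and
    # HttpListener-based services all bind through the HTTP service.
    $httpService = Get-Service -Name HTTP -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        HttpSysRunning         = ($null -ne $httpService -and $httpService.Status -eq 'Running')
        MaxRequestBytes        = if ($null -eq $maxRequestBytes) { "$defaultMaxRequestBytes (default, value absent)" } else { $maxRequestBytes }
        MaxRequestBytesDefault = ($null -eq $maxRequestBytes -or $maxRequestBytes -eq $defaultMaxRequestBytes)
        MaxHeadersCountSet     = ($null -ne $maxHeadersCount)
        MaxHeadersCount        = $maxHeadersCount
    }
}

$exposure = Get-HttpSysExposure
$exposure | Format-List

if ($exposure.HttpSysRunning -and -not $exposure.MaxRequestBytesDefault) {
    Write-Warning 'MaxRequestBytes is non-default: the CVE-2026-47291 pre-condition holds until the June update is installed.'
}
if ($exposure.HttpSysRunning -and -not $exposure.MaxHeadersCountSet) {
    Write-Warning 'MaxHeadersCount is not configured: the HTTP/2 header cap from the CVE-2026-49160 bulletin is not in force.'
}
```

Changes to this key are only read when the HTTP service starts, so after setting or correcting a value the host needs `net stop http` and a restart of the dependent services, or a reboot, before a re-run of the check reflects the live configuration.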
DHCP Client — CVE-2026-44815 (CVSS 9.8)
A stack-based buffer overflow in the Windows DHCP Client allows an authenticated attacker to execute code over the network by sending specially crafted traffic to a system configured as a DHCP server. Enterprise DHCP servers are trusted infrastructure that every joining host talks to, so a foothold gained through this path is a strong position for persistent lateral movement across network segments.
Windows Graphics — CVE-2026-44803 & CVE-2026-44812
Both are critical RCEs in the Windows Win32K GRFX graphics subsystem due to integer overflow or wraparound, allowing an unauthorized attacker to execute malicious code locally. Graphics component vulnerabilities have historically been weaponised via malicious documents and web content rendering.
Windows Active Directory Domain Services — CVE-2026-45648
A critical RCE in Active Directory Domain Services due to a stack-based buffer overflow. An authorized attacker who exploits this vulnerability can execute malicious code over a network. AD RCEs are Tier 0 risks — every identity and access control decision in the enterprise flows through AD, making any foothold on a domain controller catastrophic.
Windows Deployment Services — CVE-2026-42987
A use-after-free flaw in Windows Deployment Services allows an unauthorized attacker to execute malicious code over a network. WDS is frequently overlooked in vulnerability prioritisation despite being used to provision OS images across enterprise networks — compromise here means attacker reach into every freshly imaged endpoint.
Microsoft Outlook/Word Preview Pane — Type Confusion RCE
CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 are critical RCEs caused by type confusion in Microsoft Office. The attack vector is the Outlook Classic preview pane — email rendering in Outlook Classic uses Microsoft Word functionality, and the vulnerability exists in that rendering pipeline. A victim merely previewing a malicious email without opening it is sufficient for exploitation. Zero-click in the preview pane is among the most impactful delivery vectors possible in enterprise environments.
Windows Media — CVE-2026-48574
A critical heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute malicious code locally. Typically exploitable via malicious media file delivery through email or web.
Cloud & AI Infrastructure — Emerging Attack Surface
Azure Kubernetes Service — CVE-2026-32193 (Container Escape)
A path traversal vulnerability in AKS allows an attacker running an untrusted container configured with host network access to send specially crafted requests to a host-level service not intended for unauthenticated access, breaking out of the container and gaining control of the AKS worker node. In Kubernetes environments, node compromise typically means access to all pod secrets, service account tokens, and cloud metadata endpoints on that node — an effective blast radius far exceeding the initial container.
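An inventory check for the pre-condition named above (a container running with host network access), as an added example that is not part of Microsoft’s advisory. The pod JSON is a constructed sample so the function can be exercised offline; in a real cluster the input is the output of `kubectl get pods -A -o json`. The function name Find-HostNetworkPods is my own.

```powershell
# Added example (not from the advisory): list pods running with hostNetwork: true
# so each can be judged as a trusted platform daemon or an untrusted tenant
# workload that satisfies the CVE-2026-32193 pre-condition.
function Find-HostNetworkPods {
    param([Parameter(Mandatory)][string]$PodListJson)

    $list = $PodListJson | ConvertFrom-Json
    foreach ($pod in $list.items) {
        # hostNetwork is absent (null) on ordinary pods, so compare against $true.
        if ($pod.spec.hostNetwork -eq $true) {
            [pscustomobject]@{
                Namespace       = $pod.metadata.namespace
                Pod             = $pod.metadata.name
                Node            = $pod.spec.nodeName
                ServiceAccount  = $pod.spec.serviceAccountName
                # kube-system is where AKS platform daemons live; host networking
                # anywhere else deserves a second look.
                SystemNamespace = ($pod.metadata.namespace -eq 'kube-system')
            }
        }
    }
}

# Constructed sample input: one platform daemon and one tenant pod, both
# host-networked, plus an ordinary pod that must not be reported.
$sample = @'
{
  "items": [
    { "metadata": { "namespace": "kube-system", "name": "azure-cns-abc12" },
      "spec": { "hostNetwork": true, "nodeName": "aks-nodepool1-0", "serviceAccountName": "azure-cns" } },
    { "metadata": { "namespace": "tenant-a", "name": "debug-shell" },
      "spec": { "hostNetwork": true, "nodeName": "aks-nodepool1-1", "serviceAccountName": "default" } },
    { "metadata": { "namespace": "tenant-b", "name": "web-7f9" },
      "spec": { "hostNetwork": false, "nodeName": "aks-nodepool1-1", "serviceAccountName": "web" } }
  ]
}
'@

Find-HostNetworkPods -PodListJson $sample | Format-Table -AutoSize

# Against a live cluster:
# Find-HostNetworkPods -PodListJson (kubectl get pods -A -o json | Out-String)
```

Any row with SystemNamespace false is a tenant workload that already has the network position the flaw needs. Beyond patching the node pool, the durable fix is to deny hostNetwork in tenant namespaces with Pod Security Admission (the baseline profile forbids it) or an equivalent Azure Policy, so the pre-condition cannot reappear.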
Azure Network Adapter — CVE-2026-45476 (Linux MANA Driver EoP)
A use-after-free in the Linux MANA Driver gives an attacker who has control of the host environment the ability to trigger a memory mishandling flaw in the guest driver, reading sensitive information from the guest and potentially using that access to gain higher privileges within the guest system. Remediation requires updating the Linux kernel to a version incorporating the upstream fix. Organisations using custom kernels or older kernel branches may need to manually backport the patch.
M365 Copilot — CVE-2026-42824 (Command Injection)
A command injection vulnerability in M365 Copilot due to improper neutralization of special elements used in a command, allowing an unauthorized attacker to execute code over a network. This is a server-side injection in the AI assistant layer, a class of vulnerability that was largely theoretical two years ago and is now appearing in production Patch Tuesday advisories.
Copilot Chat / Microsoft Edge — CVE-2026-47644 (Injection / Information Disclosure)
An injection vulnerability in Copilot Chat for Microsoft Edge allows an unauthorized attacker to disclose information over a network. The flaw is specific to the Copilot Chat integration within Microsoft Edge on Windows. In regulated industries like healthcare or law, information disclosure through an AI-integrated browser component carries material compliance exposure.
Microsoft Graph — CVE-2026-47655 (Information Disclosure)
A critical information disclosure vulnerability in Microsoft Graph allows an authorized attacker to expose sensitive information to an unauthorized actor over a network. Microsoft Graph is the API backbone for the entire M365 ecosystem — exposure here can mean visibility into calendars, emails, Teams messages, SharePoint data, and identity information at scale.
Windows Cryptographic Services — CVE-2026-44810 (Improper Authentication EoP)
An improper authentication flaw in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally. Exploitation requires an attacker to first log on to the system, then run a specially crafted application, or convince a local user to open a malicious file — after which SYSTEM privileges are obtained. This is a social engineering-assisted local privilege escalation path directly through the cryptographic subsystem.
Elevation of Privilege — The Attack Chain Multiplier
With 65 EoP vulnerabilities, this cycle reinforces a pattern that has defined 2026 threat actor behaviour: initial access via RCE, then EoP to SYSTEM or domain admin. Key EoP-heavy components include Windows DWM Core Library (11 CVEs), Windows Ancillary Function Driver for WinSock (7 CVEs), Windows Push Notifications (4 CVEs), and the Windows Kernel. None of these should be treated as standalone low-priority patches — they are the second stage of every successful attack chain this month.