Skip to content
Auto-CTI
Back to all deep dives
BLOG

June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days

CRITICAL Microsoft Patch Tuesday RCE Remote Desktop

Strategic summary

In June 2026, Microsoft addressed 206 vulnerabilities, including three publicly disclosed zero-days and 37 critical flaws. Two of these zero-days are an elevation of privilege in Windows CTFMON (CVE-2026-45586) and a BitLocker security feature bypass (CVE-2026-50507). Both were publicly disclosed, and Microsoft assesses exploitation as more likely. The most common risk categories are elevation of privilege (32%) and remote code execution (27%).

Key findings

  • Microsoft patched a total of 206 vulnerabilities in June 2026, including three publicly disclosed zero-days and 37 critical flaws.
  • Zero-day CVE-2026-45586 allows local elevation of privilege in the Windows CTFMON service and is rated Important with CVSS 7.8.
  • CVE-2026-50507 enables BitLocker encryption bypass with physical access, rated Important with CVSS 6.8, and a proof-of-concept exists.
  • Neither zero-day is currently exploited in the wild, but Microsoft considers exploitation more likely for both.
  • The most common vulnerability types are elevation of privilege (65 patches) and remote code execution (55 patches).

Relevance for you

Monthly Patch Tuesday report with broad vulnerability coverage; strategically not novel , priority is timely patching of critical RCEs in Remote Desktop Client.

Risk score

70
cvss base
45.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
60.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00
consensus penalty
-3.00

Path: operational

Consensus check

The pipeline self-checks before delivery. These rules lowered the score:

  • TTP_SKIPPED TTP mapping skipped (placeholder or aggregation article) −3
Consensus penalty:
−3.0
Total penalty:
−3.0
ESC