BLOG
June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
CRITICAL Microsoft Patch Tuesday RCE Remote Desktop
Strategic summary
In June 2026, Microsoft addressed 206 vulnerabilities, including three publicly disclosed zero-days and 37 critical flaws. Two of these zero-days are an elevation of privilege in Windows CTFMON (CVE-2026-45586) and a BitLocker security feature bypass (CVE-2026-50507). Both were publicly disclosed, and Microsoft assesses exploitation as more likely. The most common risk categories are elevation of privilege (32%) and remote code execution (27%).
Key findings
- Microsoft patched a total of 206 vulnerabilities in June 2026, including three publicly disclosed zero-days and 37 critical flaws.
- Zero-day CVE-2026-45586 allows local elevation of privilege in the Windows CTFMON service and is rated Important with CVSS 7.8.
- CVE-2026-50507 enables BitLocker encryption bypass with physical access, rated Important with CVSS 6.8, and a proof-of-concept exists.
- Neither zero-day is currently exploited in the wild, but Microsoft considers exploitation more likely for both.
- The most common vulnerability types are elevation of privilege (65 patches) and remote code execution (55 patches).
Relevance for you
Monthly Patch Tuesday report with broad vulnerability coverage; strategically not novel , priority is timely patching of critical RCEs in Remote Desktop Client.
Risk score
70
- cvss base
- 45.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 60.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
- consensus penalty
- -3.00
Path: operational
Consensus check
The pipeline self-checks before delivery. These rules lowered the score:
-
TTP_SKIPPEDTTP mapping skipped (placeholder or aggregation article) −3
- Consensus penalty:
- −3.0
- Total penalty:
- −3.0