In a significant move during June’s Patch Tuesday, Microsoft has addressed a staggering 206 vulnerabilities, marking a new record for the company. This surpasses the previous high of 175 vulnerabilities patched in October 2025. The updates span across various Microsoft products, including Windows, Office, Exchange Server, and cloud services, reflecting the company’s ongoing commitment to security.
Windows Security Vulnerabilities
Among the vulnerabilities patched, 118 are associated with different versions of Windows, including Windows 10, Windows 11, and Windows Server. This extensive update aims to fortify the operating system against potential threats.
Windows Defender Under Fire
Notably, one vulnerability, classified as CVE-2026-41091, poses an immediate risk as it is actively being exploited. This Elevation of Privilege (EoP) vulnerability in Microsoft Defender allows attackers to gain system-level privileges. Microsoft has responded by updating the Malware Protection Engine, which now has a version number of at least 1.1.26040.8. Users can verify their engine version through the Windows Security settings on their devices.
Secure Boot Vulnerabilities
June also marks the expiration of old Secure Boot certificates, prompting essential updates. Microsoft has addressed ten vulnerabilities within the Security Feature Bypass (SFB) category, which could allow malicious code to execute during system startup, prior to the activation of security measures.
Critical Windows Vulnerabilities
Among the 118 vulnerabilities in Windows, 19 are classified as critical Remote Code Execution (RCE) vulnerabilities. For instance, CVE-2026-47288 in the Windows kernel allows attackers to execute injected code with system privileges without authentication. Another concerning vulnerability, CVE-2026-47291, affects the HTTP service, enabling code injection without authentication under specific conditions.
Microsoft Office Vulnerabilities
In the realm of Microsoft Office, the company has patched 54 vulnerabilities, doubling the number from May. This includes 25 RCE vulnerabilities, with nine deemed critical. Notably, the preview pane in Office can serve as an attack vector, allowing exploitation without the need for users to open malicious files.
Microsoft Hyper-V Sandbox Escapes
Critical RCE vulnerabilities such as CVE-2026-45607 and CVE-2026-45641 could permit malicious code to escape from guest systems, posing a risk to host systems.
Microsoft Exchange Server MITM Attacks
Microsoft has also addressed eight vulnerabilities in Exchange Server, including CVE-2026-45583, which can be exploited in a man-in-the-middle (MITM) scenario. Additionally, a critical data leak vulnerability, CVE-2026-48579, has been patched, which could allow attackers to execute code within an administrator’s web session.
Microsoft Edge Zero-Day Vulnerability
The recent security update for Edge, version 149.0.4022.62, addresses 74 Chromium vulnerabilities, including a zero-day vulnerability in the Chromium base (CVE-2026-11645). This highlights the importance of keeping all software components up to date to mitigate security risks.
Tip: To maintain security and privacy, it is essential to keep Windows updated and utilize robust antivirus protections. Consider exploring the best antivirus software and VPN services available.
