Microsoft’s June 2026 Patch Tuesday, released on June 9, delivers a staggering 206 security updates across a wide range of products, marking one of the largest update cycles in recent years. The patches address vulnerabilities in Windows, Office, Exchange Server, and various developer tools, with three publicly disclosed Windows flaws taking center stage. Those zero-days affect core components—CTF (the MSCTF subsystem that manages text services), the HTTP.sys kernel-mode driver, and BitLocker encryption—and could allow attackers to escalate privileges, execute remote code, or bypass security features.

The sheer volume of fixes this month reflects an industry-wide push to close gaps before they are exploited. Of the 206 CVEs, 35 are rated Critical, 170 are Important, and one is Moderate. The Critical class includes vulnerabilities that could lead to remote code execution without user interaction, primarily impacting Windows networking stack, the Remote Desktop Client, and several Remote Procedure Call (RPC) endpoints. With so many attack vectors patched, administrators have a daunting patching prioritization task ahead.

Publicly Disclosed Zero-Days Demand Immediate Attention

Three vulnerabilities disclosed before the patch release underscore the urgency of this month’s updates. Although none have been observed under active attack yet, their public disclosure raises the risk of exploit development significantly.

CVE-2026-3016 – CTF Elevation of Privilege

The MSCTF (Microsoft Collaborative Translation Framework) subsystem, better known as the Text Services Framework, harbored a logic flaw that could let an authenticated local attacker gain SYSTEM privileges. CTF is deeply embedded in the Windows GUI and has been a recurrent target; a well-crafted malformed message to a CTF server could trigger the elevation. Because CTF is present on all modern Windows versions, from Windows 10 to the latest Windows 11 24H2 and Windows Server 2025, the attack surface is enormous. No user interaction is required, making any low-privilege process a potential launchpad.

CVE-2026-3037 – HTTP.sys Remote Code Execution

HTTP.sys, the kernel-mode driver that powers the IIS web server and the Windows HTTP stack, contained a critical use-after-free vulnerability. An attacker could send a specially crafted HTTP request to a target system and achieve remote code execution in kernel context. The vulnerability is wormable on Windows Server editions running IIS, meaning it could spread automatically between servers without user interaction. Microsoft has assigned it a CVSS score of 9.8, urging immediate patching for all internet-facing Windows systems. Workarounds include limiting HTTP request sizes via registry settings, but patching is the only reliable mitigation.

CVE-2026-3049 – BitLocker Security Feature Bypass

A flaw in BitLocker’s recovery key mechanism could allow an attacker with physical access to bypass encryption on a locked device. By manipulating the pre-boot authentication environment, an attacker could extract the Volume Master Key without knowing the PIN or recovery key. While this requires physical access, it renders BitLocker’s core protection ineffective on unpatched machines. The update addresses the cryptographic implementation flaw in the Windows boot manager, and Microsoft recommends that all users with BitLocker-enabled drives apply the patch immediately, especially for portable devices like laptops.

Critical RCE and Elevation of Privilege Flaws Across Windows Components

Beyond the zero-days, June’s release fixed a raft of other Critical and Important vulnerabilities. Several stand out for their widespread impact.

Remote Desktop Client RCE (CVE-2026-3055)

A remote code execution bug exists in the Remote Desktop Client (Mstsc.exe). An attacker could convince a user to connect to a malicious RDP server, leading to code execution on the client machine. The vulnerability affects all supported Windows versions, including Windows 10 21H2, Windows 11 23H2 and 24H2, and Windows Server 2022. With remote work still prevalent, this vector is particularly dangerous; social engineering a user into connecting to a compromised RDP server is a common attack pattern.

Windows Print Spooler Elevation of Privilege (CVE-2026-3063)

The much-maligned Print Spooler service returns with yet another elevation of privilege flaw. An authenticated attacker could craft a malicious RpcAddPrinterDriverEx call to load a malicious driver in the spooler process, gaining SYSTEM rights. While PrintNightmare-type vulnerabilities have been addressed repeatedly, this new variant bypasses previous fixes. Microsoft recommends disabling the Print Spooler on domain controllers and systems that do not require printing, but for many enterprises, patching is the only viable path.

LDAP Remote Code Execution (CVE-2026-3080)

A critical vulnerability in the Lightweight Directory Access Protocol implementation allows an unauthenticated attacker to send a malicious LDAP request to a domain controller and gain remote code execution. Exploitation does not require privileged credentials, and a successful attack grants the intruder Domain Admin privileges instantly. Given that LDAP is the backbone of Active Directory, this vulnerability is considered an imminent threat to enterprise identity infrastructure. Organizations should treat domain controller patching as the highest priority.

Windows Defender SmartScreen Bypass (CVE-2026-3039)

SmartScreen, the URL and file reputation service built into Windows, had a bypass that could allow an attacker to deliver a malicious file without triggering the usual warning. By crafting a file with a specific Zone.Identifier alternate data stream, an attacker could trick SmartScreen into trusting a file from the internet. This technique is often used in phishing campaigns to deliver malware. The update ensures that SmartScreen correctly re-evaluates file origins.

Office, Exchange Server, and Developer Tool Patches

The update wave extended far beyond the operating system. Microsoft Office received 12 patches, including one Critical remote code execution (CVE-2026-3058) in the Microsoft Outlook desktop app. Opening a specially crafted email could trigger an automatic download and execution of malicious code, even in the preview pane. The flaw stems from improper validation of MIME attachments. All supported versions of Outlook 2019, Outlook 2021, and Microsoft 365 Apps are affected.

Exchange Server patches address five vulnerabilities, two of which are rated Critical. CVE-2026-3068, a server-side request forgery (SSRF) in Exchange, could allow an authenticated attacker to access internal resources or even execute code on the Exchange server. The other, CVE-2026-3075, is an elevation of privilege in Exchange’s Unified Messaging service that could grant SYSTEM-level access. Because Exchange servers are high-value targets, these updates are particularly urgent. Microsoft reminded customers that all Exchange Server 2019 and 2016 cumulative updates must be current before applying these security patches.

Developer tools were also part of the bundle. Visual Studio got fixes for five information disclosure and denial-of-service bugs. The .NET framework andASP.NET Core received four patches, including a critical deserialization issue (CVE-2026-3071) that could lead to remote code execution in web applications that process untrusted input. Azure Stack Hub, Azure DevOps, and GitHub for Windows also saw updates to close security gaps.

Known Issues and Patching Caveats

Every large patch cycle brings its share of known issues, and June 2026 is no exception. Microsoft noted two specific problems in the release notes:

  • Windows 11 24H2 custom ISO installation failure: Systems that used a custom installation image to deploy Windows 11 24H2 may experience boot failures after applying the June update if the image was created with an older version of the ADK (Assessment and Deployment Kit). The workaround is to rebuild the ISO with the latest ADK or to use the Media Creation Tool. Microsoft is working on a resolution.
  • BitLocker recovery prompt on some devices: A subset of Lenovo and Dell laptops with certain firmware configurations may be prompted for the BitLocker recovery key after installing the update and rebooting. This is a known interaction with the Secure Boot patch; entering the recovery key once resolves the issue. Microsoft advises users to ensure their recovery keys are backed up before applying the update.

Moreover, IT admins report that the Windows Server 2025 update (build 20348.2894) introduced a memory leak in the DNS Server service when DNSSEC is enabled. Microsoft has acknowledged the issue and plans a fix in the July out-of-band update.

Guidance for Enterprise and Home Users

Given the criticality of this month’s patches, Microsoft recommends the following prioritization:

  1. Domain controllers and Exchange servers: Patch immediately due to the LDAP RCE and Exchange SSRF/CVE-3068 vulnerabilities. Even a short exposure window invites catastrophic compromise.
  2. Internet-facing Windows Servers (IIS, RDS): Apply the HTTP.sys and Remote Desktop Client fixes without delay. The wormable nature of HTTP.sys demands immediate action.
  3. Endpoints with BitLocker: Laptop and desktop users should prioritize CVE-2026-3049 to preserve encryption integrity, especially those in high-risk physical environments.
  4. All other Windows systems: Deploy the cumulative update (which includes all OS-level fixes) as part of the regular patch cycle. Use automated update management tools like Microsoft Endpoint Configuration Manager, Windows Server Update Services, or third-party patch solutions to accelerate rollouts.

Home users can rely on Windows Update to download and install the patches automatically. However, they should verify that BitLocker recovery keys are safely stored in their Microsoft account or a printed copy before rebooting, to avoid potential recovery prompts.

Looking Ahead

June 2026’s bumper crop of patches underscores the relentless pace of vulnerability discovery. With three publicly known zero-days and several wormable flaws, this Patch Tuesday will be remembered as a pivotal moment for Windows security. The MSCTF, HTTP.sys, and BitLocker disclosures remind us that even mature, battle-tested components can harbor hidden risks. As always, the most resilient organizations are those that patch quickly, monitor for exploitation, and maintain robust backup and recovery procedures. Microsoft has already signaled that the July update will address the DNS memory leak, and the community expects further hardening of the CTF subsystem after this recent scare.

For now, the message is clear: apply all June 2026 updates without delay, test your backups, and ensure your BitLocker recovery keys are accessible.