Microsoft patches 206 flaws, four critical bugs likely to be exploited

Microsoft has shipped one of its largest monthly updates of the year, fixing 206 security flaws across Windows, Office, Azure and more. Of those, 32 are rated critical and 28 of the critical bugs allow remote code execution, meaning an attacker could run their own commands on a vulnerable machine. Cisco Talos, which analyzed the release, flagged four bugs that Microsoft considers more likely to be exploited, so they should jump to the top of every patching queue.

What's affected

The June 2026 Patch Tuesday touches a wide range of Windows components, including Active Directory, the Kerberos key distribution center, Hyper-V, the Windows kernel, Remote Desktop, and the HTTP protocol stack that powers IIS web servers. Office, Outlook, Word, SQL Server and Azure Kubernetes Service also received critical fixes.

The bugs to patch first

According to research published by Cisco Talos analyst Chetan Raghuprasad, four flaws stand out as the most likely targets. CVE-2026-47291 is an unauthenticated remote code execution bug in the Windows HTTP Protocol Stack (http.sys): an attacker can take over an internet-facing server simply by sending it a specially crafted packet, with no login required. CVE-2026-42985 is a critical heap overflow in the Remote Desktop client that can be triggered when a user connects to a malicious RDP server. CVE-2026-44803 and CVE-2026-44812 are memory corruption flaws in the Windows graphics component that let an attacker run code locally.

Talos also highlighted CVE-2026-45657, a use-after-free in the Windows kernel that Microsoft says can be hit purely over the network. Crafted TCP/IP traffic could let an unauthenticated attacker run code with SYSTEM privileges, the kind of low-interaction, network-reachable bug that worms and mass scanners love. Outlook users should note CVE-2026-45456 and related Office type confusion bugs that can fire through the Outlook preview pane, so a target may not even need to open the malicious email.

What you should do

Apply the June updates as soon as testing allows, prioritizing internet-facing servers running http.sys and any systems exposed to untrusted RDP connections. For organizations that cannot patch immediately, Talos has released Snort coverage (Snort 2 rules 66572 to 66577 and others, Snort 3 rules 301523 to 301532) to detect exploitation attempts. The full list of fixes is on Microsoft's update guide.

You can read the original Talos analysis for the complete breakdown of all 206 vulnerabilities.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
