Microsoft has rolled out its June 2026 Patch Tuesday updates, addressing 198 vulnerabilities across its range of products. This month's update is particularly notable for including three zero-day vulnerabilities that were already being exploited before the patches were available. These zero-days highlight ongoing threats related to encryption bypass, service disruption, and boot-path integrity, and administrators should act swiftly.

Among the critical vulnerabilities, CVE-2026-50507 involves a security feature bypass in Windows BitLocker. This issue could allow attackers with physical or local access to circumvent full-disk encryption, posing a serious risk to organizations relying on BitLocker as a last line of defense for lost or stolen devices. Another significant vulnerability, CVE-2026-49160, affects the HTTP.sys component. This vulnerability could lead to a denial of service on internet-facing servers, making it a priority for organizations with web-facing infrastructure.

The third zero-day, CVE-2026-45586, adds to the urgency for immediate patch deployment. In addition to these zero-days, the update includes 54 remote code execution (RCE) vulnerabilities, with several rated as Critical. Remote Desktop Client and Windows Hyper-V are among the most affected, with multiple Critical-rated RCE vulnerabilities that could allow VM guest escape and code execution on the host.

Privilege escalation vulnerabilities are also prevalent, with 63 elevation of privilege (EoP) flaws identified. Significant components affected include the Windows DWM Core Library and the Windows Kernel. Notably, the Microsoft Cryptographic Services EoP vulnerability, CVE-2026-44810, affects a fundamental security subsystem and is of particular concern.

Security teams are advised to prioritize updates for BitLocker, HTTP.sys, Remote Desktop, and Hyper-V hosts. Immediate patching is crucial, but where it is not feasible, measures such as network segmentation and limiting RDP exposure can mitigate risks until patches are deployed.