Microsoft shipped its June 2026 security updates today, the second Tuesday of the month, and after a couple of comparatively light releases this one is a doozy: 198 vulnerabilities fixed, including three zero-days. The pre-Patch-Tuesday forecasts had this pegged as a quiet month; the actual release was anything but. When a single update carries that many fixes and three flaws that were already known to attackers, the message for a small business is simple: this is not one to leave sitting.
Below is the plain-language version, what is actually in it, what the shape of the release tells you, the three zero-days and what each one means for a Central Coast business, and a prioritized list of how to protect yourself this week. You do not need to read CVE bulletins to make good decisions here; you need to know what to do first.
The headline number: 198 fixes, and what the shape tells you
198 CVEs is one of the heaviest Patch Tuesdays of 2026 so far. Raw counts can be noise, but the shape of a release is informative, and this month it breaks down roughly like this:
- ~63 elevation-of-privilege flaws. These let an attacker who already has some access on a machine promote themselves to full administrator or system control. They are the workhorse of a real intrusion: rarely the way in, almost always the next step. A privilege-escalation-heavy month is a reminder that "they only got a normal user account" is not the same as "we're fine."
- ~54 remote-code-execution flaws. These are the dangerous ones, because they let an attacker run their own code on your system, sometimes with little or no interaction from your staff. RCE is how a malicious document or a crafted network request turns into a foothold. Several of this month's RCEs are rated Critical.
- The rest spread across information disclosure, spoofing, denial of service, security-feature bypass, and tampering.
The takeaway is not the arithmetic; it is that this release touches both halves of an attack, the break-in (RCE) and the takeover (EoP), in volume. That is exactly the profile you patch promptly.
The three zero-days, and what to do about each
A zero-day is a flaw that attackers already knew about, or that was publicly disclosed, before a fix existed, so the usual head start defenders get from patching early is gone. June has three:
- CVE-2026-50507 — BitLocker security-feature bypass. Rated Important, this lets someone with physical or local access to a device get around BitLocker full-disk encryption. For a small business this is the one to feel in your gut, because it maps to an everyday risk: a laptop left in a car, lost at an airport, or stolen from an office. Encryption is what makes a stolen laptop a hardware loss instead of a data breach; a bypass chips at that. It is the same category of problem we covered in the BitLocker bypass post. Patch your laptops first and confirm encryption is actually on.
- CVE-2026-49160 — HTTP.sys denial of service. Rated Important, this flaw in the HTTP/2 stack lets a crafted stream of requests knock an internet-facing Windows web server offline. If you host anything public on a Windows server, this moves to the top of your list, because availability is the whole point of a public server and a DoS takes it down.
- CVE-2026-45586 — publicly known before patch. Microsoft confirmed this one was known to attackers ahead of the fix. The detail matters less than the principle: a flaw that is public on patch day is one attackers are already working with, which is the entire argument for not delaying.
Critical clusters worth knowing about
Beyond the zero-days, a few groups of Critical remote-code-execution fixes stand out, and they map to things real small businesses run:
- Remote Desktop Client. The Remote Desktop client picked up the most concentrated cluster of RCE patches this month, several Critical (for example CVE-2026-44801 and CVE-2026-44799). If your team connects to remote machines, this is relevant, and it is a reminder that exposed Remote Desktop remains one of the most attacked surfaces in small business.
- Windows Hyper-V. Several Critical RCEs (such as CVE-2026-47652 and CVE-2026-45607) allow a guest virtual machine to escape and run code on the host. If you run virtualization, a guest-to-host escape is the nightmare scenario, one compromised VM reaching everything.
- Microsoft Office. Critical RCEs in Outlook and Word (including CVE-2026-45458 and CVE-2026-45456) are exploitable through malicious documents. This is the everyday path: an attachment that does not just phish for a password but runs code when opened. It is why the email-side defenses in the email authentication post and staff awareness matter alongside the patch.
The on-prem server items: Exchange and SharePoint
Two server-side fixes deserve a direct call-out for the businesses still self-hosting. The first is CVE-2026-42897, the Outlook Web Access flaw in on-premises Exchange Server we wrote about in the Exchange zero-day post; it had been held at bay by Microsoft's Exchange Emergency Mitigation Service, and this month it finally gets its permanent patch. Emergency mitigations are temporary by design, so if you run on-prem Exchange, apply the real fix now. The second is CVE-2026-45659, a SharePoint Server remote-code-execution flaw (CVSS 8.8) first shipped out-of-band on May 21 and now rolled into this release, in the same family as the one in our May SharePoint post. Most small businesses use Exchange and SharePoint through Microsoft 365, where Microsoft patches the back end; these are for the shrinking number who still self-host, and they are exactly the kind of server-maintenance burden the cloud migration guide is about removing.
Also this month: the Secure Boot certificate deadline
One item this month is not a vulnerability in the usual sense but has a real date attached. Secure Boot is the protection that stops malicious code from loading before Windows even starts, and it works by trusting boot components signed with certificates, certificates that, on most devices, date to 2011. Those 2011-era certificates are reaching the end of their validity through 2026, and this cycle lands at the end of June.
Microsoft has been distributing updated certificates so devices keep an unbroken chain of trust, but the rollout is not silently guaranteed on every machine. A device that does not receive the updated certificates in time can lose the ability to trust newly signed boot components and to take certain boot-related security updates, quietly eroding a protection most owners do not know they have. This is not a panic, but it is a deadline: install this month's updates and then confirm, device by device, that the Secure Boot certificate update has actually applied. "Windows Update ran" is not the same as "the certificate landed," and that verification step is the one that gets skipped.
How to protect yourself this week
Translated into action, in priority order:
- Install and reboot, everywhere. Run this month's Windows and Office updates on every PC and every server and reboot when prompted. That single step covers the three zero-days and the bulk of the 198 fixes. The machine someone keeps deferring is the one that bites you.
- Laptops first, and verify encryption. Because of the BitLocker bypass, prioritize portable devices and confirm full-disk encryption is actually enabled, so a lost or stolen laptop stays a hardware problem, not a data breach.
- Lock down internet-facing Windows servers. Patch them promptly for the HTTP.sys flaw, and while you are there, confirm that Remote Desktop is not exposed directly to the internet; it should sit behind a VPN or a gateway, never open to the world.
- Self-hosted Exchange or SharePoint: apply now. The CVE-2026-42897 and CVE-2026-45659 fixes are priority server updates, not end-of-cycle ones.
- Confirm Secure Boot certificates. Verify the certificate update applied on each device before the end-of-June deadline.
- Keep MFA and backups in place. Patching lowers the odds of an incident; multi-factor authentication limits what a foothold can reach, and a tested backup is what saves you when something gets through anyway. See the 10 essentials and the backup and DR post.
- Do not forget the orphans. The old PC running one critical app, the server in the closet, the laptop that lives in a bag, those are where patch gaps hide.
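The verification half of the list above, as an added example that is not part of the original post: a PowerShell pass you can run in an elevated prompt on each device after it has updated and rebooted. It uses only built-in cmdlets and assumes UEFI firmware; the 14-day window, the "Windows UEFI CA 2023" string Microsoft documents for the 2011-certificate expiry, and the Remote Desktop registry value are assumptions, not details from the post.

```powershell
# Added post-patch verification checks (not from the original post).
# Run in an elevated PowerShell after this month's updates and a reboot.
$report = [ordered]@{}

# 1. Updates: list what installed recently, so "Windows Update ran" is checked, not assumed.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date).AddDays(-14) }
$report['RecentUpdates'] = if ($recent) { $recent.HotFixID -join ', ' }
                           else { 'NONE in last 14 days - investigate' }

# 2. BitLocker: the OS volume must be fully encrypted AND protection switched on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLocker'] = if ($os.VolumeStatus -eq 'FullyEncrypted' -and $os.ProtectionStatus -eq 'On') { 'OK' }
                       else { "ATTENTION: $($os.VolumeStatus), protection $($os.ProtectionStatus)" }

# 3. Secure Boot: enabled, and the 2023 CA present in the firmware 'db' variable
#    (the string match Microsoft documents for the 2011-certificate expiry; assumption).
try {
    $sbOn    = Confirm-SecureBootUEFI
    $db      = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
    $has2023 = $db -match 'Windows UEFI CA 2023'
    $report['SecureBoot'] = if ($sbOn -and $has2023) { 'OK: 2023 CA present in db' }
                            elseif ($sbOn) { 'ATTENTION: enabled, but 2023 CA not yet in db' }
                            else { 'ATTENTION: Secure Boot disabled' }
} catch {
    # Non-UEFI or legacy-BIOS machines cannot use Secure Boot at all.
    $report['SecureBoot'] = "ATTENTION: unable to query ($($_.Exception.Message))"
}

# 4. Remote Desktop: flag when enabled so someone confirms it sits behind a VPN or gateway.
$ts        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$report['RemoteDesktop'] = if ($ts.fDenyTSConnections -eq 0 -or $listening) {
                               'ENABLED - confirm it is not reachable from the internet'
                           } else { 'disabled' }

[pscustomobject]$report | Format-List
```

Any line reading ATTENTION is a device to follow up on by hand; an all-OK report is the evidence that lets you say "we patched" and prove it.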
Where this fits
- The May 2026 Patch Tuesday post, for last month's release and the patch-cadence habit.
- The BitLocker bypass post, for the encryption-bypass class behind this month's headline zero-day.
- The Exchange zero-day post and the May SharePoint post, for the on-prem server flaws fixed this month.
- The Windows 10 end-of-life post, for the machines that will stop getting any of these updates and what to do about them.
- The 10 essentials and the cybersecurity page, for where patching sits in the full defense.
- The managed IT page, for patch management that is verified across every device.
We run monthly patch management for small businesses across Salinas, Monterey, Santa Cruz, Watsonville, San Jose, and the rest of the Central Coast, so "we patch every month" is something you can prove, not just hope.
FAQs about the June 2026 Patch Tuesday
How many vulnerabilities did Microsoft fix in the June 2026 Patch Tuesday, and were there zero-days?
Microsoft fixed 198 vulnerabilities in the June 9, 2026 release, making it one of the heaviest Patch Tuesdays of the year so far, and it included three zero-days, flaws that were already being exploited or were publicly known before the fix shipped. By type, the release is dominated by elevation-of-privilege flaws (around 63) and remote-code-execution flaws (around 54), with multiple Critical-rated RCEs in Remote Desktop, Hyper-V, and Office. After a couple of lighter months, this is a busy one, and the combination of three zero-days and many Critical issues means it should be tested and deployed promptly rather than left for the end of your normal cycle.
What are the three zero-days and which matters most to a small business?
The three are CVE-2026-50507, a BitLocker security-feature bypass that lets someone with physical or local access to a device get around full-disk encryption; CVE-2026-49160, an HTTP.sys denial-of-service flaw in the HTTP/2 stack that can knock an internet-facing Windows web server offline with a crafted request; and CVE-2026-45586, a flaw confirmed as known to attackers before the patch was available. For most small businesses the BitLocker bypass is the one to feel in your gut, because it maps to a real everyday risk: a stolen or lost laptop. If you run any internet-facing Windows web server, the HTTP.sys flaw moves to the top of your list. The honest answer, though, is that all three are zero-days and the whole update should go out quickly.
What's the most important thing to patch this month?
Install the full Windows and Office updates through Windows Update on every machine, because that covers the three zero-days and the bulk of the 198 fixes. Then prioritize by what you run: if you have laptops that leave the building, the BitLocker bypass makes prompt patching and confirmed disk encryption a priority; if you run an internet-facing Windows web server, the HTTP.sys flaw is urgent; and if you self-host Exchange or SharePoint, this release carries the permanent fix for the Exchange Outlook Web Access flaw CVE-2026-42897 and a SharePoint remote-code-execution fix CVE-2026-45659. Separately, this month also has the Secure Boot certificate deadline at the end of June, which needs to be confirmed on every device.
What is the Secure Boot certificate deadline, and do we need to worry about it?
Secure Boot is the protection that stops malicious code from loading before Windows starts, and it works by trusting components signed with certificates issued back in 2011. Those original certificates are reaching the end of their validity in 2026, with this cycle landing at the end of June. Microsoft has been distributing updated certificates so devices keep a valid chain of trust, but the rollout is not automatic and guaranteed on every machine, which is the catch. A device that does not receive the updated certificates in time can lose the ability to trust newly signed boot components and to receive certain boot-related security updates, quietly weakening one of its foundational protections. For a small business this is not a fire drill, but it is a real deadline that needs someone to confirm, device by device, that the certificate update has actually applied.
We're a small business with no IT staff. How do we keep up with Patch Tuesday every month?
The honest answer is that doing it well by hand is hard, which is why most small businesses either fall behind or never confirm that updates actually landed. The practical baseline is to make sure Windows Update is enabled and not endlessly deferred on every machine, reboot when asked rather than clicking "remind me later" for weeks, and not forget the servers and the one old PC running a critical app that everyone avoids touching. Beyond that baseline, managed patch management is exactly the kind of unglamorous, high-value work a managed IT provider handles: updates are deployed centrally, tested, and then verified across every device, including the servers and the edge cases, so "we patch monthly" becomes something you can actually prove rather than hope.
Can we wait to install this month's updates?
Not on this one. June carries three zero-days that attackers already knew about, plus multiple Critical remote-code-execution flaws, which is exactly the profile where waiting is dangerous. The moment a patch ships, the underlying flaw is public and criminals build exploits aimed at whoever has not applied it, and with zero-days some of that work was already done before patch day. A short, sensible test-then-deploy window is fine and smart; leaving a 198-CVE, three-zero-day update sitting for weeks is not. If you cannot patch immediately, prioritize the zero-days and any internet-facing servers first, then catch up the rest quickly.
Not sure your updates actually landed? Let's verify.
30 minutes with a DoD-cleared engineer. We'll check whether this month's updates, the three zero-days, the Exchange and SharePoint fixes, and the Secure Boot certificate update have truly applied across your machines, and set up patch management you can prove. No jargon, no obligation.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.