// DAILY INTELLIGENCE FEED · MSP & HELPDESK
// ARCHIVED ISSUE

Tuesday, June 16, 2026

5 WARNING · 5 stories
// FROM THE FLOOR
RISK_LEVEL: 🔴 HIGH

Test and stage the critical Windows kernel RCE (CVE-2026-45657) patch in your pilot group today — don't wait for Patch Tuesday full rollout.

☁️ M365/AZURE · 1 item
WARNING · ☁️ M365/Azure

June 2026 Patch Tuesday: Microsoft Addresses 198 CVEs Including Critical Updates Across Azure, M365 Copilot, and More

On June 9, 2026, Microsoft released security advisories covering 198 CVEs across a broad range of products including Azure Kubernetes Service, Azure Privileged Identity Management, Azure Logic Apps, M365 Copilot for Desktop, and Microsoft Authenticator. Critical patches were issued for Azure Connected Machine Agent, Azure Stack Edge, Azure Resource Manager, and several other core Azure services. MSPs should prioritise deploying these patches immediately, especially for internet-facing Azure workloads.

🔐 SECURITY · 4 items
WARNING · 🔐 Security

CVE-2026-50507 (BitSkrieg): Windows BitLocker Security Feature Bypass — Physical Access Zero-Day Patched

CVE-2026-50507, known as 'BitSkrieg', is a publicly disclosed BitLocker bypass zero-day patched in the June 2026 Patch Tuesday. Exploitation requires physical device access but allows attackers to access data on BitLocker-encrypted drives via the Windows Recovery Environment. Post-patch reports suggest the fix may be incomplete — MSPs should verify the patch is applied and monitor for follow-up advisories.

WARNING · 🔐 Security

HTTP/2 Bomb (CVE-2026-49975) Still Unpatched — Microsoft IIS Among Affected Platforms

CVE-2026-49975, dubbed 'HTTP/2 Bomb', became public knowledge in early June 2026 and allows trivial denial-of-service attacks against the default HTTP/2 configuration of multiple web server platforms including Microsoft IIS. As of the June 9 Patch Tuesday, Microsoft had not yet directly addressed this vulnerability. MSPs hosting IIS or other HTTP/2-enabled web services should consider disabling HTTP/2 on default configurations as a temporary mitigation.

WARNING · 🔐 Security

CVE-2026-45657: Critical Windows Kernel RCE (CVSS 9.8) Patched June 2026

CVE-2026-45657 is a critical Windows Kernel remote code execution vulnerability disclosed on June 9 with a CVSS base score of 9.8, allowing remote unauthenticated attackers to execute code at SYSTEM level. While exploit code maturity is currently listed as unproven, the severity and broad attack surface make rapid patching essential. Apply the June Patch Tuesday cumulative update and reboot affected systems without delay.

WARNING · 🔐 Security

Seven Critical Remote Desktop Client RCEs Patched — CVE-2026-42985 Rated Exploitation More Likely

Microsoft patched seven critical RCEs in Windows Remote Desktop Client this Patch Tuesday, with CVSS scores from 7.5 to 8.8; CVE-2026-42985 is assessed as 'Exploitation More Likely' and involves a heap-based buffer overflow triggered when a victim connects to an attacker-controlled RDP server. Organisations should patch RDP clients promptly and consider blocking outbound RDP to untrusted hosts.


// AI-assisted · always verify before acting · not professional security advice