Patch Tuesday June 2026: ~200 Flaws, 6 Zero-Days, and a Wormable Kernel RCE

Microsoft's June 2026 Patch Tuesday is among the largest on record — roughly 200 fixes, six zero-days including one exploited in the wild, and a top-severity Windows Kernel RCE. Here's what actually matters.

Nayan Dey
Senior Security Engineer

June's Patch Tuesday is the kind of month that ruins a security team's week. Microsoft shipped fixes for roughly 200 vulnerabilities on June 9, 2026 — the largest single Patch Tuesday in the program's history by most counts. Tallies vary between vendors (you'll see numbers from 198 to 208 floating around, depending on how each shop counts republished Chromium and third-party CVEs), but the shape of the release is not in dispute: it is enormous, it includes six zero-days, and one of those is already being used in attacks.

A note on the counting before we go further. The exact CVE total depends entirely on methodology, and reasonable outlets disagree. We're treating "around 200 Microsoft-authored CVEs" as the working number and flagging the headline items individually. When the count is fuzzy, the right move is to prioritize by exploitability, not to argue about the denominator.

The Numbers, Honestly

Of the roughly 200 fixes, several dozen are rated Critical. The category breakdown is worth internalizing because it tells you where the pressure is. Elevation-of-privilege flaws lead the count, followed closely by remote code execution, then information disclosure, spoofing, security feature bypass, and a smaller tail of denial-of-service issues.

Elevation of privilege leading the pack is the usual story — these are the bugs that turn a foothold into game over. But the large block of RCE flaws, a meaningful share of them rated Critical, is what should drive your patch sequencing this cycle. You cannot meaningfully test and deploy 200 patches in a day. You triage.

The One That's Already Being Exploited

If you read nothing else, read this. The standout item is a Microsoft Exchange Server spoofing vulnerability that, per the advisory, is being exploited in the wild. It allows an attacker to run arbitrary JavaScript in the context of Outlook Web Access. That framing undersells it: spoofing-class Exchange bugs that execute attacker-controlled script in OWA are a credential-harvesting and session-hijacking dream, and Exchange remains one of the most targeted enterprise surfaces on the planet.

The "exploited in attacks" label is the single most important signal in any Patch Tuesday. It means the theoretical has become operational. If you run on-prem Exchange, this patch jumps the queue ahead of everything else in the release, full stop. Internet-facing OWA with a live exploit is precisely the profile that gets organizations onto CISA's Known Exploited Vulnerabilities catalog and into incident reports.

The Five Publicly Disclosed Zero-Days

The other five zero-days were publicly disclosed but, as of patch release, not confirmed exploited. Public disclosure still matters: it shortens the window between "researchers know" and "attackers have working code." The five are a mix of privilege escalation and security feature bypass:

  • A Windows CTFMON elevation-of-privilege flaw
  • A Windows Cloud Files Mini Filter privilege escalation
  • A Windows BitLocker security feature bypass
  • A second, separate BitLocker bypass
  • An HTTP/2 denial-of-service flaw

Two independent BitLocker bypasses landing in the same month is notable. BitLocker is the control a lot of organizations lean on for lost-or-stolen-device risk and for regulatory "data at rest was encrypted" arguments. A bypass with public details erodes both the technical protection and the compliance story. If you depend on BitLocker as a load-bearing control, treat both bypasses as higher priority than their security-feature-bypass labels might suggest. The privilege-escalation flaws generally require existing access — real, but second in line behind anything internet-reachable.

The Wormable Kernel RCE

The headline Critical of the release is a Windows Kernel remote code execution vulnerability rated at the top of the CVSS scale (reported around 9.8). The reason it earns its own section: per the advisory it is remote, unauthenticated, requires no user interaction, and executes at SYSTEM. Researchers flagged it as the bug of the month, and reporting points to the kernel's handling of network traffic as the root cause — the kind of profile that makes a flaw wormable.

"Wormable" is a word the industry over-uses, so be precise about what it means here. It means a single exploit can, in principle, spread machine to machine without a human clicking anything — the EternalBlue and BlueKeep pattern. That class of bug is what turns a routine patch cycle into a 2 a.m. incident bridge.

The one piece of cooler-headed context: Microsoft has assessed exploitation as "less likely" and there is no public exploit or active attack known at the time of writing. That assessment is genuinely useful, and it's not the same as "exploited." But a near-maximum CVSS plus remote-unauthenticated-at-SYSTEM plus a now-public patch to diff is exactly the recipe attackers reverse-engineer fastest. The honest read: not a panic, but a hard deadline. Patch it on the same priority tier as the exploited Exchange bug, especially anywhere the affected service is exposed to untrusted networks.

How to Actually Sequence This Month

A pragmatic order of operations, because "patch everything now" is not a plan:

  1. The Exchange spoofing bug — exploited in the wild. Internet-facing. Do it first.
  2. The kernel RCE — wormable, top-of-scale CVSS. Prioritize external-facing and lateral-movement-critical hosts.
  3. The two BitLocker bypasses — if BitLocker is a load-bearing control for you.
  4. The remaining Critical RCEs — a large block of them this cycle; rank by exposure and asset value.
  5. Everything else — into your normal cadence, prioritized by what's actually reachable in your environment.
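To make the sequencing above concrete, here is an added example (not the article's or any vendor's code) that encodes the five-step order as a ranking function over a list of advisories. The data model, the tier thresholds, the CVE identifiers (placeholders, since the article does not list them) and every CVSS score except the kernel RCE's reported ~9.8 are assumptions; the `internet_facing` and `load_bearing_control` fields stand in for the environment-specific inputs a team would fill in from its own asset inventory. The ranking generalizes to any release, not just this month's.

```python
"""Rank a Patch Tuesday release by exploitability and exposure, not by CVE count.

Added example, not the article's or any vendor's code. The advisory entries
below are constructed to mirror the headline items the article describes;
the CVE ids are placeholders and all CVSS values other than the kernel RCE's
~9.8 are assumed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str                  # placeholder id; the real ids are not on the page
    title: str
    category: str             # RCE, EoP, Spoofing, SFB, DoS, ID
    severity: str             # vendor rating: "Critical" or "Important"
    cvss: float
    exploited_in_wild: bool = False
    publicly_disclosed: bool = False
    wormable: bool = False    # remote + unauthenticated + no user interaction
    # Environment-specific inputs (assumed fields) filled in from your own inventory
    internet_facing: bool = False
    load_bearing_control: bool = False  # e.g. BitLocker relied on for data-at-rest


def triage_tier(adv: Advisory) -> int:
    """Bucket an advisory into the article's five-step order (1 = patch first)."""
    if adv.exploited_in_wild:
        return 1                                   # theoretical became operational
    if adv.wormable and adv.cvss >= 9.0:
        return 2                                   # self-propagating potential
    if adv.category == "SFB" and adv.load_bearing_control:
        return 3                                   # bypass of a control you depend on
    if adv.category == "RCE" and adv.severity == "Critical":
        return 4                                   # remaining Critical RCEs
    return 5                                       # normal cadence


def sort_key(adv: Advisory):
    """Within a tier: reachable hosts first, higher CVSS first, public details first."""
    return (triage_tier(adv), not adv.internet_facing, -adv.cvss,
            not adv.publicly_disclosed, adv.title)


def rank(advisories):
    """Return the advisories in patch order."""
    return sorted(advisories, key=sort_key)


def reason(adv: Advisory) -> str:
    """Human-readable justification, so the order is defensible in a change ticket."""
    tags = [label for flag, label in (
        (adv.exploited_in_wild, "exploited in the wild"),
        (adv.wormable, "wormable"),
        (adv.publicly_disclosed, "publicly disclosed"),
        (adv.internet_facing, "internet-facing"),
        (adv.load_bearing_control, "load-bearing control"),
    ) if flag]
    base = f"tier {triage_tier(adv)}: {adv.severity} {adv.category} CVSS {adv.cvss}"
    return base + (f" ({', '.join(tags)})" if tags else "")


def count_by_tier(advisories) -> dict:
    """How much of the release actually needs out-of-cycle attention per tier."""
    return dict(Counter(triage_tier(a) for a in advisories))


# Constructed sample release; ids and most scores are placeholders, not real data.
JUNE_2026_SAMPLE = [
    Advisory("CVE-2026-XXXX1", "Exchange Server OWA spoofing", "Spoofing", "Important", 6.5,
             exploited_in_wild=True, internet_facing=True),
    Advisory("CVE-2026-XXXX2", "Windows Kernel RCE", "RCE", "Critical", 9.8, wormable=True),
    Advisory("CVE-2026-XXXX3", "BitLocker security feature bypass #1", "SFB", "Important", 6.8,
             publicly_disclosed=True, load_bearing_control=True),
    Advisory("CVE-2026-XXXX4", "BitLocker security feature bypass #2", "SFB", "Important", 6.8,
             publicly_disclosed=True, load_bearing_control=True),
    Advisory("CVE-2026-XXXX5", "Windows CTFMON elevation of privilege", "EoP", "Important", 7.8,
             publicly_disclosed=True),
    Advisory("CVE-2026-XXXX6", "Windows Cloud Files Mini Filter elevation of privilege", "EoP",
             "Important", 7.8, publicly_disclosed=True),
    Advisory("CVE-2026-XXXX7", "HTTP/2 denial of service", "DoS", "Important", 7.5,
             publicly_disclosed=True, internet_facing=True),
    Advisory("CVE-2026-XXXX8", "Critical RCE in another component", "RCE", "Critical", 9.1),
    Advisory("CVE-2026-XXXX9", "Information disclosure", "ID", "Important", 5.5),
]

if __name__ == "__main__":
    for adv in rank(JUNE_2026_SAMPLE):
        print(f"{adv.cve:15} {reason(adv)}  - {adv.title}")
    print("per tier:", count_by_tier(JUNE_2026_SAMPLE))
```

Run as a script it prints the worklist in patch order with a one-line reason per entry. Note that the HTTP/2 DoS, flagged here as internet-facing, lands ahead of the two privilege-escalation zero-days inside the final tier even though its CVSS is lower: exposure, not score, is what breaks ties once the exploited and wormable items are out of the way.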

The recurring lesson of large Patch Tuesdays is that the CVE count is a distraction. What matters is the small set of bugs that are exploited, wormable, or sitting on assets an attacker can actually reach. Map this release against your own attack surface before you let the headline number set your stress level.

How Safeguard Helps

Safeguard turns a 200-CVE dump into a ranked, evidence-backed worklist scoped to your actual environment. Our multi-agent verification layer — the TAOR Deep Think engine orchestrating Griffin AI and pluggable models — correlates each advisory against your AIBOM and software bill of materials, your real exposure, and live exploitation signals, so an exploited Exchange flaw and a wormable kernel RCE float to the top while the noise sinks. Because reliability lives in the verification layer above any single model, you get fewer false positives and a defensible reason for the order in which you patch. Want help triaging this month's release against your own surface? Reach out.
