Skip to content
WhySoGeek.
News

June Patch Tuesday: 206 Fixes and 3 Zero-Days

Microsoft's June 2026 Patch Tuesday addressed 206 vulnerabilities, including three zero-days and 37 critical flaws across its products.

Sam Carter 9 min read
Cover image for June Patch Tuesday: 206 Fixes and 3 Zero-Days
Photo: swanksalot / flickr (BY-NC-SA 2.0)

Microsoft's June 2026 Patch Tuesday landed 206 fixes in a single drop, three of them for zero-days already public before the patch shipped. If you run Exchange or anything internet-facing, this is not a "patch when you get to it" month. The volume is the new normal, and triage is the only sane response.

Quick answer

Microsoft's June 2026 Patch Tuesday (June 9) fixed 206 vulnerabilities, including 3 publicly disclosed zero-days and about 37 rated critical. Patch the zero-days and the critical Exchange spoofing bug (CVE-2026-42897, CVSS 8.1) first, especially on any internet-facing server. Consumers and small offices can simply run Windows Update; the heavy lifting falls on IT teams who must prioritize exposed, high-value systems over the long tail.

Key takeaways

  • June 2026 Patch Tuesday (June 9) fixed 206 vulnerabilities, one of the largest single releases on record.
  • 3 were publicly disclosed zero-days; roughly 37 were rated critical.
  • Headline bugs: an HTTP/2 issue (CVE-2026-49160) and a critical Exchange spoofing flaw (CVE-2026-42897, CVSS 8.1) tied to cross-site scripting in Outlook Web Access.
  • Patch order should follow exposure and exploitability, not CVE count: public zero-days and internet-facing servers first.
  • 200-plus CVE months are now the baseline, not the exception, so this is a recurring operational load.

What happened

Microsoft released fixes for 206 vulnerabilities on June 9, 2026, including three publicly disclosed zero-days and around 37 flaws rated critical. The two most-discussed bugs were CVE-2026-49160, covered as an HTTP/2 problem in the Windows networking stack, and CVE-2026-42897, a spoofing vulnerability in Microsoft Exchange Server rated critical at CVSS 8.1 and tied to a cross-site scripting issue in Outlook Web Access (OWA).

The "publicly disclosed" label is what raises the stakes. A zero-day whose details are already in the open means attackers had a head start before the patch existed, so the window between disclosure and mass exploitation is short. Security analysts framed the 206 count as a continuation of a trend, not an anomaly: recent Patch Tuesdays have routinely topped 200 CVEs, a level once considered exceptional.

Note

CVSS is a standardized severity score from 0 to 10. Above 8 generally signals a serious flaw warranting prompt patching, but CVSS alone does not capture whether a bug is being actively exploited, which is why public zero-days jump the queue regardless of score.

How to prioritize 206 fixes

Nobody patches 206 CVEs in order. The job is ranking them by real-world risk. Here is the triage logic defenders actually use.

PriorityWhat qualifies this monthWhy it goes first
1. Public zero-daysThe 3 publicly disclosed flawsDetails already out; shortest time to exploitation
2. Critical, internet-facingExchange OWA spoofing (CVE-2026-42897)Exposed servers are scanned constantly
3. Critical, internalThe other ~36 critical CVEsHigh impact but needs a foothold first
4. Important / the long tailThe remaining ~165 fixesRoll out on the normal patch cycle

For a home user or a small office, this triage is invisible: Windows Update applies everything in one pass. The complexity is an enterprise problem, where servers, change windows, and uptime requirements mean you cannot just reboot everything at once.

A server room with security monitoring dashboards
Photo: J Dueck / flickr (BY 2.0)

Why the Exchange flaw is the standout

Server software is where spoofing bugs do real damage. Outlook Web Access is internet-facing in a large share of organizations, so a spoofing flaw there gives attackers a way to impersonate trusted content, set up convincing phishing, or chain into further access. Exchange has been a perennial target for years precisely because it sits at the boundary between the public internet and an organization's email and identity. Patching CVE-2026-42897 promptly, and confirming OWA is not needlessly exposed, is the single highest-value action this month for anyone running on-premises Exchange.

What to do tonight

  • Home and small office: open Settings, then Windows Update, click Check for updates, install, and reboot. That covers you.
  • IT teams: patch the three public zero-days first, then the Exchange/OWA spoofing bug on any internet-facing server.
  • Cross-check each CVE against CISA's Known Exploited Vulnerabilities catalog; anything listed there moves to the top regardless of CVSS.
  • Confirm no critical server skipped its reboot, since many of these fixes do not take effect until restart.
  • Schedule the remaining "Important" fixes on your normal cycle rather than rushing all 206 at once.

The bigger picture

The "new normal" of 200-plus CVE updates reflects both growing software complexity and more aggressive coordinated-disclosure research that surfaces flaws faster. The result is a continuous patching burden rather than occasional big-bang updates. The same month saw active exploitation elsewhere; for related 2026 server-side incidents, see the SharePoint ToolShell flaw that demanded immediate patching and the SonicWall SSL VPN mass-exploitation campaign by the Akira ransomware crew. Patching is not an event; it is an operating discipline.

Frequently asked questions

How many vulnerabilities did Microsoft fix in June 2026?

206 vulnerabilities, including 3 publicly disclosed zero-days and roughly 37 rated critical, released on June 9, 2026.

Which fixes should I apply first?

The three publicly disclosed zero-days, then the critical Exchange spoofing bug (CVE-2026-42897) on any internet-facing server. After that, work through the remaining critical CVEs by exposure.

What is a publicly disclosed zero-day?

A flaw whose technical details became public before or around the time a patch shipped. Because attackers already have a head start, these carry extra urgency even when their CVSS score is not the highest.

Do home users need to do anything special?

No. Running Windows Update installs all of these fixes in one pass. The prioritization complexity only matters for organizations managing many servers with uptime constraints.

Why are Patch Tuesdays routinely over 200 CVEs now?

More software complexity and far more active vulnerability research, including coordinated-disclosure programs, mean more flaws are found and fixed each month. The 200-plus baseline is expected to continue.

#news#security

Sources & further reading

Keep reading