All posts

June 2026 Patch Tuesday, One Month On: Check Before July 14

Patch Tuesday reporting usually ends the day it begins: the release lands, the counts get published, everyone moves on. But the month AFTER a Patch Tuesday is where the real account gets settled: which vulnerabilities attackers actually picked up, which exploit predictions moved, and which servers quietly missed their update ring. With the next release landing Tuesday, July 14, here is the honest one-month review of June 2026, and the checklist to run before the new wave arrives.

June 2026 Patch Tuesday by the numbers

  • 33 updates released on June 9, 2026 across Windows client and server builds.
  • 244 unique CVEs fixed. 15 of the updates carry Severity Critical, 18 Severity High.
  • 4 updates fix CVEs that appear in CISA's Known Exploited Vulnerabilities catalog.

The full release, ranked by real-world risk rather than press attention, is on our Patch Tuesday tracker, and the June release is archived in full detail at Patch Tuesday June 2026.

The Critical fixes worth re-verifying

A month of exploit-prediction data separates the paper Criticals from the practical ones. These June fixes deserve a deployment audit today:

  • CVE-2026-45657: Windows Kernel Remote Code Execution, CVSS 9.8. Kernel RCEs are the class attackers hoard.
  • CVE-2026-47291: HTTP.sys Remote Code Execution, CVSS 9.8. The Zero Day Initiative published a detailed technical analysis this week, and public analysis of an unauthenticated web-facing RCE is historically the step before public exploitation.
  • CVE-2026-45602: Windows DHCP tampering, CVSS 9.8, and an EPSS exploit probability that has climbed to 48 percent. We published a dedicated patch-priority guide for this one.
  • CVE-2026-44815: DHCP Client Service Remote Code Execution, CVSS 9.8. Two Critical DHCP-layer flaws in one release is a pattern worth noticing: network-infrastructure services are getting attention.
  • CVE-2026-47643: Azure Stack Edge Remote Code Execution, CVSS 9.8, for hybrid-edge estates.

Every link above is a live page with current Severity, EPSS, CISA KEV status, and the fixing KB for each build, refreshed multiple times daily. The June cumulative updates people search for most, led by KB5094123 and KB5093998, each have the same live treatment.

What the month actually brought: 23 new exploited vulnerabilities

Since June 9, CISA has added 23 vulnerabilities to the Known Exploited Vulnerabilities catalog. Only one is a Microsoft CVE, and that is the point: patching Windows on schedule while attackers spend their month elsewhere is a win, but only if you are also watching the elsewhere.

The loudest of those additions was CVE-2026-35273, an Oracle PeopleSoft zero-day under active exploitation, covered in depth by Rapid7 and in the context of Oracle's 243-CVE June update by Tenable. It currently tops our cross-vendor ranking of the hottest CVEs and patches.

Two free trackers cover this continuously: Exploited this week lists every new KEV catalog addition across all vendors, and the non-Microsoft exploited CVE tracker keeps the full non-Microsoft catalog sortable by vendor, CVSS, and ransomware linkage.

The before-July-14 checklist

  • Verify June actually deployed. Not approved: deployed. Check your update rings for the June cumulative updates, especially on Windows Server 2019 and Windows 10 1809 fleets.
  • Close the five Criticals above by name. A 9.8 with a published technical analysis or a rising EPSS score is not a background task.
  • Sweep the non-Microsoft estate. 22 of the month's 23 newly exploited vulnerabilities were not Microsoft. PeopleSoft, network appliances, and file-transfer tools are where the KEV catalog grew.
  • Baseline before the new wave. A clean picture of June makes July triage twice as fast. Our Microsoft patch tracker ranks every current KB by Severity, exploitation, and search demand in one table.

Why the month-after view matters

CVSS is assigned on day one and rarely moves. Exploitation is a process: EPSS probabilities shift as proof-of-concept code appears, analyses get published, and scanning starts. A patch program that only reads day-one severity is triaging on stale data by week two. That is why every tracker linked above re-ranks continuously, and why the July 14 release will get the same treatment: day-one numbers first, then the month of truth that follows.

All release data comes from Microsoft's MSRC feed, exploitation status from the CISA KEV catalog, and exploit probability from FIRST.org EPSS, refreshed multiple times daily across every page linked here.

All posts

Patching across Intune, Windows Autopatch, Defender, Azure, and your endpoint managers: see Senserva patching in action.