Microsoft Patch Tuesday: June 2026

Analysis by Mark Shavlik · Updated 2026-07-01

This Patch Tuesday: ELEVATED, because 1 CVE is already being exploited in the wild. Next: July 14, 2026 (13 days).
Patch the exploited item first, as always

This month is lighter on raw volume, but volume is not the story on Patch Tuesday; exploitation is. At least one fix this release closes a vulnerability already being used in attacks, so that is where every team should start, then work down by EPSS exploit probability and severity. If you have not automated the question of which of these updates you are actually missing, that is the gap that turns a patch list into an incident.

June 2026 take, by Mark Shavlik

The place to start on Patch Tuesday. Every month Microsoft releases its security updates on the second Tuesday, and this page ranks them by what attackers are actually exploiting, calls out the zero-days by name, and keeps a full history. Next Patch Tuesday: July 14, 2026.

June 2026 at a glance

Microsoft shipped 33 updates fixing 244 CVEs this release.
Updates (KBs): 33
CVEs fixed: 244
Actively exploited: 1
Ransomware-linked: 0
Critical updates: 15

The trend

[Chart: CVEs fixed and CVEs with known attacks added, per month, January 2025 to June 2026]

Actively exploited this release

These are the June 2026 CVEs already being exploited in the wild (on the CISA KEV list). Patch them first, everywhere.

No CVEs from the June 2026 release are on the CISA KEV list yet. That can change within days of release, so check back, and patch the highest-risk items below in the meantime.

Upcoming Patch Tuesday dates

Microsoft ships updates on the second Tuesday of each month.

How to prioritize on Patch Tuesday

  1. Exploited first. Anything on CISA KEV is being used in attacks now. Patch it before anything else.
  2. Then high exploit-probability. Sort the rest by FIRST.org EPSS, the chance a CVE is exploited soon.
  3. Then Critical severity. Remote code execution on internet-facing systems comes next.
  4. Match it to your estate. A CVE only matters if you run the affected product. Senserva ranks these against the updates actually missing on your own devices.
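
The four steps above expressed as a sort order, as an added example (not Senserva's code or ranking logic). The CVE ids and scores are constructed placeholders, and the 0.10 cut-off for "high" EPSS is an assumption, since the page does not define one.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the page does not define "high" EPSS; 0.10 is an illustrative cut-off.
EPSS_HIGH = 0.10

@dataclass(frozen=True)
class Cve:
    cve_id: str            # placeholder ids, not real CVE numbers
    product: str
    severity: str          # vendor rating, e.g. "Critical", "Important"
    epss: Optional[float]  # None when FIRST.org has not scored it yet
    on_kev: bool           # listed in CISA KEV

def tier(c: Cve) -> int:
    """Map a CVE to the page's order: KEV, then high EPSS, then Critical, then the rest."""
    if c.on_kev:
        return 0
    if c.epss is not None and c.epss >= EPSS_HIGH:
        return 1
    if c.severity.lower() == "critical":
        return 2
    return 3

def prioritize(cves, installed_products):
    """Return CVE ids for products in the estate, most urgent first."""
    estate = {p.lower() for p in installed_products}
    relevant = [c for c in cves if c.product.lower() in estate]
    # Within a tier, higher EPSS first; an unscored CVE sorts as 0.0 but keeps its tier.
    relevant.sort(key=lambda c: (tier(c), -(c.epss or 0.0), c.cve_id))
    return [c.cve_id for c in relevant]

# Constructed sample data for illustration only.
SAMPLE = [
    Cve("CVE-EXAMPLE-0001", "Windows 11", "Important", 0.02, False),
    Cve("CVE-EXAMPLE-0002", "Exchange Server", "Critical", 0.45, False),
    Cve("CVE-EXAMPLE-0003", "Windows 11", "Important", 0.01, True),
    Cve("CVE-EXAMPLE-0004", "SharePoint Server", "Critical", None, False),
    Cve("CVE-EXAMPLE-0005", "Windows 11", "Critical", None, False),
    Cve("CVE-EXAMPLE-0006", "Office", "Important", 0.31, False),
]

if __name__ == "__main__":
    for cve_id in prioritize(SAMPLE, ["Windows 11", "Office", "Exchange Server"]):
        print(cve_id)
```

A CVE released without an EPSS score is not pushed to the bottom: it skips the EPSS tier and is still ranked by KEV status and severity.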

Patch Tuesday history

Every month since we started tracking, newest first. Tracking 25 releases, 935 updates and 83 actively-exploited CVEs in total.

[Chart: CVEs fixed, actively exploited, Critical and ransomware-linked, per month, June 2024 to June 2026]
Month            Updates   CVEs   Exploited   Ransomware   Critical
June 2026             33    244           1            0         15
May 2026              69    141           1            0         15
April 2026            53    153           2            0         10
March 2026            38     61           0            0          0
February 2026         29     39           5            0          0
January 2026          27    109           3            0         11
December 2025         55    224           6            0         21
November 2025         16     11           0            0          0
October 2025          57    139           4            0         11
September 2025        30     61           0            0          0
August 2025           67    243           5            0         28
July 2025             37     64           5            3          5
June 2025             31     99           7            0          0
May 2025              18     40           4            0          0
April 2025            35    110           1            1          0
March 2025            33     86           9            1          0
February 2025         17     45           2            0          0
January 2025          44    149           3            0         14
December 2024         27     70           1            0         16
November 2024         34     82           2            1          9
October 2024          43    105           3            0         11
September 2024        45    166           6            0          5
August 2024           49    190          10            1         35
July 2024             32     50           2            1          0
June 2024             16     23           1            0          4

Month-by-month recap

A plain-English summary of each Patch Tuesday, newest first.

June 2026: 244 CVEs fixed, 1 exploited

The June 2026 Microsoft Patch Tuesday shipped 33 updates (KB articles) fixing 244 CVEs, 15 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.

May 2026: 141 CVEs fixed, 1 exploited

The May 2026 Microsoft Patch Tuesday shipped 69 updates (KB articles) fixing 141 CVEs, 15 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.

April 2026: 153 CVEs fixed, 2 exploited

The April 2026 Microsoft Patch Tuesday shipped 53 updates (KB articles) fixing 153 CVEs, 10 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

March 2026: 61 CVEs fixed

The March 2026 Microsoft Patch Tuesday shipped 38 updates (KB articles) fixing 61 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.

February 2026: 39 CVEs fixed, 5 exploited

The February 2026 Microsoft Patch Tuesday shipped 29 updates (KB articles) fixing 39 CVEs, 0 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

January 2026: 109 CVEs fixed, 3 exploited

The January 2026 Microsoft Patch Tuesday shipped 27 updates (KB articles) fixing 109 CVEs, 11 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

December 2025: 224 CVEs fixed, 6 exploited

The December 2025 Microsoft Patch Tuesday shipped 55 updates (KB articles) fixing 224 CVEs, 21 of them rated Critical severity. 6 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

November 2025: 11 CVEs fixed

The November 2025 Microsoft Patch Tuesday shipped 16 updates (KB articles) fixing 11 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.

October 2025: 139 CVEs fixed, 4 exploited

The October 2025 Microsoft Patch Tuesday shipped 57 updates (KB articles) fixing 139 CVEs, 11 of them rated Critical severity. 4 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

September 2025: 61 CVEs fixed

The September 2025 Microsoft Patch Tuesday shipped 30 updates (KB articles) fixing 61 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.

August 2025: 243 CVEs fixed, 5 exploited

The August 2025 Microsoft Patch Tuesday shipped 67 updates (KB articles) fixing 243 CVEs, 28 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

July 2025: 64 CVEs fixed, 5 exploited

The July 2025 Microsoft Patch Tuesday shipped 37 updates (KB articles) fixing 64 CVEs, 5 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 3 were linked to ransomware activity.

June 2025: 99 CVEs fixed, 7 exploited

The June 2025 Microsoft Patch Tuesday shipped 31 updates (KB articles) fixing 99 CVEs, 0 of them rated Critical severity. 7 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

May 2025: 40 CVEs fixed, 4 exploited

The May 2025 Microsoft Patch Tuesday shipped 18 updates (KB articles) fixing 40 CVEs, 0 of them rated Critical severity. 4 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

April 2025: 110 CVEs fixed, 1 exploited

The April 2025 Microsoft Patch Tuesday shipped 35 updates (KB articles) fixing 110 CVEs, 0 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.

March 2025: 86 CVEs fixed, 9 exploited

The March 2025 Microsoft Patch Tuesday shipped 33 updates (KB articles) fixing 86 CVEs, 0 of them rated Critical severity. 9 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.

February 2025: 45 CVEs fixed, 2 exploited

The February 2025 Microsoft Patch Tuesday shipped 17 updates (KB articles) fixing 45 CVEs, 0 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

January 2025: 149 CVEs fixed, 3 exploited

The January 2025 Microsoft Patch Tuesday shipped 44 updates (KB articles) fixing 149 CVEs, 14 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

December 2024: 70 CVEs fixed, 1 exploited

The December 2024 Microsoft Patch Tuesday shipped 27 updates (KB articles) fixing 70 CVEs, 16 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.

November 2024: 82 CVEs fixed, 2 exploited

The November 2024 Microsoft Patch Tuesday shipped 34 updates (KB articles) fixing 82 CVEs, 9 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.

October 2024: 105 CVEs fixed, 3 exploited

The October 2024 Microsoft Patch Tuesday shipped 43 updates (KB articles) fixing 105 CVEs, 11 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

September 2024: 166 CVEs fixed, 6 exploited

The September 2024 Microsoft Patch Tuesday shipped 45 updates (KB articles) fixing 166 CVEs, 5 of them rated Critical severity. 6 were already being exploited in the wild (on the CISA KEV list) and needed patching first.

August 2024: 190 CVEs fixed, 10 exploited

The August 2024 Microsoft Patch Tuesday shipped 49 updates (KB articles) fixing 190 CVEs, 35 of them rated Critical severity. 10 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.

July 2024: 50 CVEs fixed, 2 exploited

The July 2024 Microsoft Patch Tuesday shipped 32 updates (KB articles) fixing 50 CVEs, 0 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.

June 2024: 23 CVEs fixed, 1 exploited

The June 2024 Microsoft Patch Tuesday shipped 16 updates (KB articles) fixing 23 CVEs, 4 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.

Trusted Patch Tuesday resources

The analyses the security community reads each month. Cross-reference these with the ranked view above.

Microsoft Security Update Guide: The authoritative source: every CVE Microsoft fixed this month, affected products, and KBs.
CISA Known Exploited Vulnerabilities: The U.S. catalog of CVEs confirmed exploited in the wild. Patch these first.
Zero Day Initiative, Security Update Review: In-depth monthly analysis from the researchers behind Pwn2Own.
Tenable Patch Tuesday analysis: Monthly breakdowns of the CVEs that matter and why.
Rapid7 Patch Tuesday: Patch Tuesday roundups with exploitation and attacker context.
Qualys Threat Research: Patch Tuesday roundups and prioritization guidance.
SANS Internet Storm Center: Community Patch Tuesday dashboard and per-CVE detail.
Krebs on Security: Plain-English monthly Patch Tuesday coverage.
BleepingComputer: News coverage of each Patch Tuesday and emerging exploits.

Frequently asked questions

What is Patch Tuesday?

Patch Tuesday is the second Tuesday of each month, when Microsoft releases its scheduled security updates across Windows, Office, Exchange, SharePoint, and the rest of the Microsoft 365, Intune, Defender, and Entra ID stack. Out-of-band updates ship between Patch Tuesdays when a fix cannot wait, and this page covers both. Senserva ranks each release by what attackers are actually exploiting, ties every CVE to the KB that fixes it, and, in your own tenant, tells you which of these updates are actually missing on your devices.

When is the next Patch Tuesday?

The next Microsoft Patch Tuesday is July 14, 2026. It falls on the second Tuesday of every month; upcoming dates are listed on this page.

What was in the latest Patch Tuesday?

The June 2026 release included 33 updates (KBs) fixing 244 CVEs, of which 1 is actively exploited (CISA KEV). The exploited CVEs, the highest-risk CVEs, and the full history are on this page.

Which Patch Tuesday updates should I install first?

Install the actively-exploited (CISA KEV) fixes first, then the highest EPSS and CVSS ones, then the rest. This page ranks every release that way, and Senserva applies the same order to the updates actually missing on your own devices.

What is a zero-day on Patch Tuesday?

A zero-day is a vulnerability already being exploited (or publicly disclosed) before a patch was available. Those are the CVEs to patch immediately; this page calls out the actively-exploited ones each month.

How often is this page updated?

Automatically, every day. The data refreshes from Microsoft MSRC, CISA KEV, and FIRST.org EPSS, and the month-by-month history is preserved so the archive only grows.

Is this Patch Tuesday tracker free?

Yes, free with no sign-in. Running Senserva adds the part a public page cannot: which of these updates are actually missing on your devices, ranked, with an approve-before-apply fix.

About the author

Mark Shavlik

Founder and CEO, Senserva

Mark Shavlik founded Senserva and, earlier, Shavlik Technologies, a pioneer of Windows patch management whose patching technology still keeps millions of computers up to date today. An early Microsoft engineer, he has spent decades keeping Microsoft environments patched and secure.
