Microsoft Patch Tuesday: June 2026
Analysis by Mark Shavlik · Updated 2026-07-01
This month is lighter on raw volume, but volume is not the story on Patch Tuesday; exploitation is. At least one fix this release closes a vulnerability already being used in attacks, so that is where every team should start, then work down by EPSS exploit probability and severity. If you have not automated the question of which of these updates you are actually missing, that is the gap that turns a patch list into an incident.
The place to start on Patch Tuesday. Every month Microsoft releases its security updates on the second Tuesday, and this page ranks them by what attackers are actually exploiting, calls out the zero-days by name, and keeps a full history. Next Patch Tuesday: July 14, 2026.
Actively exploited this release
These are the June 2026 CVEs already being exploited in the wild (on the CISA KEV list). Patch them first, everywhere.
No CVEs from the June 2026 release are on the CISA KEV list yet. That can change within days of release, so check back, and patch the highest-risk items below in the meantime.
By the numbers
- 33 updates (KB articles), on the Microsoft Security Update Guide
- 244 CVEs fixed
- 15 Critical-severity updates
- 1 actively exploited (CISA KEV)
- 0 ransomware-linked
Upcoming Patch Tuesday dates
Microsoft ships updates on the second Tuesday of each month.
- July 14, 2026
- August 11, 2026
- September 8, 2026
- October 13, 2026
- November 10, 2026
- December 8, 2026
- January 12, 2027
- February 9, 2027
- March 9, 2027
- April 13, 2027
- May 11, 2027
- June 8, 2027
How to prioritize on Patch Tuesday
- Exploited first. Anything on CISA KEV is being used in attacks now. Patch it before anything else.
- Then high exploit-probability. Sort the rest by FIRST.org EPSS, the chance a CVE is exploited soon.
- Then Critical severity. Remote code execution on internet-facing systems comes next.
- Match it to your estate. A CVE only matters if you run the affected product. Senserva ranks these against the updates actually missing on your own devices.
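The ordering in this list, as an added example (not Senserva's code or data model): after filtering to products you run and KBs you are missing, each KB inherits the worst CVE it fixes and is ranked KEV first, then EPSS, then severity. The `Fix` record, the function name, and every CVE, KB and product value below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
UNKNOWN_SEVERITY = len(SEVERITY_ORDER)

@dataclass(frozen=True)
class Fix:
    cve: str               # constructed placeholder, not a real CVE id
    kb: str                # constructed placeholder, not a real KB number
    product: str
    severity: str
    epss: Optional[float]  # None when EPSS has not scored the CVE yet
    kev: bool              # True if the CVE is on the CISA KEV list

def rank_missing_kbs(fixes, installed_products, missing_kbs):
    """Return missing KBs ordered: KEV first, then EPSS, then severity."""
    per_kb = {}
    for f in fixes:
        # Match to the estate: ignore products not run and KBs already applied.
        if f.product not in installed_products or f.kb not in missing_kbs:
            continue
        kev, epss, sev = per_kb.get(f.kb, (False, 0.0, UNKNOWN_SEVERITY))
        # A KB inherits the worst attribute of any CVE it fixes.
        per_kb[f.kb] = (
            kev or f.kev,
            max(epss, f.epss or 0.0),
            min(sev, SEVERITY_ORDER.get(f.severity, UNKNOWN_SEVERITY)),
        )
    # Sort key: exploited, EPSS descending, severity rank, KB id as tie-break.
    return sorted(
        per_kb,
        key=lambda kb: (not per_kb[kb][0], -per_kb[kb][1], per_kb[kb][2], kb),
    )

# Constructed sample data for illustration only.
SAMPLE_FIXES = [
    Fix("CVE-EXAMPLE-0001", "KB-EXAMPLE-A", "Windows 11", "Important", 0.02, True),
    Fix("CVE-EXAMPLE-0002", "KB-EXAMPLE-A", "Windows 11", "Critical", 0.40, False),
    Fix("CVE-EXAMPLE-0003", "KB-EXAMPLE-B", "Exchange Server", "Critical", 0.91, False),
    Fix("CVE-EXAMPLE-0004", "KB-EXAMPLE-C", "Office", "Critical", None, False),
    Fix("CVE-EXAMPLE-0005", "KB-EXAMPLE-D", "Office", "Important", 0.35, False),
    Fix("CVE-EXAMPLE-0006", "KB-EXAMPLE-E", "SharePoint Server", "Critical", 0.97, True),
    Fix("CVE-EXAMPLE-0007", "KB-EXAMPLE-F", "Windows 11", "Critical", 0.88, False),
]
INSTALLED = {"Windows 11", "Exchange Server", "Office"}
MISSING = {"KB-EXAMPLE-A", "KB-EXAMPLE-B", "KB-EXAMPLE-C", "KB-EXAMPLE-D", "KB-EXAMPLE-E"}

if __name__ == "__main__":
    for kb in rank_missing_kbs(SAMPLE_FIXES, INSTALLED, MISSING):
        print(kb)
```

A CVE with no EPSS score yet sorts as 0.0, so in the sample the unscored Critical (KB-EXAMPLE-C) lands below a scored Important; re-run the ranking once EPSS publishes a score.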
Patch Tuesday history
Every month since we started tracking, newest first. Tracking 25 releases, 935 updates and 83 actively-exploited CVEs in total.
| Month | Updates | CVEs | Exploited | Ransomware | Critical |
|---|---|---|---|---|---|
| June 2026 | 33 | 244 | 1 | 0 | 15 |
| May 2026 | 69 | 141 | 1 | 0 | 15 |
| April 2026 | 53 | 153 | 2 | 0 | 10 |
| March 2026 | 38 | 61 | 0 | 0 | 0 |
| February 2026 | 29 | 39 | 5 | 0 | 0 |
| January 2026 | 27 | 109 | 3 | 0 | 11 |
| December 2025 | 55 | 224 | 6 | 0 | 21 |
| November 2025 | 16 | 11 | 0 | 0 | 0 |
| October 2025 | 57 | 139 | 4 | 0 | 11 |
| September 2025 | 30 | 61 | 0 | 0 | 0 |
| August 2025 | 67 | 243 | 5 | 0 | 28 |
| July 2025 | 37 | 64 | 5 | 3 | 5 |
| June 2025 | 31 | 99 | 7 | 0 | 0 |
| May 2025 | 18 | 40 | 4 | 0 | 0 |
| April 2025 | 35 | 110 | 1 | 1 | 0 |
| March 2025 | 33 | 86 | 9 | 1 | 0 |
| February 2025 | 17 | 45 | 2 | 0 | 0 |
| January 2025 | 44 | 149 | 3 | 0 | 14 |
| December 2024 | 27 | 70 | 1 | 0 | 16 |
| November 2024 | 34 | 82 | 2 | 1 | 9 |
| October 2024 | 43 | 105 | 3 | 0 | 11 |
| September 2024 | 45 | 166 | 6 | 0 | 5 |
| August 2024 | 49 | 190 | 10 | 1 | 35 |
| July 2024 | 32 | 50 | 2 | 1 | 0 |
| June 2024 | 16 | 23 | 1 | 0 | 4 |
Month-by-month recap
A plain-English summary of each Patch Tuesday.
June 2026: 244 CVEs fixed, 1 exploited
The June 2026 Microsoft Patch Tuesday shipped 33 updates (KB articles) fixing 244 CVEs, 15 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.
May 2026: 141 CVEs fixed, 1 exploited
The May 2026 Microsoft Patch Tuesday shipped 69 updates (KB articles) fixing 141 CVEs, 15 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.
April 2026: 153 CVEs fixed, 2 exploited
The April 2026 Microsoft Patch Tuesday shipped 53 updates (KB articles) fixing 153 CVEs, 10 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
March 2026: 61 CVEs fixed
The March 2026 Microsoft Patch Tuesday shipped 38 updates (KB articles) fixing 61 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.
February 2026: 39 CVEs fixed, 5 exploited
The February 2026 Microsoft Patch Tuesday shipped 29 updates (KB articles) fixing 39 CVEs, 0 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
January 2026: 109 CVEs fixed, 3 exploited
The January 2026 Microsoft Patch Tuesday shipped 27 updates (KB articles) fixing 109 CVEs, 11 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
December 2025: 224 CVEs fixed, 6 exploited
The December 2025 Microsoft Patch Tuesday shipped 55 updates (KB articles) fixing 224 CVEs, 21 of them rated Critical severity. 6 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
November 2025: 11 CVEs fixed
The November 2025 Microsoft Patch Tuesday shipped 16 updates (KB articles) fixing 11 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.
October 2025: 139 CVEs fixed, 4 exploited
The October 2025 Microsoft Patch Tuesday shipped 57 updates (KB articles) fixing 139 CVEs, 11 of them rated Critical severity. 4 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
September 2025: 61 CVEs fixed
The September 2025 Microsoft Patch Tuesday shipped 30 updates (KB articles) fixing 61 CVEs, 0 of them rated Critical severity. None from this release were on the CISA KEV exploited list at the time.
August 2025: 243 CVEs fixed, 5 exploited
The August 2025 Microsoft Patch Tuesday shipped 67 updates (KB articles) fixing 243 CVEs, 28 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
July 2025: 64 CVEs fixed, 5 exploited
The July 2025 Microsoft Patch Tuesday shipped 37 updates (KB articles) fixing 64 CVEs, 5 of them rated Critical severity. 5 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 3 were linked to ransomware activity.
June 2025: 99 CVEs fixed, 7 exploited
The June 2025 Microsoft Patch Tuesday shipped 31 updates (KB articles) fixing 99 CVEs, 0 of them rated Critical severity. 7 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
May 2025: 40 CVEs fixed, 4 exploited
The May 2025 Microsoft Patch Tuesday shipped 18 updates (KB articles) fixing 40 CVEs, 0 of them rated Critical severity. 4 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
April 2025: 110 CVEs fixed, 1 exploited
The April 2025 Microsoft Patch Tuesday shipped 35 updates (KB articles) fixing 110 CVEs, 0 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.
March 2025: 86 CVEs fixed, 9 exploited
The March 2025 Microsoft Patch Tuesday shipped 33 updates (KB articles) fixing 86 CVEs, 0 of them rated Critical severity. 9 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.
February 2025: 45 CVEs fixed, 2 exploited
The February 2025 Microsoft Patch Tuesday shipped 17 updates (KB articles) fixing 45 CVEs, 0 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
January 2025: 149 CVEs fixed, 3 exploited
The January 2025 Microsoft Patch Tuesday shipped 44 updates (KB articles) fixing 149 CVEs, 14 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
December 2024: 70 CVEs fixed, 1 exploited
The December 2024 Microsoft Patch Tuesday shipped 27 updates (KB articles) fixing 70 CVEs, 16 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.
November 2024: 82 CVEs fixed, 2 exploited
The November 2024 Microsoft Patch Tuesday shipped 34 updates (KB articles) fixing 82 CVEs, 9 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.
October 2024: 105 CVEs fixed, 3 exploited
The October 2024 Microsoft Patch Tuesday shipped 43 updates (KB articles) fixing 105 CVEs, 11 of them rated Critical severity. 3 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
September 2024: 166 CVEs fixed, 6 exploited
The September 2024 Microsoft Patch Tuesday shipped 45 updates (KB articles) fixing 166 CVEs, 5 of them rated Critical severity. 6 were already being exploited in the wild (on the CISA KEV list) and needed patching first.
August 2024: 190 CVEs fixed, 10 exploited
The August 2024 Microsoft Patch Tuesday shipped 49 updates (KB articles) fixing 190 CVEs, 35 of them rated Critical severity. 10 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.
July 2024: 50 CVEs fixed, 2 exploited
The July 2024 Microsoft Patch Tuesday shipped 32 updates (KB articles) fixing 50 CVEs, 0 of them rated Critical severity. 2 were already being exploited in the wild (on the CISA KEV list) and needed patching first. 1 was linked to ransomware activity.
June 2024: 23 CVEs fixed, 1 exploited
The June 2024 Microsoft Patch Tuesday shipped 16 updates (KB articles) fixing 23 CVEs, 4 of them rated Critical severity. 1 was already being exploited in the wild (on the CISA KEV list) and needed patching first.
Frequently asked questions
What is Patch Tuesday?
Patch Tuesday is the second Tuesday of each month, when Microsoft releases its scheduled security updates across Windows, Office, Exchange, SharePoint, and the rest of the Microsoft 365, Intune, Defender, and Entra ID stack. Out-of-band updates ship between Patch Tuesdays when a fix cannot wait, and this page covers both. Senserva ranks each release by what attackers are actually exploiting, ties every CVE to the KB that fixes it, and, in your own tenant, tells you which of these updates are actually missing on your devices.
When is the next Patch Tuesday?
The next Microsoft Patch Tuesday is July 14, 2026. It falls on the second Tuesday of every month; upcoming dates are listed on this page.
What was in the latest Patch Tuesday?
The June 2026 release included 33 updates (KBs) fixing 244 CVEs, of which 1 is actively exploited (CISA KEV). The exploited CVEs, the highest-risk CVEs, and the full history are on this page.
Which Patch Tuesday updates should I install first?
Install the actively-exploited (CISA KEV) fixes first, then the highest EPSS and CVSS ones, then the rest. This page ranks every release that way, and Senserva applies the same order to the updates actually missing on your own devices.
What is a zero-day on Patch Tuesday?
A zero-day is a vulnerability already being exploited (or publicly disclosed) before a patch was available. Those are the CVEs to patch immediately; this page calls out the actively-exploited ones each month.
How often is this page updated?
Automatically, every day. The data refreshes from Microsoft MSRC, CISA KEV, and FIRST.org EPSS, and the month-by-month history is preserved so the archive only grows.
Is this Patch Tuesday tracker free?
Yes, free with no sign-in. Running Senserva adds the part a public page cannot: which of these updates are actually missing on your devices, ranked, with an approve-before-apply fix.
About the author
Mark Shavlik
Mark Shavlik founded Senserva and, earlier, Shavlik Technologies, a pioneer of Windows patch management whose patching technology still keeps millions of computers up to date today. An early Microsoft engineer, he has spent decades keeping Microsoft environments patched and secure.