Oh boy, oh boy, oh boy! We’re two weeks into June 2026, which means it’s time for another Patch Tuesday recap.
Did you also know that today is National Donald Duck Day? Seems fitting that the Disney character that most sysadmins can relate to (perpetually frustrated, often unlucky, overworked, prone to fits of rage, occasionally missing pants) is celebrated on a Patch Tuesday! Grab your pants, and let’s dive into the patch notes.
Severity
Total exploits patched: 198
Critical patches: 32
Important: 166
Moderate: 0
Low: 0
Vulnerability impact
Remote code execution: 54
Elevation of privilege: 63
Information disclosure: 26
Spoofing: 27
Tampering: 3
Denial of service: 7
Feature bypass: 18
Availability
Publicly disclosed: 3
Actively exploited: 0
Some highlights (or lowlights)
CVE-2026-26142, 44815, 45657, 47291, 47643: This month's headliners are five CVEs all sitting at a 9.8 CVSS score, all rated as remote code execution vulnerabilities, and all just waiting to ruin your day. I’m calling this group The Party of Five. I haven’t seen the show, but the name fits. The targets span HTTP.sys, the Windows Kernel, the DHCP Client Service, Azure Stack Edge, and Nuance PowerScribe. None are publicly known or actively exploited yet, but with network-accessible attack vectors, low complexity, and no user interaction required across the board, these are the ones to prioritize first.
CVE-2026-42985 (and friends): Remote Desktop Client gets 11 RCE CVEs this month, which is a lot of attention for one component. I’m calling this group the Redmond Football Club.
Three of the CVEs are rated an 8.8, the rest are all 7.5. The exploit pattern is consistent across the group: Connect a vulnerable RDP client to a malicious server, and an attacker gets remote code execution on your device. None are exploited yet, but 11 CVEs in one component in one month is definitely worth keeping an eye on.CVE-2026-50507: For our last highlight, we have three CVEs impacting BitLocker this month. What’s interesting is that all three of these CVEs were given a different rating, but CVE-2026-50507 isn’t even the highest rated of the three, even though it’s the one that’s publicly disclosed. Seems odd, but again, I don’t give the scores; I just report them.
While these aren’t the scariest CVEs this month, obviously, BitLocker is there to keep your data safe if your device falls into the wrong hands. So if your users have a history of “misplacing” their laptop, these patches all of a sudden become a big deal.
Wrapping up
That wraps up our Patch Tuesday coverage for this month. Happy Donald Duck Day to all my fellow sysadmins out there. We're overworked, underappreciated, and one faulty patch away from a meltdown, but we keep the lights on anyway. Maybe system administration isn’t all it’s quacked up to be, but could you imagine the absolute chaos that would ensue if we let normal users touch our precious systems?
If you find yourself needing a well-deserved break this Patch Tuesday, check out PDQ Connect. It can automate your Windows and third-party patching needs in minutes. Just imagine not having to worry about a new Chrome update every other day that ends in Y.
