June 2026 Patch Tuesday forecast: Where are the CVEs?

My forecast from last month was only partly right. After the Anthropic Mythos announcements and the deluge of newly discovered vulnerabilities from vendors like Mozilla, Microsoft’s updates were standard fare, with 65 CVEs reported in Windows 11 and 58 in Windows 10.

The Microsoft Office releases were a bit higher with 19 CVEs or so reported for the online versions. Apple did indeed release their OS security updates the day before Patch Tuesday, which garnered some attention, and helped with a combined Windows and macOS set of deployments. The good news, with the exception of a minor Windows 11 problem, is that it all passed normally without a lot of reported issues in the following days.


Microsoft Defender blocks newly exploited RedSun and UnDefend threats

Microsoft only had one major out-of-band release since May Patch Tuesday. A May 21st release addressed CVE-2026-45659, a remote code execution vulnerability in Windows SharePoint Server. Three KBs covered SharePoint Enterprise Server 2016, Server 2019 and Server Subscription Edition. This vulnerability carries a CVSS of 8.8 and is not known to be publicly disclosed or exploited at this point.

The fix will be rolled into the June Patch Tuesday release. That release will also contain a fix for the failures and errors when installing KB5089549 for Windows 11. Microsoft acknowledged “this issue occurs on devices that have limited free space on the EFI System Partition (ESP), especially if it has 10 MB or less available.”

Last month I mentioned the Microsoft Defender exploit Bluehammer was fixed with a zero-day update on April Patch Tuesday. Fixes for two additional exploits, RedSun associated with CVE-2026-41091 and UnDefend with CVE-2026-45498, were released and dynamically updated the malware protection engine in Microsoft Defender on May 19th.

There was some controversy surrounding these vulnerabilities because their disclosure was made with proof-of-concept code and they were quickly exploited by threat actors. Regardless, ensure you have Microsoft Defender enabled and that it has updated to the latest version.

Microsoft launches Driver Quality Initiative

Microsoft reported exploitation of CVE-2026-42897, a spoofing vulnerability rated Critical in Microsoft Exchange Server. It carries a CVSS of 8.1. This is a cross-site scripting issue within Outlook Web Access. There is no patch for the vulnerability at this time but per Microsoft, “the Exchange Emergency Mitigation Service will provide mitigation automatically, and is on by default.” Make sure to check your configuration and confirm the service is enabled so you are protected from the known active threats.
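One way to confirm the Exchange Emergency Mitigation Service is actually active on each server, as an added example that is not Microsoft's code or part of the original article. It assumes the Exchange Management Shell and CIM/WinRM access to each server; the mitigation ID for CVE-2026-42897 is not given here, so the script lists whatever mitigations are applied rather than matching one.

```powershell
# Added example (not Microsoft's code). Run in the Exchange Management Shell.
# Read-only: it reports state and changes no setting.

# Organization-wide switch: if $false, no server applies mitigations.
$orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

# The EM service is installed on Mailbox servers, not on Edge Transport.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'Mailbox' }

$report = foreach ($srv in $servers) {
    # Windows service that downloads and applies the mitigations.
    # Assumption: this host can reach each server over WinRM/CIM.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $srv.Fqdn `
        -Filter "Name='MSExchangeMitigation'" -ErrorAction SilentlyContinue

    $running = ($null -ne $svc) -and ($svc.State -eq 'Running')

    [pscustomobject]@{
        Server     = $srv.Name
        OrgEnabled = $orgEnabled
        SrvEnabled = $srv.MitigationsEnabled
        Service    = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'not found' }
        Applied    = @($srv.MitigationsApplied) -join ', '
        Blocked    = @($srv.MitigationsBlocked) -join ', '
        # All three must hold for new mitigations to be applied automatically.
        AutoMitigating = $orgEnabled -and $srv.MitigationsEnabled -and $running
    }
}

$report | Format-Table -AutoSize -Wrap

# Surface the servers that need attention.
$gaps = $report | Where-Object { -not $_.AutoMitigating }
if ($gaps) { Write-Warning ("Not auto-mitigating: " + ($gaps.Server -join ', ')) }
```

A server can show the feature enabled and still be unprotected if the service is stopped or an administrator has listed the relevant mitigation under `MitigationsBlocked`, so read all columns together.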

This month, Microsoft held their first Windows Hardware Engineering Conference (WinHEC 2026) since 2018. At the conference they introduced the new Driver Quality Initiative project. Per the article, they want to “fundamentally raise the bar on driver quality, reliability and security across Windows.” A positive user experience is based on hardware devices, drivers and software working together smoothly and Microsoft emphasized this requires a partnership between hardware and software vendors.

With this project, Microsoft will be working closely with its partners by providing tools and utilities to raise driver quality. This looks to be an interesting initiative and we’ll have to watch how it evolves and its impact on the user experience.

June 2026 Patch Tuesday forecast

  • Expect the standard Microsoft OS, Office and SharePoint updates. Be on the lookout for an Exchange Server update to address the reported exploited vulnerability CVE-2026-42897.
  • The Adobe rotation for Creative Cloud Apps updates will most likely contain InCopy, InDesign, Photoshop, and perhaps Acrobat depending on which vulnerabilities have surfaced.
  • Apple’s security update on May 11th covered all their operating systems and Safari. Based on their release schedule, we shouldn’t see anything new next week.
  • Google Chrome 150 was released into the beta channel this week so we should see the final Desktop version on Patch Tuesday.
  • Mozilla released Firefox 151.0.3 this week addressing two vulnerabilities rated High. I expect corresponding Thunderbird, Thunderbird ESR, and Firefox ESR updates either before or on Patch Tuesday. Mozilla has accelerated some of their releases to once a week for the past several weeks.
  • Oracle has announced they will be providing security updates in the months between their quarterly Critical Product Updates. The Critical Security Patch Update Advisory, May 2026 was recently announced.

Microsoft didn’t have many new patches to release throughout the month despite a lot of company activity I reported. We’ll have to wait and see if the AI tools discover more issues and if the reported CVEs increase this month.
