
June 2026 Patch Tuesday: 206 Bugs, 28 Critical RCEs - Patch These First

blog.talosintelligence.com · @threat_watch · 5 hours ago · Cybersecurity · 2 comments

Microsoft disclosed 206 vulnerabilities on Tuesday, 32 of them critical, including 28 critical remote code execution vulnerabilities.

Tags: microsoft, talos, patch tuesday, remote code execution, windows security, snort

Microsoft's June 2026 Patch Tuesday ships 206 vulnerabilities, 32 of them critical—28 of those critical bugs are remote code execution (RCE) vulnerabilities. That's a 28-bug RCE attack surface spanning Windows Active Directory, Kerberos KDC, Hyper-V, Remote Desktop Client, HTTP Protocol Stack, Office, and Azure Kubernetes Service. Talos, Cisco's threat intelligence arm, is sounding the alarm with a new Snort ruleset covering the most dangerous ones.

206 Vulnerabilities, 28 Critical RCEs — The Scope

Of the 32 critical entries, 28 are remote code execution. The remaining four are privilege escalation, information disclosure, and an authentication bypass in Azure HorizonDB. Microsoft's own assessment rates four of these RCEs as "more likely" to be exploited—these are the ones Talos wants you to patch first. Another 23 critical RCEs are tagged "less likely" but still carry active exploit potential in specific scenarios, like a victim connecting to an attacker-controlled RDP server.

The Four CVEs Talos Says to Treat as Active Threats

CVE-2026-42985 is a heap-based buffer overflow in the Remote Desktop Client. An unauthenticated attacker can execute code over the network—no user interaction required beyond a victim connecting to a malicious RDP server. CVE-2026-47291 hits the Windows HTTP Protocol Stack (http.sys) with an integer overflow or wraparound. Sending a specially crafted packet to a targeted server triggers RCE from an unauthenticated position. CVE-2026-44803 and CVE-2026-44812 are both integer overflows in the Windows Graphics component (Win32K GRFX subsystem). These require local access but allow an attacker to execute code at SYSTEM level once inside.

Windows Kernel, Hyper-V, and Office — Attack Surface Broadens

Talos also flags CVE-2026-45657, a use-after-free in the Windows Kernel that can be triggered remotely by sending malicious TCP/IP network traffic to a vulnerable system. That's a no-sign-in, no-click RCE with system-level privileges—the kind that keeps incident responders awake. Hyper-V has three critical RCE bugs (CVE-2026-45607, CVE-2026-45641, CVE-2026-47652) all stemming from out-of-bounds reads. An authenticated guest VM can send specially crafted file operations to hardware resources and execute code on the host. Three type-confusion bugs in Microsoft Outlook and Word (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635) are exploitable through the Outlook preview pane—classic Office users are at risk just by reading email.

Snort Rules Hit the Street — Block What You Can't Patch

Talos has released Snort 2 rules 66572-66577, 66581, 66589, 66590, 66594, 66595, 66601-66604 and Snort 3 rules 301523-301525, 301527-301529, 301531, 301532 to detect exploitation attempts against these vulnerabilities. Cisco Security Firewall customers should update their SRU immediately. Talos's Snort rules are live now on Snort.org. If you can't patch, block the traffic—these bugs aren't waiting for your next maintenance window.
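
To confirm that the rule IDs listed above are actually present and enabled after a rule update, the following added example (not from Talos or the original post) expands the SID ranges and classifies each one against a rules file. It assumes one rule per line and that disabled rules are commented out with `#`; the sample rules are constructed placeholders, not Talos rule content.

```python
import re

# SID lists copied from the paragraph above.
SNORT2_SIDS = "66572-66577, 66581, 66589, 66590, 66594, 66595, 66601-66604"
SNORT3_SIDS = "301523-301525, 301527-301529, 301531, 301532"

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "block", "reject", "sdrop", "log", "pass")


def expand(spec):
    """Turn '66572-66577, 66581' into a set of integer SIDs."""
    sids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sids


def coverage(rules_text, wanted):
    """Classify each wanted SID as enabled, disabled (commented out) or missing."""
    state = {sid: "missing" for sid in wanted}
    for line in rules_text.splitlines():
        body = line.strip()
        commented = body.startswith("#")
        body = body.lstrip("# \t")
        m = SID_RE.search(body)
        if not m or not body.startswith(ACTIONS):
            continue  # prose comment or non-rule line
        sid = int(m.group(1))
        if sid in state and state[sid] != "enabled":
            state[sid] = "disabled" if commented else "enabled"
    return state


# Constructed sample: rule bodies are placeholders, not Talos rule content.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"placeholder"; sid:66572; rev:1;)
# alert tcp any any -> any any (msg:"placeholder"; sid:66573; rev:1;)
alert tcp any any -> any any (msg:"placeholder"; sid:66581; rev:1;)
alert tcp any any -> any any (msg:"unrelated"; sid:12345; rev:1;)
"""

if __name__ == "__main__":
    report = coverage(SAMPLE_RULES, expand(SNORT2_SIDS))
    for sid in sorted(report):
        print(sid, report[sid])
```

Run `coverage()` over the text of the deployed rules file instead of `SAMPLE_RULES`; any SID reported as `disabled` or `missing` means that detection is not active on the sensor.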


Source: Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities
Domain: blog.talosintelligence.com
