June 2026 Top Common Vulnerabilities and Exposures Recap

June 2026 delivered hundreds of high-scoring patches, with Microsoft alone shipping close to 200-210 CVEs (depending on which vendor’s count you follow), Adobe patching 123 flaws, and Chrome/Edge fixing over 500 issues between them. Analysts widely attributed the surge to accelerated AI-assisted vulnerability discovery research on both the offensive and defensive sides. Below are ten of the month’s most significant CVEs, spanning zero-days, actively exploited flaws, and maximum-severity bugs across the enterprise stack.
1. CVE-2026-50507 — Windows BitLocker Security Feature Bypass (“YellowKey”)
Link: https://www.cve.org/CVERecord?id=CVE-2026-50507
A publicly disclosed zero-day affecting BitLocker, nicknamed “YellowKey” by the researcher who released proof-of-concept code in May. It carries a CVSS score of 6.8 and requires physical access to exploit, but Microsoft flagged it as “Exploitation More Likely.” A second related BitLocker bypass, CVE-2026-45585, forced baseline updates for hotpatch-enrolled Windows 11 Enterprise systems this month.
2. CVE-2026-49160 — Windows HTTP Protocol Stack Denial of Service
Link: https://www.cve.org/CVERecord?id=CVE-2026-49160
A CVSS 7.8 denial-of-service zero-day in the Windows HTTP Protocol Stack, used by numerous core Windows services. Notably, Microsoft credited OpenAI’s Codex with reporting this vulnerability, making it one of the first widely publicized examples of an AI coding tool surfacing a real-world Windows zero-day.
3. CVE-2026-45586 — CTFMON Elevation of Privilege
Link: https://www.cve.org/CVERecord?id=CVE-2026-45586
One of three zero-days disclosed in Microsoft’s June release, this privilege escalation flaw in CTFMON (the Windows text input/IME service) was publicly disclosed by the researcher known as Nightmare Eclipse before a patch was available.
4. CVE-2026-42897 — Microsoft Exchange Server Remote Code Execution
Link: https://www.cve.org/CVERecord?id=CVE-2026-42897
Originally disclosed in May, this Exchange Server RCE flaw was confirmed under active exploitation in the wild going into June. Organizations that hadn’t yet patched Exchange were urged to prioritize it immediately alongside the June cumulative update.
5. CVE-2026-47288 — Active Directory Kerberos Remote Code Execution
Link: https://www.cve.org/CVERecord?id=CVE-2026-47288
A critical RCE affecting the core Kerberos authentication component of Active Directory. Given Kerberos’s central role in domain authentication, this vulnerability drew particular attention from enterprises running on-premises Active Directory infrastructure.
6. CVE-2026-45648 — Active Directory Domain Services Vulnerability
Link: https://www.cve.org/CVERecord?id=CVE-2026-45648
Rated CVSS 8.8, this flaw affects Active Directory Domain Services (AD DS) and was called out alongside the Kerberos RCE above as a high-priority patch for any organization running on-prem domain controllers.
7. CVE-2026-48567 — Azure HorizonDB Elevation of Privilege
Link: https://www.cve.org/CVERecord?id=CVE-2026-48567
A maximum-severity CVSS 10.0 elevation-of-privilege flaw in Azure HorizonDB. Microsoft had already remediated this on the service side before publishing the advisory, so it’s documented for transparency rather than requiring customer action — but its perfect severity score made it one of the month’s most eye-catching entries.
8. CVE-2026-27671 — SAP NetWeaver ABAP Memory Corruption
Link: https://www.cve.org/CVERecord?id=CVE-2026-27671
A CVSS 9.8 memory corruption vulnerability in SAP Application Server ABAP and the ABAP Platform, part of SAP’s June Security Patch Day haul of 15 fixes. It requires no authentication and can affect confidentiality, integrity, and availability simultaneously, making it one of the most severe enterprise vulnerabilities of the month.
9. CVE-2026-11645 — Google Chrome Zero-Day
Link: https://www.cve.org/CVERecord?id=CVE-2026-11645
A zero-day exploit patched in a Chrome update that resolved 74 CVEs, coming on the heels of an even larger Chrome release earlier in June that fixed 429 issues. Microsoft Edge, built on Chromium, required the same fix, making browser patching a top priority across the industry this month.
10. CVE-2026-41091 — Microsoft Defender Elevation of Privilege (“RedSun”)
Link: https://www.cve.org/CVERecord?id=CVE-2026-41091
An actively exploited, weaponized, and publicly known EoP vulnerability in Microsoft Defender, tracked under the name “RedSun.” An unprivileged attacker can trick Defender into writing a malicious file back to a privileged location, gaining SYSTEM-level access. Its combination of active exploitation and weaponized tooling made it one of the most urgent patches of the month.