Microsoft Patches 206 Vulnerabilities Including 3 Critical Zero‑Days Affecting Windows Kernel, Network Stack, and HTTP.sys
What Happened — Microsoft released its June 2026 Patch Tuesday update, fixing 206 security flaws across Windows client, server, and Azure services. The bundle contains three critical zero‑day vulnerabilities with CVSS scores up to 9.8, targeting the kernel, networking stack, and the HTTP.sys driver.
Why It Matters for TPRM —
- Unpatched endpoints can be remotely compromised, exposing data that third‑party vendors process on behalf of their customers.
- Zero‑day exploits bypass traditional defenses, raising the likelihood of a breach that propagates through supply‑chain relationships.
- The wide‑ranging impact on core OS components means many SaaS, cloud, and on‑premises environments inherit the same risk.
Who Is Affected — Organizations of all sizes that run Windows 10/11, Windows Server, Azure Virtual Machines, or rely on Microsoft‑hosted services (e.g., Office 365, Dynamics 365).
Recommended Actions — Deploy the June 2026 patches immediately via WSUS, SCCM, or Intune; verify successful installation; re‑scan for the disclosed CVEs; and review patch‑management and compensating‑control processes for any legacy systems that cannot be updated.
Technical Notes — The three zero‑days enable kernel‑mode code execution, remote network‑stack RCE, and HTTP.sys request‑smuggling. CVSS scores range from 9.3 to 9.8. No public exploits were known before the patch release. Source: HackRead