Summary
- Microsoft’s June 2026 security updates address 206 vulnerabilities, according to NHS England.
- NHS England says exploitation of CVE-2026-41091 in Microsoft Defender has been detected.
- The update set combines endpoint, kernel, HTTP.sys, BitLocker, and broader Windows estate risk.
Microsoft has released its June 2026 security updates, with NHS England warning that the release addresses 206 vulnerabilities across Microsoft products and includes an exploited Microsoft Defender flaw.
NHS England’s National Cyber Security Operations Centre highlighted five vulnerabilities from the June update set. The most operationally immediate is CVE-2026-41091, a Microsoft Defender privilege escalation vulnerability with a CVSS score of 7.8. NHS England says Microsoft has detected exploitation and assesses future exploitation as highly likely.
The flaw arises from improper link resolution before file access in Microsoft Defender. NVD describes the issue as allowing an authorised attacker to elevate privileges locally. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalogue as Microsoft Defender Link Following Vulnerability.
The June update set is broader than Defender. NHS England also highlights CVE-2026-45657, a Windows Kernel remote code execution vulnerability with a CVSS score of 9.8; CVE-2026-47291, a Windows HTTP.sys remote code execution vulnerability also scored at 9.8; and BitLocker security feature bypass vulnerabilities tracked as CVE-2026-45585 and CVE-2026-50507.
Microsoft’s own Security Update Guide is the definitive vendor reference, while NHS England’s alert brings the release into a UK health and care context. The NVD entry for CVE-2026-41091 confirms the Defender vulnerability description, CVSS score, affected Malware Protection Engine range, and CISA KEV status.
The release lands across a Windows estate that remains foundational for much of the UK and European public and private sector. When update sets include exploited endpoint-protection flaws, remote code execution in core Windows components, and security bypass issues affecting disk protection, patching becomes an operational discipline test.
Defender creates an awkward risk profile. Endpoint protection forms part of the defensive control layer. A vulnerability in that layer can weaken assumptions about what is trusted, what is monitored, and what can be used safely during response. Local privilege escalation does require some level of access, but many intrusions begin with exactly that foothold: a phished user, stolen credential, exposed remote access path, or compromised endpoint.
The inclusion of critical Windows Kernel and HTTP.sys remote code execution vulnerabilities also broadens the exposure picture. Organisations need to distinguish between internet-reachable systems, internal servers, endpoints, and systems where patching requires extended testing. The most visible patch dashboards can hide the systems most likely to cause business disruption if they fail.
The BitLocker bypass issues add a different governance dimension. Disk encryption is often treated as a settled compliance control, especially for mobile workforces and regulated data. A security feature bypass does not automatically mean encrypted data is exposed across the estate, but it does require organisations to reassess device risk, travel risk, lost-device assumptions, and mitigations such as TPM plus PIN where relevant.
NHS and other regulated environments need prioritisation rather than blanket urgency. The release covers too many vulnerabilities for every system to be treated identically. Exploited vulnerabilities, internet-reachable services, identity-adjacent infrastructure, privileged administration workstations, and systems supporting clinical or operational continuity should sit at the front of the queue.
Patch management is often reported as a technical metric, yet the consequences of failure sit with service owners. Where a security update touches endpoint defence, remote code execution, recovery controls, and core operating system functions at once, the decision is not only whether IT can apply patches. It is whether the organisation knows which systems carry the most operational risk.





