GovCERT.HK - High Threat Security Alert (A26-06-18): Multiple Vulnerabilities in Microsoft Products (June 2026)

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun

Reports indicated that the proof-of-concept (PoC) exploit code for a security restriction bypass vulnerability (CVE-2026-45585, known as "YellowKey") is publicly available and it is at high risk of exploitation. System administrators are advised to follow the recommendations provided by the vendors to mitigate the elevated risk of cyber attacks.

Affected Systems:

Microsoft Edge prior to version 149.0.4022.53
Windows 10, 11, 11 version 24H2, 25H2, 26H1
Windows App Client
Windows Narrator Braille
Windows Server 2004, 2012, 2012 R2, 2016, 2019, 2022, 2025
Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, LTSC for Mac 2021, LTSC for Mac 2024, Office 365 for Mac
Office Online Server
Microsoft Word, Excel 2016
Microsoft Word, Excel, PowerPoint for Android
Microsoft 365 Apps for Enterprise
Microsoft Exchange Server 2016, 2019, Subscription Edition RTM
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019, Subscription Edition
Microsoft Visual Studio 2026
Microsoft Visual Studio Code CoPilot Chat Extension
.NET 8.0, 9.0, 10.0 installed on Linux, Mac OS and Windows
ASP.NET Core 8.0, 9.0, 10.0
Microsoft Bing Search for Android
Microsoft Teams
Visual Studio Code
Linux kernel - Microsoft MANA Network Driver
Microsoft Defender for Endpoint for Mac
Microsoft Dynamics 365
Microsoft Live Share Canvas SDK
Microsoft PC Manager
Microsoft PowerToys
Nuance PowerScribe 360 4.0
Nuance PowerScribe One 2019.1-2019.10
PowerScribe One 2023.1 SP2 Patch 11, 2023.1 SP3 Patch 6
Remote Desktop client

For detailed information of the affected systems, please refer to the corresponding security advisories at vendor's website.

Impact:

Depending on the vulnerabilities exploited, a successful attack could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security restriction bypass, spoofing or tampering on an affected system.

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun
https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-june-2026
https://www.hkcert.org/security-bulletin/microsoft-edge-multiple-vulnerabilities_20260610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8863
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10892
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10923
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-10984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11034 (to CVE-2026-11035)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11064 (to CVE-2026-11065)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11290 (to CVE-2026-11291)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11295
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-11297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40371
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42828 (to CVE-2026-42829)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42835 (to CVE-2026-42837)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42902 (to CVE-2026-42916)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42968 (to CVE-2026-42974)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42977 (to CVE-2026-42981)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42983 (to CVE-2026-42987)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42991 (to CVE-2026-42993)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44801 (to CVE-2026-44805)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44807 (to CVE-2026-44815)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44817 (to CVE-2026-44824)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45453 (to CVE-2026-45469)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45471 (to CVE-2026-45472)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45474 (to CVE-2026-45476)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45481 (to CVE-2026-45487)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45490 (to CVE-2026-45491)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45500 (to CVE-2026-45504)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45585 (to CVE-2026-45586)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45591 (to CVE-2026-45608)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45634 (to CVE-2026-45645)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45647 (to CVE-2026-45650)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-45653 (to CVE-2026-45658)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47287 (to CVE-2026-47289)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47291 (to CVE-2026-47293)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47298
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47634 (to CVE-2026-47641)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47652 (to CVE-2026-47654)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-47656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48562 (to CVE-2026-48563)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48565 (to CVE-2026-48566)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48568 (to CVE-2026-48570)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48573 (to CVE-2026-48576)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-49160 (to CVE-2026-49161)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50507 (to CVE-2026-50508)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50511 (to CVE-2026-50512)

Tag: Microsoft , Edge , Windows , Windows Server , Microsoft Office , Office Online Server , Word , Excel , PowerPoint , Microsoft 365 Apps , Microsoft Exchange Server , SharePoint , Visual Studio , .NET , Microsoft Bing Search , Microsoft Teams , Visual Studio Code , Microsoft MANA Network Driver , Microsoft Defender , Dynamics 365 , Microsoft Live Share Canvas , PC Manager , PowerToys , PowerScribe , Remote Desktop