Microsoft Patch Tuesday June 2026 — Copilot CVEs + AI Component Flaws
AI relevance: Microsoft's June 2026 Patch Tuesday (208 CVEs) includes the first batch of AI-stack vulnerabilities rated Critical — M365 Copilot RCE (CVSS 7.7), Copilot Chat info-disclosure, and Exchange Online data leaks — signaling that Copilot is now a core attack surface, not an add-on.
What happened
- CVE-2026-47644 — Copilot Chat (Microsoft Edge): Critical information-disclosure via improper neutralization of special elements in output. An attacker can extract data processed by Copilot Chat through crafted prompt output.
- CVE-2026-45497 — M365 Copilot: Critical remote code execution (CVSS 7.7) in the Copilot agentic pipeline. This is a command-injection-class flaw in how Copilot handles tool execution.
- CVE-2026-42824 — M365 Copilot: Critical information-disclosure (CVSS 6.5) exposing tenant data through Copilot responses.
- CVE-2026-48579 — Exchange Online: Critical info-disclosure (CVSS 9.1) — a high-severity breach path for organizations using Copilot with Exchange integration.
- CVE-2026-32193 — Azure Kubernetes Service: Critical RCE (CVSS 8.8) — directly relevant to teams running self-hosted LLM inference or agent workloads on AKS.
- CVE-2026-49160 — HTTP.sys DoS: Actively exploited; according to Infosecurity Magazine it was discovered using LLM-assisted vulnerability research methods.
- CVE-2026-41091 — Microsoft Defender EoP: Actively exploited in the wild (CVSS 7.8).
Why it matters
This is the first Patch Tuesday where Microsoft published multiple Critical-rated Copilot-specific CVEs alongside the main bulletin, reflecting that Copilot's agentic tool execution surface — not just its chat interface — is now a production attack vector. The combination of RCE and info-disclosure in the same product family means an attacker who triggers the RCE can also harvest tenant context through the disclosure flaw.
What to do
- Patch immediately — multiple Critical Copilot CVEs are in this cycle
- Audit M365 Copilot connector permissions; restrict Copilot access to sensitive SharePoint/Exchange content until CVE-2026-42824 is confirmed patched in your tenant
- Review AKS clusters running model-serving workloads for CVE-2026-32193 exposure
- Ensure HTTP.sys and Defender patches are prioritized — both have known exploitation
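The last two action items (prioritizing the HTTP.sys and Defender fixes, and confirming the cycle actually landed on every host) are the ones that can be verified programmatically. The script below is an added example, not code from the bulletin or from Microsoft: it reports the installed http.sys driver version and the Defender platform version on each host and compares them against minimum versions. The two minimum-version values are placeholders, because the page gives no fixed build numbers; take them from the Security Update Guide entries for CVE-2026-49160 and CVE-2026-41091. The Patch Tuesday date is assumed to be 9 June 2026 (the second Tuesday of the month) and the host list is constructed.

```powershell
# Added example (not part of the original bulletin): fleet-wide patch-state check
# for the two actively exploited items in the June 2026 cycle. Run from a host with
# WinRM access to the targets. Replace the PLACEHOLDER versions with the fixed
# builds listed in the Security Update Guide for CVE-2026-49160 (HTTP.sys) and
# CVE-2026-41091 (Defender); until then every host will report Patched = False.

$MinHttpSysVersion   = [version]'0.0.0.0'   # PLACEHOLDER: fixed http.sys file version
$MinDefenderPlatform = [version]'0.0.0.0'   # PLACEHOLDER: fixed Defender platform version
$PatchTuesday        = Get-Date '2026-06-09' # assumed: second Tuesday of June 2026

# Constructed host list for the example; feed in your own inventory (AD, CMDB, ...).
$Hosts = @('app-web-01', 'app-web-02', 'mgmt-jump-01')

# Runs on each target host and returns one object per component.
$CheckScript = {
    param($MinHttpSys, $MinDefender, $Since)

    # HTTP.sys is a kernel driver; its file version tells us which build is installed.
    $httpSysPath = Join-Path $env:SystemRoot 'System32\drivers\http.sys'
    $httpSysVer  = [version](Get-Item $httpSysPath).VersionInfo.ProductVersion

    # Defender platform version comes from the Defender module's status cmdlet.
    $defenderVer = [version](Get-MpComputerStatus).AMProductVersion

    # Any update installed since Patch Tuesday, as a coarse signal that the cycle ran.
    $recentKBs = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Component = 'HTTP.sys'
        Installed = $httpSysVer
        Required  = $MinHttpSys
        Patched   = ($httpSysVer -ge $MinHttpSys)
        RecentKBs = ($recentKBs -join ',')
    }
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Component = 'Defender platform'
        Installed = $defenderVer
        Required  = $MinDefender
        Patched   = ($defenderVer -ge $MinDefender)
        RecentKBs = ($recentKBs -join ',')
    }
}

$results = Invoke-Command -ComputerName $Hosts -ScriptBlock $CheckScript `
    -ArgumentList $MinHttpSysVersion, $MinDefenderPlatform, $PatchTuesday `
    -ErrorAction Continue

# Unpatched hosts first, so the list doubles as a remediation queue.
$results |
    Sort-Object Patched, Host |
    Format-Table Host, Component, Installed, Required, Patched, RecentKBs -AutoSize

# Exit non-zero when anything is still exposed, so the script can gate a pipeline.
if ($results | Where-Object { -not $_.Patched }) { exit 1 }
```

The version comparison is deliberately done on the driver and platform binaries rather than on KB numbers alone: a KB can be superseded or rolled into a cumulative update, while the installed file version is what actually decides whether the vulnerable code is still running.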