Mid-cycle update: the Security Update Guide
Patch Tuesday gets the headlines. But Microsoft’s Security Update Guide doesn’t go quiet for the other three weeks of the month — it keeps moving, publishing new CVEs and revising old ones between cycles. Here’s what changed between May Patch Tuesday (12 May) and the run-up to June’s (9 June), and the short list worth acting on before then.
291 CVEs, and why that number lies
Since 12 May, 291 CVEs were published or revised in the Security Update Guide. That sounds like a fire drill. It isn’t. Strip it down:
- 268 are Edge / Chromium republishes — the routine browser stream Microsoft mirrors from upstream. Your standing browser-update process already covers them.
- 13 are cloud services — Azure, Entra, Copilot, Power Pages, Microsoft 365. Microsoft fixes these in its own fabric; the entry is a disclosure, not a package you deploy.
- 10 are on-prem or endpoint — the only ones that touch your test-and-deploy pipeline.
So the real number isn’t 291. It’s ten.
The ten that matter
Two items lead the list:
- Microsoft Defender — Remote Code Execution (Critical). An RCE in the anti-malware engine itself. Defender platform updates ship out-of-band and largely auto-apply, so the action here is verification: confirm the engine version actually rolled out across the estate rather than assuming it did.
- SharePoint Server — Remote Code Execution (×2, Important). On-prem SharePoint is a perennial high-value target and a slow patch surface in most estates. These are the items most likely to need a deliberate test pass before the June cycle.
The full on-prem set:
| CVE | Severity | Product and impact | What changed |
|---|---|---|---|
| CVE-2026-45584 | Critical | Defender RCE | Newly published |
| CVE-2026-42897 | Critical | Exchange Server Spoofing | Informational revision |
| CVE-2026-45659 | Important | SharePoint RCE | Newly published |
| CVE-2026-47294 | Important | SharePoint Server RCE | Newly published |
| CVE-2026-41091 | Important | Defender EoP | Newly published |
| CVE-2026-45585 | Important | Windows BitLocker Security Feature Bypass (SFB) | Revised |
| CVE-2026-32185 | Important | Teams Spoofing | Revised |
| CVE-2026-45492 | Moderate | Edge Security Feature Bypass (SFB) | Newly published |
| CVE-2026-45494 | Moderate | Edge Spoofing | Newly published |
| CVE-2026-45498 | Low | Defender DoS | Newly published |
Fourteen “Critical” is not fourteen fire drills
The cycle carried fourteen Critical-rated CVEs — but thirteen of the twenty-three Microsoft-product entries are cloud services Microsoft remediates server-side. The Critical count is real; the operational load it implies for an on-prem estate is not. Knowing which Criticals you actually own is half the job.
The list is never final
One of this cycle’s entries — a Windows Admin Center elevation-of-privilege — was addressed in the May updates but inadvertently omitted from the Guide, then quietly added on 21 May. Anyone who froze their risk picture on Patch Tuesday wouldn’t have seen it. That is the whole argument for a mid-cycle checkpoint: the Patch Tuesday snapshot is a starting point, not a final state.
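The checkpoint described above and the three-way split from the first section can be done mechanically. The sketch below is an added example, not a Microsoft tool or the author's code: it diffs a Patch Tuesday snapshot against a later one and sorts only the new or revised entries into the article's three piles. The record fields (`cve`, `product`, `revision`, `issuer`), the cloud keyword list and the `CVE-EXAMPLE-*` ids are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed cloud-service keywords, taken from the article's own list.
CLOUD = ("azure", "entra", "copilot", "power pages", "microsoft 365")

def bucket(entry):
    """Sort one entry into the article's three piles."""
    if entry["issuer"] != "Microsoft":        # upstream Chromium republish
        return "browser-stream"
    if any(name in entry["product"].lower() for name in CLOUD):
        return "cloud-disclosure"
    return "on-prem"                          # enters the test-and-deploy pipeline

def mid_cycle_changes(baseline, current):
    """Return {bucket: [(cve, change)]} for entries new or revised since baseline."""
    seen = {e["cve"]: e["revision"] for e in baseline}
    out = defaultdict(list)
    for e in current:
        if e["cve"] not in seen:
            change = "new"                    # includes late additions to the Guide
        elif e["revision"] != seen[e["cve"]]:
            change = "revised"
        else:
            continue                          # unchanged since Patch Tuesday
        out[bucket(e)].append((e["cve"], change))
    return dict(out)

def E(cve, product, revision, issuer="Microsoft"):
    return {"cve": cve, "product": product, "revision": revision, "issuer": issuer}

# Constructed snapshots; the CVE ids are placeholders, not real entries.
PATCH_TUESDAY = [
    E("CVE-EXAMPLE-0001", "Windows BitLocker", "1.0"),
    E("CVE-EXAMPLE-0002", "Microsoft Exchange Server", "1.0"),
]
CHECKPOINT = [
    E("CVE-EXAMPLE-0001", "Windows BitLocker", "2.0"),
    E("CVE-EXAMPLE-0002", "Microsoft Exchange Server", "1.0"),
    E("CVE-EXAMPLE-0003", "Microsoft Defender", "1.0"),
    E("CVE-EXAMPLE-0004", "Windows Admin Center", "1.0"),
    E("CVE-EXAMPLE-0005", "Microsoft Edge (Chromium-based)", "1.0", issuer="Chrome"),
    E("CVE-EXAMPLE-0006", "Microsoft Edge (Chromium-based)", "1.0"),
    E("CVE-EXAMPLE-0007", "Azure (constructed service name)", "1.0"),
]

if __name__ == "__main__":
    for name, items in mid_cycle_changes(PATCH_TUESDAY, CHECKPOINT).items():
        print(name, items)
```

Keyword matching on product names is coarse, so review anything that lands in the cloud pile before closing it. A Microsoft-issued Edge entry stays in the on-prem pile, as it does in the table above.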
Before 9 June
Queue the on-prem SharePoint and Defender items for test now, note-and-close the cloud disclosures, and let the standing process handle the 268 Edge CVEs. None of this forces an emergency — but it pre-stages June so the next Patch Tuesday lands on a prepared estate instead of a surprised one.
That gap between what changed and what you must act on is the operational reality the headline CVE counts obscure — and closing it, every cycle, is the work.
Severity and revision status are taken verbatim from the Microsoft Security Update Guide. None of these CVEs is listed as actively exploited at the time of writing; cross-check the CISA KEV catalog before treating any as a patch-now emergency.