Patch Tuesday June 2026: Ivanti Sentry scores a perfect 10, Chrome V8 already under attack
3 bugs exploited in the wild (Chrome V8, Cisco SD-WAN Manager, Arista EOS), plus a CVSS 10.0 unauthenticated RCE in Ivanti Sentry, a 9.3 Windows kernel privesc, and a 9.8 deserialization RCE in Nuance PowerScribe.
Three vulnerabilities are already being exploited in the wild this month, and Microsoft dropped a stack of 9.8s that deserve your attention tonight. The Chrome V8 bug, a Cisco SD-WAN root escalation, and an Arista EOS traffic injection issue are the ones actively under attack. Behind those, you've got pre-auth RCEs in HTTP.sys, the Windows DHCP Client, Ivanti Sentry (CVSS 10.0), and Fortinet FortiSandbox, so clear some time on the calendar.
Today's CVEs
Sorted by urgency
CVE-2026-11645 (NVD)
An attacker can run code inside Chrome's sandbox by tricking a user into visiting a malicious web page. This is an out-of-bounds read/write bug in V8, Chrome's JavaScript engine, and attackers are already exploiting it in the wild. EPSS puts this at the 90th percentile for exploit probability, which lines up with what we're seeing.
- Included because: exploited in the wild; no special config needed; extremely common product; user interaction is just visiting a page
- Affected estate: All Google Chrome installations prior to 149.0.7827.103. Also check Chromium-based browsers (Edge, Brave, Opera) for corresponding updates.
- How to check: Open chrome://version or run 'google-chrome --version' on Linux. Look for anything below 149.0.7827.103.
- Action: Push Chrome 149.0.7827.103 or later via your browser management policy or software deployment tool.
- Urgency: Patch immediately
- Why it matters: Attackers are actively exploiting this to run code on machines that visit a crafted web page, no interaction beyond clicking a link required.
- Source: Google Chrome Stable Channel Update
Evidence trail
- NVD
CVE-2026-20245 (CISA KEV)
A local attacker with authenticated access to Cisco Catalyst SD-WAN Manager can escalate to root by feeding a crafted file to the system. This is being exploited in the wild. The attack requires local access and valid credentials, so this isn't a drive-by, but once an attacker has a foothold on your management plane, it's game over.
- Included because: exploited in the wild; local privilege escalation to root; SD-WAN management plane is a high-value target
- Affected estate: Cisco Catalyst SD-WAN Manager (all versions until patched). Formerly known as SD-WAN vManage.
- How to check: Run 'show version' on the vManage CLI or check the software version in the web console under Administration > Settings.
- Action: Upgrade Cisco Catalyst SD-WAN Manager to the fixed version listed in Cisco's advisory.
- Urgency: Patch within 24 hours
- Why it matters: An authenticated local attacker can get root on your SD-WAN management plane, which controls your entire overlay network.
- Source: Cisco Security Advisory
Evidence trail
- NVD
CVE-2026-7473 (CISA KEV)
Arista EOS switches with tunnel decapsulation configured will incorrectly decapsulate and forward unexpected tunneled packets when the destination IP matches the configured decapsulation IP. Attackers are exploiting this in the wild. EPSS is at the 96th percentile, reinforcing that this is getting real-world attention. The practical risk is traffic injection or bypass of network segmentation.
- Included because: exploited in the wild; network segmentation bypass; high EPSS percentile (96th); no authentication required
- Affected estate: Arista switches running EOS with tunnel decapsulation configured (e.g., VXLAN, GRE, or IP-in-IP decap).
- How to check: Run 'show version' on the switch CLI and compare against Arista's advisory. Check 'show running-config' for any decapsulation configuration.
- Action: Upgrade Arista EOS to the fixed version per Arista's security advisory. As a temporary mitigation, review and tighten ACLs on decapsulation interfaces.
- Urgency: Patch immediately
- Why it matters: Attackers can inject traffic past your network segmentation by sending crafted tunneled packets to the switch's decapsulation IP.
- Source: Arista Security Advisory
Evidence trail
- NVD
CVE-2025-10263 (MSRC)
A local privilege escalation bug in the Windows kernel lets an unprivileged attacker gain elevated access without any user interaction. CVSS 9.3 makes this one of the highest-severity local escalation bugs you'll see. It's not exploited in the wild yet, but the low barrier (local, no auth) means weaponization is likely once details spread.
- Included because: CVSS 9.3; local privilege escalation; no authentication required; common product (Windows); ARM64-specific
- Affected estate: Windows 10 21H2 and 22H2 (ARM64), Windows 11 23H2, 24H2, and 25H2 (ARM64). x64 and x86 systems do not appear in the affected list.
- How to check: Run 'winver' or 'systeminfo' to confirm OS version and architecture. Query WSUS or Intune for ARM64 devices on affected builds.
- Action: Deploy the latest Windows cumulative update targeting ARM64 systems on the affected OS versions.
- Urgency: Patch this week
- Why it matters: A CVSS 9.3 local privilege escalation in the kernel means any compromised user-level process can go straight to SYSTEM.
- Source: Microsoft Security Response Center
Evidence trail
- NVD
CVE-2026-10520 (NVD)
An unauthenticated attacker can get root-level remote code execution on Ivanti Sentry by injecting OS commands. No credentials needed, no user interaction. CVSS 10.0, which is as bad as it gets. Not yet confirmed exploited in the wild, but Ivanti appliances are a favorite target and this will get picked up fast.
- Included because: CVSS 10.0; unauthenticated; remote code execution; internet-facing appliance; Ivanti products are frequently targeted
- Affected estate: Ivanti Sentry appliances running versions before R10.5.2, R10.6.2, or R10.7.1.
- How to check: Log into the Ivanti Sentry admin console and check the version under System Manager, or query your asset inventory for Sentry appliances.
- Action: Upgrade to Ivanti Sentry R10.5.2, R10.6.2, or R10.7.1. Restrict management interface access to trusted networks as an interim control.
- Urgency: Patch immediately
- Why it matters: Unauthenticated root RCE on an internet-facing appliance. Attackers have historically weaponized Ivanti bugs within days of disclosure.
- Source: Ivanti Security Advisory
Evidence trail
- NVD
CVE-2026-26142 (NVD)
An unauthenticated attacker can execute code over the network on Nuance PowerScribe by sending crafted serialized data. PowerScribe is a radiology reporting platform, so if you run it in a healthcare environment, this puts patient-facing systems at direct risk. CVSS 9.8, no credentials required.
- Included because: CVSS 9.8; unauthenticated; remote code execution; healthcare-critical system; deserialization bugs are reliably exploitable
- Affected estate: Nuance PowerScribe servers and related reporting infrastructure.
- How to check: Check the installed PowerScribe version in the application's admin console or via Add/Remove Programs on the server.
- Action: Apply the vendor patch from Nuance/Microsoft. If no patch is available yet, segment PowerScribe off from untrusted networks and monitor for unusual deserialization activity.
- Urgency: Patch immediately
- Why it matters: Unauthenticated remote code execution on a healthcare reporting system puts clinical operations and patient data at risk.
- Source: Nuance/Microsoft Security Advisory
Evidence trail
- NVD