Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
Microsoft June 2026 Patch Tuesday fixes 3 zero-days and 200 other vulnerabilities.
Summary
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including three publicly disclosed zero-days. While none of the zero-days are known to have been exploited, they include an elevation of privilege flaw in Windows CTFMON, a denial-of-service vulnerability in HTTP.sys dubbed 'HTTP/2 Bomb', and a security feature bypass in Windows BitLocker.
Full text
By Lawrence Abrams, June 9, 2026 01:57 PM

Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities.

This Patch Tuesday addresses 33 "Critical" vulnerabilities: 28 remote code execution, 4 elevation of privilege, and 1 information disclosure flaw.

The number of bugs in each vulnerability category is listed below:
- 65 Elevation of Privilege Vulnerabilities
- 19 Security Feature Bypass Vulnerabilities
- 55 Remote Code Execution Vulnerabilities
- 30 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 27 Spoofing Vulnerabilities

When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month. There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5094126 & KB5093998 cumulative updates.

Noteworthy vulnerabilities

This month's Patch Tuesday fixes three publicly disclosed zero-day vulnerabilities, none of which are known to have been exploited in attacks. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The three publicly disclosed zero-days are:

CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.
"Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally," explains Microsoft.

Microsoft has credited the flaw to an anonymous researcher, but has not shared any details on how it was disclosed.

CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability

Microsoft has patched a publicly disclosed HTTP/2 denial-of-service flaw called "HTTP/2 Bomb" that was disclosed this month by researchers at the offensive security firm Calif.io.

"Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network," explains Microsoft.

The HTTP/2 Bomb attack is a denial-of-service technique that abuses HPACK, the header compression scheme HTTP/2 uses, so that a very small amount of data on the wire forces the server to allocate disproportionately large amounts of memory when it expands the headers. Researchers found the attack could dramatically increase memory usage on affected servers. Attackers can also keep that memory tied up by manipulating flow-control settings, preventing the server from freeing the resources and potentially causing performance degradation or outages. Because the request needs no authentication and HTTP.sys is shared by every service that registers a listener on it (IIS among them), any such listener that accepts HTTP/2 or HTTP/3 from untrusted networks is a potential target.

To help mitigate this attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.

"Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602," continued Microsoft.

The setting caps the number of header fields per request rather than their compressed or decompressed size, so it is a complement to installing the update, not a substitute for it.

This flaw was attributed to Quang Luong and Codex of Calif.io.

CVE-2026-50507 - Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw that allowed attackers with physical access to a device to read its encrypted drive.
"Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack," explains Microsoft.

While Microsoft attributed the flaw to an anonymous researcher, BleepingComputer has learned that this is a fix for the YellowKey vulnerability that was publicly disclosed last month by a cybersecurity researcher named Nightmare Eclipse.

The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or the EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to BitLocker-protected drives. The flaw primarily affects systems that use TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue, including enabling TPM+PIN authentication instead of relying solely on TPM protection: a TPM-only protector releases the volume key automatically whenever the measured boot path is one the TPM trusts, whereas a PIN adds a secret that an attacker holding the hardware does not have.

Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, MiniPlasma, RedSun, and UnDefend, in protest of Microsoft's handling of its bug bounty and vulnerability disclosure programs.

Recent updates from other companies

Other vendors who released updates or advisories in June 2026 include:
- Acer warned about two maximum-severity unpatched flaws in Acer Wave 7 routers that could be used to hijack routers.
- Check Point released security updates for a Remote Access VPN and Mobile Access flaw that was exploited in Qilin ransomware attacks.
- Cisco released security updates for numerous products, including a Unified CM flaw with a PoC exploit and an SD-WAN zero-day exploited in attacks.
- Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, and FortiProxy.
- Google released Android's June security bulletin, fixing 124 flaws and one actively exploited vulnerability. The company also fixed a new Google Chrome zero-day that was exploited in attacks.
- Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry, with none exploited in the wild.
- Ubiquiti released security updates for three vulnerabilities with maximum severity ratings that could lead to remote code execution.
- SAP released the June security updates, which include fixes for four critical flaws.
- Veeam released security updates for a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.

The June 2026 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the June 2026 Patch Tuesday updates, excluding flaws fixed before today. To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Tag | CVE ID | CVE Title | Severity
.NET | CVE-2026-45491 | .NET Tampering Vulnerability | Important
.NET | CVE-2026-45490 | .NET SDK Elevation of Privilege Vulnerability | Important
Active Directory Domain Services | CVE-2026-45648 | Windows Active Directory Domain Services Remote Code Execution Vulnerability | Critical
ASP.NET Core | CVE-2026-45591 | ASP.NET Core Denial of Service Vulnerability | Important
Azure Stack Edge | CVE-2026-47643 | Azure Stack Edge Remote Code Execution Vulnerability | Important
Azure Stack Edge | CVE-2026-41098 | Azure Stack Edge Spoofing Vulnerability | Important
Function Discovery Service (fdwsd.dll) | CVE-2026-42836 | Windows Function Discovery Service (fdwsd.dll) Elevation of Privilege Vulnerability | Important
GitHub Copilot and Visual Studio Code | CVE-2026-45482 | Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability | Important
HTTP/2 | CVE-2026-49160 | HTTP.sys Denial of Service Vulnerability | Important
Linux MANA Driver | CVE-2026-45476 | Microsoft Azure Network Adapter Elevation of Privilege Vulnerability | Critical
Microsoft Azure Attestation service and Device Health Attestation Service | CVE-2026-45642 | Microsoft Azure Attestation service and Device Health Attestation Service Spoofing Vulnerability | Important
Microsoft Azure Attestation service and Device Health Attestation Service | CVE-2026-33828 | Windows Device Health At
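As an added example (this is not code from the article, from Microsoft, or from the researchers credited above), here is a PowerShell check an administrator could run on a patched Windows host for the two zero-days in this month's batch that also carry a configuration-side mitigation: it reports and optionally sets the MaxHeadersCount value HTTP.sys consults for the HTTP/2 Bomb flaw (CVE-2026-49160), lists BitLocker volumes still relying on a TPM-only protector (the configuration YellowKey, CVE-2026-50507, primarily affects), and confirms whether the Windows 11 June cumulative update is installed. The registry key path, the REG_DWORD type and the cap of 100 headers are assumptions to confirm against KB5102602; the value name comes from the article, and the KB numbers are the Windows 11 ones it names.

```powershell
# Added example, not code from the article, Microsoft, or the credited researchers.
# Post-patch checks for the two June 2026 zero-days with a configuration-side mitigation:
#   1. CVE-2026-49160 (HTTP/2 Bomb): cap header fields per request via MaxHeadersCount.
#   2. CVE-2026-50507 (YellowKey):   find BitLocker OS volumes still on a TPM-only protector.
# ASSUMPTIONS (verify against KB5102602 and your own policy before use):
#   - MaxHeadersCount is a REG_DWORD under the standard HTTP.sys parameters key below;
#     the value name is from the article, the key path and type are assumed.
#   - 100 header fields per request is a cap your applications tolerate.
# Run in an elevated PowerShell session on the patched host.

$HttpKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$HeaderCap   = 100      # assumed cap; raise it if legitimate clients send more headers
$ApplyChange = $false   # set to $true to write the value (this restarts HTTP.sys)

# --- 1. HTTP.sys: MaxHeadersCount -------------------------------------------------
$current = (Get-ItemProperty -Path $HttpKey -Name 'MaxHeadersCount' `
            -ErrorAction SilentlyContinue).MaxHeadersCount
if ($null -eq $current) {
    Write-Warning 'MaxHeadersCount is not set; HTTP.sys is using its built-in header limit.'
} else {
    Write-Host "MaxHeadersCount = $current"
}
if ($ApplyChange) {
    New-ItemProperty -Path $HttpKey -Name 'MaxHeadersCount' -PropertyType DWord `
        -Value $HeaderCap -Force | Out-Null
    # HTTP.sys reads its parameters at driver start, so the driver (and everything
    # hosted on it: IIS, WinRM, ...) must restart for the cap to take effect.
    Restart-Service -Name HTTP -Force
    $readBack = (Get-ItemProperty -Path $HttpKey -Name 'MaxHeadersCount').MaxHeadersCount
    if ($readBack -ne $HeaderCap) { throw "MaxHeadersCount read-back mismatch: $readBack" }
    Write-Host "MaxHeadersCount set to $readBack and HTTP.sys restarted."
}

# --- 2. BitLocker: volumes protected by a bare TPM protector ---------------------
Import-Module BitLocker
$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # "TPM-only" = a Tpm protector with no PIN-bearing variant alongside it.
    $tpmOnly = ($types -contains 'Tpm') -and
               -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        VolumeType = $vol.VolumeType          # OperatingSystem or Data
        Protection = $vol.ProtectionStatus    # On or Off
        Protectors = ($types -join ', ')
        TpmOnly    = $tpmOnly
    }
}
$report | Format-Table -AutoSize

$exposed = @($report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly })
if ($exposed.Count -gt 0) {
    Write-Warning ('TPM-only OS volume(s): {0}. Interim mitigation from the article is TPM+PIN, e.g.' -f ($exposed.MountPoint -join ', '))
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')"
    Write-Warning "  (the 'Require additional authentication at startup' policy must allow a PIN first)"
}

# --- 3. Is this month's Windows 11 cumulative update present? -------------------
# KB numbers are the Windows 11 ones the article names; other SKUs use different KBs.
$june = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -in 'KB5094126', 'KB5093998' }
if ($june) { Write-Host "June 2026 cumulative update installed: $($june.HotFixID -join ', ')" }
else       { Write-Warning 'Neither KB5094126 nor KB5093998 found via Get-HotFix; check Windows Update history.' }
```

The script is read-only until `$ApplyChange` is set to `$true`, because restarting the HTTP driver drops every connection on IIS and other HTTP.sys-hosted listeners; schedule that step in a maintenance window and confirm the expected value range in KB5102602 first. The BitLocker section only reports; adding a PIN protector is shown in the warning text rather than executed, since it needs the startup-authentication policy enabled and a PIN chosen by the user.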
Indicators of Compromise
- cve — CVE-2026-45586
- cve — CVE-2026-49160
- cve — CVE-2026-50507