Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws
Microsoft June 2026 Patch Tuesday fixes 6 zero-days, including one actively exploited.
Summary
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including six zero-days. One of these zero-days was actively exploited in attacks, while the other five were publicly disclosed. The critical updates include remote code execution, elevation of privilege, and information disclosure flaws across various Windows components.
Full text
Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws
By Lawrence Abrams, June 9, 2026 01:57 PM

Article and title updated as 3 additional zero-days were fixed in the June 2026 Patch Tuesday.

Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.

This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw.

The number of bugs in each vulnerability category is listed below:
- 65 Elevation of Privilege Vulnerabilities
- 19 Security Feature Bypass Vulnerabilities
- 55 Remote Code Execution Vulnerabilities
- 30 Information Disclosure Vulnerabilities
- 7 Denial of Service Vulnerabilities
- 27 Spoofing Vulnerabilities

When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.

There was also a massive batch of 360 Microsoft Edge/Chromium flaws fixed by Google this month, which were excluded from this Patch Tuesday roundup.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5094126 & KB5093998 cumulative updates and the Windows 10 KB5094127 extended security update.

Microsoft patches 5 zero-days

This month's Patch Tuesday fixes six zero-day vulnerabilities, with five publicly disclosed and one exploited in attacks. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.
The zero-days addressed during this month's Patch Tuesday are:

CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.

"Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally," explains Microsoft.

Microsoft credited the flaw to an anonymous researcher, but BleepingComputer has learned that this is a fix for the "GreenPlasma" zero-day flaw that was disclosed by security researcher Nightmare Eclipse. GreenPlasma is a privilege escalation vulnerability that could be exploited to obtain a shell with SYSTEM permissions.

Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, RedSun, UnDefend, and YellowKey (also fixed today), in protest of Microsoft's handling of its bug bounty and vulnerability disclosure programs.

CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability

Microsoft has patched a publicly disclosed HTTP/2 denial-of-service flaw, called "HTTP/2 Bomb," that researchers at the offensive security firm Calif. disclosed this month.

"Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network," explains Microsoft.

The HTTP/2 Bomb attack is a denial-of-service technique that abuses how the HTTP/2 protocol compresses and manages web traffic headers, allowing attackers to send very small amounts of data that force servers to allocate disproportionately large amounts of memory. Researchers found the attack could dramatically increase memory usage on affected servers.

Attackers can also keep the memory tied up by manipulating flow-control settings, preventing the server from freeing resources and potentially causing performance issues or outages.
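Microsoft's mitigation for this attack, covered in the next section, is a new MaxHeadersCount registry value that caps the number of headers HTTP.sys will accept in a request. The PowerShell below is an added example, not code from the article or from Microsoft: it audits whether the limit is set on a Windows server and stages a change with -WhatIf so an administrator can review it before applying. The value name comes from the article; the key path (the Parameters key where HTTP.sys keeps its other request limits), the DWORD type, and the sample limit of 100 are assumptions to confirm against Microsoft's KB5102602 before use.

```powershell
# Added example (not from the article or from Microsoft): review and, optionally,
# set the HTTP.sys header-count limit introduced as an HTTP/2 Bomb mitigation.
# ASSUMPTIONS: the value name "MaxHeadersCount" is taken from the article; the
# key path below is where HTTP.sys keeps its other request limits (MaxFieldLength,
# MaxRequestBytes) and is assumed here. Confirm both against KB5102602.
$HttpSysKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysHeaderLimit {
    # Returns the configured MaxHeadersCount, or $null when no explicit limit
    # is set (HTTP.sys then applies whatever its built-in default is).
    $props = Get-ItemProperty -Path $HttpSysKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['MaxHeadersCount']) {
        return $null
    }
    return [int]$props.MaxHeadersCount
}

function Set-HttpSysHeaderLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$MaxHeaders
    )
    # Creates or updates the DWORD. Like its other Parameters values, HTTP.sys
    # reads this at start-up, so the new limit applies after the HTTP service
    # restarts (which also restarts IIS and anything else bound to HTTP.sys)
    # or after a reboot.
    if ($PSCmdlet.ShouldProcess($HttpSysKey, "Set MaxHeadersCount=$MaxHeaders")) {
        if (-not (Test-Path $HttpSysKey)) { New-Item -Path $HttpSysKey -Force | Out-Null }
        New-ItemProperty -Path $HttpSysKey -Name 'MaxHeadersCount' -PropertyType DWord `
            -Value $MaxHeaders -Force | Out-Null
    }
}

# Usage: report the current state, then stage a limit on servers that have none.
$current = Get-HttpSysHeaderLimit
if ($null -eq $current) {
    Write-Host "MaxHeadersCount is not set; HTTP.sys is using its default."
    # 100 is a constructed placeholder, not a Microsoft recommendation; size the
    # limit to the largest legitimate header count your applications send.
    Set-HttpSysHeaderLimit -MaxHeaders 100 -WhatIf
} else {
    Write-Host "MaxHeadersCount is set to $current."
}
```

Run it in an elevated session. Drop the -WhatIf only after checking that your own applications and reverse proxies never send more headers than the limit you choose, since requests above the cap will be rejected rather than served.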
To help mitigate this attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.

"Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602," continued Microsoft.

This flaw was attributed to Quang Luong and Codex of Calif.io.

CVE-2026-45585 - Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw known as "YellowKey" that allowed local attackers to gain access to an encrypted drive.

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data," explains Microsoft.

While Microsoft attributed the flaw to an anonymous researcher, Nightmare Eclipse also publicly disclosed it last month.

The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to encrypted BitLocker-protected drives.

The flaw primarily affects systems that use TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue in May, including enabling TPM+PIN authentication instead of relying solely on TPM protection, but the flaw has now been patched as part of this month's security updates.

CVE-2026-50507 - Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched another BitLocker bypass flaw that allows local attackers to access encrypted drives.
"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data," explains Microsoft.

While Microsoft did not attribute this flaw to anyone, this security update is believed to fix a BitLocker zero-day vulnerability known as "bitskrieg."

Last Friday, Windows security expert Jonas Lykkegaard disclosed the bitskrieg BitLocker bypass vulnerability on X. Will Dormann, principal vulnerability analyst at Tharros, now says that Microsoft has fixed this vulnerability as part of the security update for CVE-2026-50507.

However, Dormann warns that the fix could cause Windows devices to display an error stating, "A required file couldn't be accessed because your BitLocker key wasn't loaded correctly."

If you receive this error, Dormann says you can fix it by turning WinRE off and back on in an elevated CMD prompt using these commands:

    reagentc /disable
    reagentc /enable

CVE-2020-17103 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Microsoft fixed a publicly disclosed "Mini-Plasma" zero-day vulnerability that gives SYSTEM privileges.

"To comprehensively address the vulnerability identified by CVE-2020-17103 and recently publicly referred to as 'Mini-Plasma', Microsoft recommends installing the June 2026 updates for your Windows operating systems," explains Microsoft.

This flaw was also disclosed by Nightmare Eclipse, who said it was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020. At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.

However, Nightmare Eclipse said that the flaw was still exploitable, and it was unclear if Microsoft never fully patched the issue or the patch was silently reintroduced at some point.
The actively exploited vulnerability is:

CVE-2026-42897 - Microsoft Exchange Server Spoofing Vulnerability

Microsoft fixed an actively exploited Microsoft Exchange Server spoofing vulnerability that can execute JavaScript in a target's browser.

"An attacker could exploit this issue by sending a specially crafted email to a user. If the user ope
Indicators of Compromise
- cve — CVE-2026-45586
- cve — CVE-2026-49160