Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities Including Three Publicly Disclosed Zero-Days and 33 Critical Flaws
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including three publicly disclosed zero-days covering a CTFMON privilege escalation, the "HTTP/2 Bomb" denial-of-service technique, and the YellowKey BitLocker bypass released by Nightmare Eclipse.
Microsoft has released its June 2026 Patch Tuesday updates, fixing 200 vulnerabilities across Windows, Office, Exchange, Hyper-V, and Azure services. The release includes 33 critical-rated flaws and three publicly disclosed zero-days, none of which are currently known to be exploited in attacks.
Of the critical vulnerabilities, 28 enable remote code execution, four allow elevation of privilege, and one results in information disclosure. The broader breakdown spans 65 privilege escalation flaws, 55 remote code execution bugs, 30 information disclosure issues, 27 spoofing vulnerabilities, 19 security feature bypasses, and seven denial-of-service flaws.
Three Zero-Days Patched
The most notable fix is CVE-2026-50507, a Windows BitLocker security feature bypass that Microsoft attributed to an anonymous researcher. The flaw is in fact the YellowKey vulnerability publicly disclosed last month by Nightmare Eclipse — the researcher behind the ongoing wave of Windows zero-day releases that includes BlueHammer, MiniPlasma, RedSun, and UnDefend, published in protest of Microsoft's bug bounty and disclosure handling.
YellowKey allows a physical attacker to plant crafted files on a USB drive or EFI partition, boot into the Windows Recovery Environment, and hold CTRL to spawn a command shell with unrestricted access to BitLocker-protected drives. Systems using TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 are primarily affected. Microsoft had previously advised TPM+PIN authentication as an interim mitigation.
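The interim mitigation above is a protector change, not a patch, and the first step is knowing which machines still boot on a bare TPM protector. The following PowerShell is an added example, not Microsoft's or Nightmare Eclipse's code: it reports every BitLocker OS volume whose only TPM-based protector is `Tpm` (the configuration YellowKey targets) and, with `-Remediate`, replaces it with TPM+PIN. The `-Remediate`/`-Pin` parameters, the "strong protector" list, and the policy value names written under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are this script's own assumptions; in a managed estate the policy should come from GPO or Intune rather than a local registry write.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not Microsoft's or Nightmare Eclipse's code): audit BitLocker OS
volumes for the TPM-only protector configuration YellowKey targets and, with
-Remediate, replace it with TPM+PIN. The -Remediate/-Pin parameters, the policy
value names under HKLM\SOFTWARE\Policies\Microsoft\FVE and the "strong" protector
list are this script's own assumptions; push the policy via GPO/Intune in a
managed estate instead of writing it locally.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,
    [SecureString]$Pin
)

# Protector types that demand something beyond the bare TPM at boot.
$strongTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerOsVolumeReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types  = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $strong = [bool]($types | Where-Object { $strongTypes -contains $_ })
            [pscustomobject]@{
                MountPoint  = $_.MountPoint
                Protection  = $_.ProtectionStatus
                Protectors  = ($types -join ',')
                HasRecovery = ($types -contains 'RecoveryPassword')
                # TPM-only: a bare Tpm protector and no PIN/startup-key variant.
                TpmOnly     = (($types -contains 'Tpm') -and (-not $strong))
            }
        }
}

function Set-TpmPinPolicy {
    # "Require additional authentication at startup": 0 = do not allow,
    # 1 = require, 2 = allow. Forbid TPM-only and require a startup PIN.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
}

function Set-TpmPinProtector {
    param([string]$MountPoint, [SecureString]$Pin)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never touch the TPM protector without a recovery password on the volume;
    # escrow the numerical password (AD / Entra ID / Intune) before relying on it.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Remove the bare TPM protector explicitly instead of relying on replacement semantics.
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

$report = Get-BitLockerOsVolumeReport
$report | Format-Table -AutoSize

if ($Remediate) {
    if (-not $Pin) { throw 'Use -Pin (SecureString) together with -Remediate.' }
    if ($PSCmdlet.ShouldProcess('HKLM:\SOFTWARE\Policies\Microsoft\FVE', 'Require TPM+PIN')) {
        Set-TpmPinPolicy
    }
    foreach ($v in ($report | Where-Object { $_.TpmOnly })) {
        if ($PSCmdlet.ShouldProcess($v.MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
            Set-TpmPinProtector -MountPoint $v.MountPoint -Pin $Pin
        }
    }
}
```

The audit half runs unconditionally and is safe on any host; run the remediation half first as `-Remediate -Pin (Read-Host -AsSecureString 'Startup PIN') -WhatIf` to see which volumes would change. Recovery passwords must be escrowed before the TPM protector is removed, because a failure between the removal and the TPM+PIN add leaves the volume bootable only with that password.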
CVE-2026-49160 addresses the "HTTP/2 Bomb" denial-of-service technique disclosed by researchers Quang Luong and Codex of offensive security firm Calif. The attack abuses HTTP/2 header compression and flow-control mechanics, allowing tiny amounts of attacker traffic to force servers into allocating disproportionately large memory reservations that can't be freed, degrading performance or causing outages. Alongside the patch, Microsoft introduced a new MaxHeadersCount registry setting (documented in KB5102602) to cap header counts in HTTP/2 and HTTP/3 requests.
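A practitioner reading this will want to know what HTTP.sys currently enforces on header volume and how to apply the new cap. The following PowerShell is an added example, not Microsoft's code: it reports the HTTP.sys request limits, warns when HTTP/2 is enabled with no header-count cap, and sets `MaxHeadersCount`. Two assumptions are the script's own: that the value lives under the same `HTTP\Parameters` key as the long-standing `MaxFieldLength`/`MaxRequestBytes` limits, and that 100 is a reasonable cap (typical browsers send a few dozen headers). Take the exact location, semantics, and permitted range from KB5102602 before deploying. The `-DisableHttp2` switch is a last resort for servers that do not need HTTP/2 at all.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not Microsoft's code): report the HTTP.sys request limits that
bound HTTP/2 header handling and optionally set the MaxHeadersCount cap from
KB5102602. Assumptions: the value is assumed to live under the same
HTTP\Parameters key as MaxFieldLength/MaxRequestBytes, and 100 is an arbitrary
cap; confirm location, semantics and range against KB5102602 before use.
-DisableHttp2 is this script's own last-resort switch.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$HeaderCap = 100,
    [switch]$DisableHttp2
)

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysLimits {
    $p = Get-ItemProperty -Path $httpParams -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MaxHeadersCount = $p.MaxHeadersCount      # $null = not configured (no cap)
        MaxFieldLength  = $p.MaxFieldLength       # per-header-line limit, bytes
        MaxRequestBytes = $p.MaxRequestBytes      # request line + headers, bytes
        # HTTP/2 listeners are on unless these are explicitly 0.
        Http2OverTls    = ($p.EnableHttp2Tls -ne 0)
        Http2Cleartext  = ($p.EnableHttp2Cleartext -ne 0)
    }
}

function Test-HttpSysExposure {
    param($Limits, [int]$Cap)
    $findings = @()
    if ($Limits.Http2OverTls -or $Limits.Http2Cleartext) {
        if ($null -eq $Limits.MaxHeadersCount) {
            $findings += 'HTTP/2 enabled and MaxHeadersCount not set: header count is uncapped'
        } elseif ($Limits.MaxHeadersCount -gt $Cap) {
            $findings += "MaxHeadersCount=$($Limits.MaxHeadersCount) exceeds the chosen cap of $Cap"
        }
    }
    return $findings
}

function Set-HttpSysHeaderCap {
    param([int]$Cap)
    if (-not (Test-Path $httpParams)) { New-Item -Path $httpParams -Force | Out-Null }
    Set-ItemProperty -Path $httpParams -Name MaxHeadersCount -Value $Cap -Type DWord
}

function Disable-HttpSysHttp2 {
    # Removes the HTTP/2 attack surface outright; clients fall back to HTTP/1.1.
    Set-ItemProperty -Path $httpParams -Name EnableHttp2Tls       -Value 0 -Type DWord
    Set-ItemProperty -Path $httpParams -Name EnableHttp2Cleartext -Value 0 -Type DWord
}

$before = Get-HttpSysLimits
$before | Format-List
Test-HttpSysExposure -Limits $before -Cap $HeaderCap | ForEach-Object { Write-Warning $_ }

if ($PSCmdlet.ShouldProcess($httpParams, "Set MaxHeadersCount = $HeaderCap")) {
    Set-HttpSysHeaderCap -Cap $HeaderCap
}
if ($DisableHttp2 -and $PSCmdlet.ShouldProcess($httpParams, 'Disable HTTP/2 (TLS and cleartext)')) {
    Disable-HttpSysHttp2
}

# HTTP.sys reads this key when the driver starts. Apply with a reboot, or
#   net stop http /y   (stops IIS/W3SVC and every other HTTP.sys consumer)
#   net start http     (then restart W3SVC and the other dependents)
Get-HttpSysLimits | Format-List
```

Run it with `-WhatIf` to get the report and the warnings without changing anything; the registry write only takes effect once the HTTP service restarts, so schedule that alongside the update reboot. Disabling HTTP/2 is listed only because some internal services never negotiate it; for a public web tier the cap plus the June patch is the intended fix.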
The third zero-day, CVE-2026-45586, is a privilege escalation flaw in the Windows Collaborative Translation Framework (CTFMON). Improper link resolution before file access allows a local authenticated attacker to elevate to SYSTEM. Microsoft credited an anonymous researcher and shared no disclosure details. Notably, CTFMON was also the target of Nightmare Eclipse's GreenPlasma zero-day in May.

Critical Flaws Worth Prioritizing
Several critical bugs stand out for enterprise environments:
- Remote Desktop Client accounts for eight critical RCE flaws in a single release — a heavy concentration that makes RDP client patching a priority for any organization where users connect to untrusted or semi-trusted hosts
- CVE-2026-47288 — Kerberos Key Distribution Center RCE, directly exposing domain controllers
- CVE-2026-45648 — Active Directory Domain Services RCE
- CVE-2026-44815 — DHCP Client Service RCE, reachable on any Windows endpoint requesting a lease; an attacker who can answer DHCP on the local segment (a rogue or spoofed server) is the realistic trigger
- CVE-2026-47291 — HTTP.sys RCE, affecting Windows web-facing services
- CVE-2026-45641, CVE-2026-45607, CVE-2026-47652 — three critical Hyper-V RCE flaws threatening guest-to-host escape scenarios
- Seven critical Office RCEs, including three Outlook/Word bugs (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635) where preview-pane exposure should be assumed until confirmed otherwise
The release also includes ten Secure Boot/UEFI security feature bypasses and three BitLocker bypasses in total — continuing 2026's steady erosion of physical-attack protections.
Action Items
Deploy the June cumulative updates immediately, prioritizing domain controllers (Kerberos KDC, AD DS), Hyper-V hosts, and web-facing servers running HTTP.sys. Organizations relying on TPM-only BitLocker should treat CVE-2026-50507 as confirmation that the YellowKey attack worked as described: patch, and move to TPM+PIN where the threat model includes physical access. Administrators of servers that accept HTTP/2 traffic should review KB5102602 and consider the MaxHeadersCount setting as defense-in-depth. With Nightmare Eclipse's disclosure campaign still active, expect further unpatched Windows zero-days to drop without warning.