Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws

Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities.

This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw.

The number of bugs in each vulnerability category is listed below:

• 65 Elevation of Privilege Vulnerabilities
• 19 Security Feature Bypass Vulnerabilities
• 55 Remote Code Execution Vulnerabilities
• 30 Information Disclosure Vulnerabilities
• 7 Denial of Service Vulnerabilities
• 27 Spoofing Vulnerabilities

When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today.

Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.

There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5094126 & KB5093998 cumulative updates.

Noteworthy vulnerabilities

This month's Patch Tuesday fixes three publicly disclosed zero-day vulnerabilities, none of which are known to have been exploited in attacks.

Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The two publicly disclosed zero-days are:

CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.

"Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally," explains Microsoft.

Microsoft has credited the flaw to an anonymous researcher, but has not shared any details on how it was disclosed.

CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability

Microsoft has patched a publicly disclosed HTTP/2 denial of service flaw called "HTTP/2 Bomb" that was disclosed this month by researchers at the offensive security firm Calif.

"Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network," explains Microsoft.

The HTTP/2 Bomb attack is a denial-of-service technique that abuses how the HTTP/2 protocol compresses and manages web traffic headers, allowing attackers to send very small amounts of data that force servers to allocate disproportionately large amounts of memory.

Researchers found the attack could dramatically increase memory usage on affected servers. Attackers can also keep the memory tied up by manipulating flow-control settings, preventing the server from freeing resources and potentially causing performance issues or outages.

To help mitigate this attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.

"Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602," continued Microsoft.

This flaw was attributed to Quang Luong and Codex of Calif.io.

CVE-2026-50507 - Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw that allowed local attackers to gain access to an encrypted drive.

"Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack," explains Microsoft.

While Microsoft attributed the flaw to an anonymous researcher, BleepingComputer has learned that this is a fix for the YellowKey vulnerability that was publicly disclosed last month by a cybersecurity researcher named Nightmare Eclipse.

The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to encrypted BitLocker-protected drives.

The flaw primarily affects systems that used TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue, including enabling TPM+PIN authentication instead of relying solely on TPM protection.

Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, MiniPlasma, RedSun, and UnDefend, in protest of Microsoft's handling of its bug bounty and vulnerability disclosure programs.

Recent updates from other companies

Other vendors who released updates or advisories in May 2026 include:

• Acer warned about two maximum-severity unpatched flaws in Acer Wave 7 Routers that could be used to hijack routers.
• Adobe released security updates for Experience Manager, InDesign, InCopy, Substance 3D Sampler, Dreamweaver, Reader, ColdFusion, and more.
• Check Point released security updates for a Remote Access VPN and Mobile Access flaw that was exploited in Qilin ransomware attacks.
• Cisco released security updates for numerous products, including a Unified CM flaw with a PoC exploit and an SD-WAN zero-day exploited in attacks.
• Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, and FortiProxy.
• Google released Android's June security bulletin, fixing 124 flaws and one actively exploited vulnerability. The company also fixed a new Google Chrome zero-day that was exploited in attacks.
• Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry, with none exploited in the wild.
• Ubiquiti released security updates for three vulnerabilities with maximum severity ratings that could lead to remote code execution. 
• SAP released the June security updates, which include fixes for four critical flaws.
• Veeam released security updates for a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.

The June 2026 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the May 2026 Patch Tuesday updates, excluding flaws fixed before today.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

New Veeam vulnerability exposes backup servers to RCE attacks

Windows 11 KB5094126 & KB5093998 cumulative updates released