Microsoft's June 2026 Patch Tuesday Addresses 200 Vulnerabilities, Including Uncoordinated Disclosures and HTTP/2 Flaws
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, with a notable focus on uncoordinated disclosures by researcher 'Nightmare Eclipse' and new denial-of-service vulnerabilities affecting HTTP/2 implementations.

Microsoft's June 2026 Patch Tuesday has rolled out, tackling a substantial 200 vulnerabilities. While Microsoft reports no known exploitation in the wild for these flaws, three have seen public disclosure. This release also includes a significant number of browser vulnerabilities; Microsoft no longer enumerates Chromium CVEs in its Security Update Guide because of their sheer volume, a volume problem also seen with Linux kernel vulnerabilities, which are increasingly reported with AI assistance.
A particularly contentious aspect of this month's update involves an independent researcher known as 'Nightmare Eclipse.' This researcher has gained attention for uncoordinated disclosures of six Microsoft vulnerabilities, including elevation of privilege flaws in Microsoft Defender and a Secure Boot bypass, often accompanied by proof-of-concept code. Microsoft has confirmed these disclosures were not coordinated, and the relationship appears strained, especially after disclosures emerged shortly after the previous month's Patch Tuesday, limiting Microsoft's response time.
Microsoft has issued patches and mitigation advice for CVE-2026-33825, CVE-2026-45585, CVE-2026-45498, and CVE-2026-41091. However, two elevation of privilege vulnerabilities, dubbed MiniPlasma and GreenPlasma, remain unpatched. A recent cryptic post by Nightmare Eclipse, featuring an image from the Resident Evil series, has led to speculation about further disclosures. Shortly after the June Patch Tuesday, a new blog post and GitHub account emerged detailing an apparent seventh disclosure, nicknamed RoguePlanet, another elevation of privilege to SYSTEM in Defender.
The broader vulnerability disclosure community has expressed concern over Microsoft's initial invocation of its Digital Crimes Unit, fearing it might deter beneficial engagements. Microsoft has since clarified that their focus is on illegal activity and malicious harm, not on security researchers themselves. This ongoing, high-friction disclosure arc suggests the situation is far from resolved.
Beyond the uncoordinated disclosures, this Patch Tuesday also addresses several denial-of-service vulnerabilities affecting web servers implementing HTTP/2 and HTTP/3 standards. CVE-2026-49160, credited to a third-party firm and OpenAI's Codex, allows for uncontrolled resource consumption over a network. Microsoft anticipates exploitation is more likely for this class of vulnerability.
Additionally, CVE-2026-49975, known as 'HTTP/2 Bomb,' was publicly disclosed a week prior. This vulnerability allows for trivial denial-of-service by exhausting server memory, affecting multiple web server platforms including Microsoft IIS, NGINX, and Apache. While patches are available for NGINX and Apache, IIS is expected to follow, and disabling HTTP/2 is recommended as a mitigation where practically possible.
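As an added example that is not part of the article, the following PowerShell audits and, with -Disable, applies the "disable HTTP/2" mitigation on a Windows/IIS host through the HTTP.sys registry switches. The key path and value names are Microsoft's documented toggles for turning HTTP/2 off in HTTP.sys and are assumed here, not taken from the article.

```powershell
# Added example (not from the article): audit and, optionally, disable HTTP/2 in
# HTTP.sys, the kernel driver that fronts IIS. The registry values below are
# Microsoft's documented switches for turning HTTP/2 off on Windows Server; they
# are an assumption of this example, not something the article states.
# Run from an elevated prompt. The change takes effect after the HTTP service
# (and the IIS services that depend on it) is restarted, or after a reboot.

param(
    [switch]$Disable   # without -Disable the script only reports current state
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$values = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    # Returns one row per switch; a missing value means the Windows default
    # applies, which is HTTP/2 enabled.
    foreach ($name in $values) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -eq $item) { 'absent (HTTP/2 enabled by default)' } else { $item.$name }
        [pscustomobject]@{ Value = $name; Current = $current }
    }
}

Write-Host 'HTTP.sys HTTP/2 settings before:'
Get-Http2State | Format-Table -AutoSize

if ($Disable) {
    foreach ($name in $values) {
        # DWORD 0 disables HTTP/2 for TLS and cleartext listeners respectively.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Write-Host 'HTTP/2 disabled in the registry; restart the HTTP service (net stop http /y; net start http; iisreset) or reboot to apply.'
    Get-Http2State | Format-Table -AutoSize
}
```

Clients fall back to HTTP/1.1 once HTTP/2 is off, so validate on a non-production host before rolling the change out, and track it so the switches can be reverted once the IIS patch ships.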
Another notable fix is for CVE-2026-42902, a local elevation of privilege to SYSTEM within the Microsoft PowerToys utility. This vulnerability was patched in PowerToys v0.99.1 on April 29, 2026, but was not explicitly mentioned in the release notes, potentially allowing attackers with patch-diffing tools to identify and exploit it.
Finally, in terms of product lifecycle, SQL Server 2016 will move into the Extended Security Updates (ESU) phase after July 14, 2026, with SharePoint 2016 and 2019 also reaching the end of their regular extended support on the same date.