Microsoft's June 2026 Patch Tuesday Addresses 206 Vulnerabilities, Including Three Publicly Disclosed Zero-Days
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities, including three publicly disclosed zero-days affecting Windows BitLocker, HTTP.sys, and the Windows Collaborative Translation Framework.

Microsoft's June 2026 Patch Tuesday has arrived, bringing fixes for 206 vulnerabilities across its product ecosystem. This month's release is particularly noteworthy for including patches for three zero-day vulnerabilities that had already been publicly disclosed, alongside 37 other Critical severity flaws and 166 additional vulnerabilities of varying impact.
The vulnerabilities addressed span a range of risk types, with elevation of privilege issues leading the pack at 65 patches (32%), followed closely by remote code execution (RCE) with 55 patches (27%), and information disclosure with 29 (13%). Microsoft Windows received the largest share of fixes with 120 patches, while Extended Security Updates (ESU) and Microsoft Office also saw significant attention with 103 and 54 patches respectively.
Among the publicly disclosed zero-days is CVE-2026-45586, an Important elevation of privilege vulnerability in the Windows Collaborative Translation Framework (CTFMON). This flaw, with a CVSS score of 7.8, allows a local attacker with low privileges to escalate to SYSTEM privileges without user interaction and with low attack complexity. Microsoft assesses exploitation as more likely, despite no current evidence of in-the-wild activity.
Another significant public disclosure is CVE-2026-50507, an Important security feature bypass vulnerability in Windows BitLocker. This vulnerability, rated at 6.8 CVSS, requires physical access to the target system but allows an unauthenticated attacker to bypass BitLocker Device Encryption and access encrypted data. While physical access is a prerequisite, the attack has low complexity and requires no privileges or user interaction. Microsoft also assesses exploitation as more likely for this flaw, noting the existence of proof-of-concept code.
The HTTP.sys kernel-mode HTTP server driver is also affected by two disclosed vulnerabilities. CVE-2026-49160 is an Important denial of service vulnerability (CVSS 7.5) that can be exploited by unauthenticated remote attackers. More seriously, CVE-2026-47291 is a Critical RCE vulnerability (CVSS 9.8) in HTTP.sys, allowing unauthenticated remote attackers to execute code by sending specially crafted packets. The mitigation for this RCE vulnerability is to ensure the MaxRequestBytes registry setting is not set higher than 65,534 bytes.
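As an added example (not from the article or from Microsoft), the following PowerShell script audits the MaxRequestBytes mitigation described above and can optionally apply it. It assumes the standard HTTP.sys parameters registry key and the 16384-byte built-in default, both taken from Microsoft's HTTP.sys registry documentation; the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the MaxRequestBytes ceiling for HTTP.sys.
# Path and default come from Microsoft's HTTP.sys registry documentation; the 65,534 ceiling
# is the value the article gives. Run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName = 'MaxRequestBytes'
$Ceiling   = 65534   # maximum acceptable value per the mitigation
$Default   = 16384   # HTTP.sys built-in default when the value is absent (assumed per docs)

function Get-MaxRequestBytes {
    # Returns the configured value, or $null when the value is absent (default in effect).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # REG_DWORD comes back as a signed Int32; mask to recover the unsigned value.
    return [uint32]($item.$ValueName -band 0xFFFFFFFF)
}

function Test-MaxRequestBytesMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)   # -Remediate lowers the value; honours -WhatIf / -Confirm

    $configured = Get-MaxRequestBytes
    $effective  = if ($null -eq $configured) { $Default } else { $configured }
    $compliant  = $effective -le $Ceiling

    [pscustomobject]@{
        Configured = $configured      # $null means "not set, default applies"
        Effective  = $effective
        Compliant  = $compliant
    }

    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName to $Ceiling")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Ceiling -Type DWord
        Write-Warning "HTTP.sys reads $ValueName at service start; restart the HTTP service (and dependents such as W3SVC) for the change to take effect."
    }
}

# Audit only; add -Remediate (optionally with -WhatIf) to enforce the ceiling.
Test-MaxRequestBytesMitigation
```

A Compliant value of True with Configured = $null means the system is relying on the built-in default rather than an explicit setting, which still satisfies the mitigation as the article states it.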
Beyond the zero-days, Microsoft has also patched CVE-2026-45657, a Critical RCE vulnerability in the Windows kernel with a CVSS score of 9.8. This flaw can be triggered by specially crafted network traffic, potentially allowing code execution with SYSTEM-level privileges without authentication. Additionally, CVE-2026-26142, a Critical RCE vulnerability in Nuance PowerScribe, a radiology reporting platform, has been addressed. This deserialization flaw (CVSS 9.8) could allow unauthenticated remote attackers to compromise sensitive medical data and clinical infrastructure.
The sheer volume of vulnerabilities patched, including multiple critical flaws and publicly disclosed zero-days, underscores the ongoing challenges in securing complex software ecosystems. Organizations are strongly urged to prioritize the deployment of these June security updates to mitigate the risks associated with these vulnerabilities, particularly those with known public disclosures or assessed as more likely to be exploited.
The article details several specific vulnerabilities beyond the three zero-days, including CVE-2026-45657, a critical use-after-free flaw in the Windows Kernel with a CVSS score of 9.8 that allows for remote code execution. It also highlights CVE-2026-47291 (integer overflow in HTTP.sys) and CVE-2026-44815 (stack-based buffer overflow in DHCP Client), both with CVSS 9.8 scores, and discusses the implications of the BitLocker bypass vulnerability CVE-2026-45585, for which a proof-of-concept exploit named YellowKey was released.
This month's Patch Tuesday is Microsoft's largest ever, addressing a record 206 vulnerabilities. Among these are three publicly disclosed zero-days: CVE-2026-50507 in BitLocker, CVE-2026-49160 in HTTP.sys for HTTP/2 Bomb DoS attacks, and CVE-2026-45586 in CTFMON enabling SYSTEM privilege escalation. While details were public, none are confirmed to be exploited in the wild.