Microsoft’s June 2026 Patch Tuesday Fixes 200 Flaws, Including Six Zero-Days
#Vulnerabilities


Security Reporter
7 min read

Microsoft’s June 2026 security update is a high-priority Patch Tuesday for Windows and Exchange teams, with one exploited Exchange flaw, multiple public Windows zero-days, and critical bugs across Office, RDP, Hyper-V, HTTP.sys, SharePoint, and Azure services.

Microsoft’s June 2026 Patch Tuesday is not a routine maintenance release. The company fixed 200 vulnerabilities, including six zero-days: five publicly disclosed before patches were available and one Microsoft Exchange Server flaw already exploited in attacks. For defenders, the priority is clear: patch Windows and Office quickly, validate Exchange mitigations, and give extra attention to BitLocker, HTTP.sys, Remote Desktop, Hyper-V, SharePoint, and internet-facing Windows Server workloads.


According to BleepingComputer’s Patch Tuesday coverage, the June 2026 release includes 33 Critical vulnerabilities. Microsoft’s official Security Update Guide lists affected products across Windows, Microsoft Office, Exchange Server, SharePoint, Visual Studio Code, Azure Kubernetes Service, Hyper-V, Remote Desktop Client, .NET, and other platform components.

The News Hook

The most urgent item is CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability that Microsoft says has been exploited. The attack path is concerning because it starts with email and Outlook Web Access. Microsoft describes the impact as browser-context JavaScript execution after a user opens a specially crafted email under certain interaction conditions.

Microsoft says arbitrary JavaScript can execute in the browser context.

That wording matters. A browser-context script in OWA is not the same as full server takeover, but it can still be useful to attackers. Depending on the user session, mail permissions, authentication state, and defensive controls, browser-side execution can support credential theft, mailbox abuse, session manipulation, phishing from trusted infrastructure, or follow-on social engineering.

Microsoft has not yet described the full exploitation chain publicly. The practical response is to treat exposed Exchange Server environments as high priority. Organizations should confirm that the Exchange Emergency Mitigation Service is enabled, review the Exchange Health Checker output, verify cumulative update levels, and watch OWA telemetry for unusual script behavior, unexpected mailbox actions, suspicious inbox rules, and anomalous authentication.

Expert Context

This month’s zero-day set is unusual because it mixes classic enterprise exposure with local and physical-access attack paths. The Exchange issue is the one known to be exploited, but the public Windows bugs deserve attention because exploit code or technical details were already circulating before the June patches landed.

The HTTP.sys issue, CVE-2026-49160, is a denial-of-service bug tied to HTTP/2 resource handling. Microsoft summarizes it this way:

“Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.”

Researchers Quang Luong and Codex of Calif.io disclosed the technique as “HTTP/2 Bomb.” The core idea is familiar to anyone who has managed application-layer denial-of-service risk: the attacker sends relatively small requests that cause the server to spend much larger memory or processing resources. HTTP/2 makes this especially interesting because header compression, stream management, and flow-control behavior can create sharp differences between traffic size and server-side cost.

Microsoft added a new MaxHeadersCount registry setting and published KB5102602 so administrators can limit the number of headers accepted in HTTP/2 and HTTP/3 requests. That is useful because it gives teams a tuning control in addition to patching. For IIS and Windows HTTP.sys operators, the work is not just “install update.” It is also “understand whether header limits should be set explicitly for your workload.”

The BitLocker issues are more physical, but that does not make them academic. CVE-2026-45585, associated in reporting with the “YellowKey” disclosure, affects systems using BitLocker Device Encryption. Microsoft’s advisory language is direct:

“An attacker with physical access to the target could exploit this vulnerability.”

The reported attack abused Windows Recovery Environment behavior to reach protected data on TPM-only BitLocker systems. That distinction is critical. TPM-only BitLocker protects well against many lost-device scenarios, but it does not require a user-entered pre-boot secret. When a recovery or boot-path flaw appears, TPM-only deployments can have less resistance than TPM+PIN configurations.

Another BitLocker bypass, CVE-2026-50507, is the fix that multiple researchers cited in the reporting believe addresses the “bitskrieg” issue. Windows security analyst Will Dormann warned that some systems may display a BitLocker key loading error after the fix. The reported recovery action is to disable and re-enable WinRE from an elevated command prompt using reagentc /disable followed by reagentc /enable. Administrators should test this in representative device groups before broad deployment, especially on fleets with custom recovery partitions, OEM images, or endpoint encryption management tools.

The remaining public zero-days include CVE-2026-45586, a Windows Collaborative Translation Framework elevation-of-privilege flaw linked in reporting to “GreenPlasma,” and CVE-2020-17103, the Windows Cloud Files Mini Filter Driver issue recently discussed as “Mini-Plasma.” Both are local privilege escalation problems, which means they are most dangerous after an attacker already has code execution as a lower-privileged user. That is still serious. Modern intrusions often start with phishing, stolen credentials, browser compromise, or a developer workstation foothold. Local privilege escalation is how attackers turn that first access into SYSTEM-level persistence, credential dumping, security tool tampering, and lateral movement.

Affected Platforms And Risk Areas

The affected surface is broad. Windows client and server systems receive fixes across kernel components, Win32K graphics, DWM, NTFS, Winlogon, TCP/IP, DHCP, Kerberos, Secure Boot, UEFI, BitLocker, Mark of the Web, Windows Shell, Remote Desktop, and HTTP.sys. Windows 11, Windows Server 2022, and Windows Server 2025 deserve special attention for the BitLocker and WinRE-related discussion, while internet-facing Windows Server roles need priority review for HTTP.sys and remote service exposure.

Exchange Server is a separate priority because CVE-2026-42897 is exploited and affects OWA-driven user interaction. Teams running Exchange Server 2016, Exchange Server 2019, or Exchange Server Subscription Edition should verify Microsoft’s current guidance through the Exchange Team Blog and the Exchange Emergency Mitigation Service documentation.

Office also has multiple critical remote code execution fixes, including Outlook and Word vulnerabilities. These are high-value targets because documents and email remain reliable delivery paths. Remote Desktop Client, Hyper-V, SharePoint Server, Azure Kubernetes Service, Visual Studio Code extensions, and .NET also appear in the June update set, so this is not a “Windows desktop only” month.

Practical Advice

Start with exploited and exposed systems. Exchange Server should be first in the queue because Microsoft has observed exploitation. Confirm emergency mitigations are active, then patch according to Microsoft’s release guidance. After patching, review OWA access logs, mailbox audit logs, suspicious inbox rules, OAuth consent events, and any recent authentication anomalies.

Next, patch internet-facing Windows Server systems, especially servers using IIS or services built on HTTP.sys. For CVE-2026-49160, review whether MaxHeadersCount should be configured. A lower header limit can reduce denial-of-service exposure, but it can also break applications that legitimately use many headers, large authentication metadata, or complex reverse proxy chains. Test with production-like traffic before applying aggressive limits.

For BitLocker, do not treat the fix as a normal endpoint patch and forget it. Inventory devices using TPM-only mode, especially executive laptops, developer workstations, shared kiosks, regulated-data endpoints, and systems at higher theft risk. Where the operational cost is acceptable, move sensitive devices to TPM+PIN. Also verify WinRE status after patching and test recovery workflows. A BitLocker deployment that cannot recover cleanly during an outage becomes its own availability risk.

For local privilege escalation bugs, prioritize systems where low-privilege access is common: virtual desktop infrastructure, jump hosts, developer machines, shared lab systems, help desk workstations, and servers where administrators occasionally browse, open files, or run tooling. These bugs are often chained with initial access, so least privilege, application control, endpoint detection, and credential isolation still matter after patching.

For Office and document-handling risk, patch Microsoft 365 Apps and supported Office builds quickly. Keep Protected View, Mark of the Web handling, attachment detonation, and email filtering enabled. If your organization allows Office macros or complex document automation, review whether those exceptions are still justified.

What Security Teams Should Measure

A useful Patch Tuesday process produces evidence, not just a ticket that says updates were deployed. Track which assets received the June 2026 cumulative updates, which systems failed installation, which systems require reboot, and which unsupported systems cannot receive fixes. For servers, confirm service health after reboot and keep a rollback plan for business-critical workloads.

For this month, add three focused checks. First, validate Exchange mitigation status and OWA telemetry. Second, verify BitLocker and WinRE behavior on a sample of patched laptops. Third, review HTTP.sys-facing servers for HTTP/2 and HTTP/3 exposure, then decide whether Microsoft’s MaxHeadersCount setting belongs in your baseline.
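The BitLocker inventory, WinRE verification, and MaxHeadersCount review described above can be collected as one per-host record. The following PowerShell helper is an added example, not Microsoft tooling or code from the article; it assumes the setting lives under the standard HTTP.sys parameters key (confirm the exact value name and path against KB5102602), and it uses the W3SVC service as a proxy for “this host serves HTTP.sys traffic” (other consumers such as WinRM exist). It must run elevated for reagentc and BitLocker queries.

```powershell
# Added post-patch audit helper (example code, not from the article or Microsoft).
# Emits one object per host covering the three June 2026 follow-up checks:
# TPM-only BitLocker volumes, WinRE status, and the HTTP.sys header limit.
function Get-JunePatchPosture {
    [CmdletBinding()]
    param(
        # Limit your team settled on after load testing; $null means report only.
        [Nullable[int]]$ExpectedMaxHeadersCount = $null
    )

    # Check 1: BitLocker protector types. A volume with a 'Tpm' protector and no
    # 'TpmPin*' protector is TPM-only and lacks a user-entered pre-boot secret.
    $tpmOnly = @()
    foreach ($vol in (Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = [bool]($types | Where-Object { $_ -like 'TpmPin*' })
        if (($types -contains 'Tpm') -and -not $hasPin) { $tpmOnly += $vol.MountPoint }
    }

    # Check 2: WinRE status. reagentc /info prints "Windows RE status: Enabled|Disabled".
    $reOutput     = & reagentc.exe /info 2>&1
    $reLine       = ($reOutput | Select-String 'Windows RE status').Line
    $winReEnabled = [bool]($reLine -match 'Enabled')

    # Check 3: HTTP.sys header limit. Path is an ASSUMPTION; verify against KB5102602.
    $httpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $maxHeaders = (Get-ItemProperty -Path $httpKey -Name MaxHeadersCount `
                   -ErrorAction SilentlyContinue).MaxHeadersCount
    $iis        = Get-Service -Name W3SVC -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        TpmOnlyVolumes    = ($tpmOnly -join ',')
        WinReEnabled      = $winReEnabled
        IisRunning        = [bool]($iis -and $iis.Status -eq 'Running')
        MaxHeadersCount   = $maxHeaders            # $null = not explicitly configured
        MaxHeadersMatches = $(if ($null -eq $ExpectedMaxHeadersCount) { 'not evaluated' }
                              else { $maxHeaders -eq $ExpectedMaxHeadersCount })
        NeedsFollowUp     = (($tpmOnly.Count -gt 0) -or (-not $winReEnabled))
    }
}

# Local run; fan out with Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-JunePatchPosture}
Get-JunePatchPosture | Format-List
```

Export the objects to CSV from the orchestration host so the June record shows which laptops are still TPM-only, which devices came back with WinRE disabled after the fix, and which HTTP.sys servers carry an explicit header limit.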

The broader lesson is that Patch Tuesday risk is no longer just a count of CVEs. The details matter: one exploited Exchange issue, several public Windows zero-days, a protocol-level denial-of-service weakness, and physical-access BitLocker bypasses require different owners and different response playbooks. The trusted-advisor approach is to sequence the work by attacker opportunity: exploited first, internet-facing second, privilege escalation on high-value endpoints third, and broad productivity platforms close behind.
