Microsoft's June 2026 Patch Tuesday Tackles 200 Flaws and Three Zero-Days, Including a BitLocker Bypass and an HTTP/2 Memory Bomb
#Vulnerabilities


Security Reporter

Microsoft shipped fixes for 200 vulnerabilities this month, three of them publicly disclosed before patches landed. None are known to be exploited yet, but a BitLocker bypass that defeats encryption with physical access and a new HTTP/2 denial-of-service technique stand out for admins who need to prioritize.

Microsoft's June 2026 Patch Tuesday is one of the heavier ones in recent memory, with security updates covering 200 flaws and three publicly disclosed zero-day vulnerabilities. None of the three are known to be exploited in the wild yet, but two of them came out of a researcher's ongoing public campaign against Microsoft's disclosure practices, which means working details are already circulating. That changes the math on how quickly you patch.


The raw counts break down into 65 elevation of privilege bugs, 55 remote code execution flaws, 30 information disclosure issues, 27 spoofing vulnerabilities, 19 security feature bypasses, and 7 denial-of-service flaws (those per-category figures add up to 203 rather than 200, so treat the breakdown as approximate rather than exact). Thirty-three of the total carry a Critical rating, and 28 of those are remote code execution. The total excludes separately patched cloud components such as Azure HorizonDB and the various Copilot products, and it excludes the 360 Edge/Chromium fixes that Google handled upstream this month.

The three zero-days you should read first

When a vulnerability is publicly disclosed before a fix exists, the defender's window shrinks. Attackers do not have to discover anything. They read the same writeup you do. All three of this month's zero-days fall into that category, so they belong at the top of your queue regardless of whether telemetry shows exploitation yet.

CVE-2026-50507, a BitLocker security feature bypass, is the one that should worry anyone managing laptops in the field. The flaw lets an attacker with physical access reach an encrypted drive without the credentials that are supposed to protect it. BleepingComputer identified this as the "YellowKey" vulnerability disclosed by a researcher operating under the name Nightmare Eclipse. The attack is unsettling in its simplicity: place specially crafted files on a USB drive or the EFI partition, boot into the Windows Recovery Environment, and hold down the CTRL key to drop into a command shell with full access to BitLocker-protected drives.

The systems most at risk are those relying on TPM-only protection, which is the default many organizations never change. With TPM-only, the TPM unseals the volume key for any boot path whose measurements it accepts and never asks the user for a secret, so a trick that gets a shell inside an accepted boot path inherits an unlocked drive. Microsoft had previously offered a temporary mitigation, and it remains good advice even after patching: switch from TPM-only to TPM plus PIN. Requiring a PIN at boot means the key is not released until someone types a secret that the attacker holding the laptop does not have, which closes the gap that lets a recovery-environment trick reach your keys. If your fleet includes Windows 11 or Windows Server 2022 and 2025 machines that travel, this is the change to make this week.
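One way to find TPM-only volumes and convert them, using the BitLocker PowerShell module. This is an added example written for this article, not Microsoft's own guidance or script. It assumes an elevated session on a machine where no domain GPO overrides the local BitLocker policy values (the FVE registry names are Microsoft's documented policy keys), and it keeps a recovery password protector in place so a forgotten PIN does not lock you out of the volume:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit BitLocker protectors on this host
# and move operating-system volumes from TPM-only to TPM+PIN.

function Get-TpmOnlyVolumes {
    # "TPM-only" here means: a Tpm protector is present and no protector that
    # demands a user secret at boot (TpmPin or TpmPinStartupKey) exists.
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType)
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        $types -contains 'Tpm' -and
        $types -notcontains 'TpmPin' -and
        $types -notcontains 'TpmPinStartupKey'
    }
}

function Enable-TpmPinPolicy {
    # Local equivalent of the "Require additional authentication at startup"
    # policy. Values: 0 = do not allow, 1 = require, 2 = allow.
    # Assumption: no domain GPO rewrites these keys on the next refresh.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord  # require TPM+PIN
    Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord  # forbid new TPM-only protectors
    Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord
    Set-ItemProperty -Path $fve -Name UseEnhancedPin     -Value 1 -Type DWord  # allow non-numeric PINs
}

function ConvertTo-TpmPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never leave a volume without a recovery path: add a recovery password
    # protector if the volume does not already have one, and escrow it.
    if (@($vol.KeyProtector.KeyProtectorType) -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Add the TPM+PIN protector before removing the bare TPM one, so the volume
    # is never left with no unlock path. Add-BitLockerKeyProtector refuses
    # -TpmAndPinProtector when policy forbids it, hence Enable-TpmPinPolicy first.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, ProtectionStatus,
            @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage: tighten policy, then convert every TPM-only OS volume on this machine.
Enable-TpmPinPolicy
$pin = Read-Host -AsSecureString 'Startup PIN for this device'
Get-TpmOnlyVolumes | ForEach-Object { ConvertTo-TpmPin -MountPoint $_.MountPoint -Pin $pin }
```

The ordering matters: policy first, then the TPM+PIN protector, and only then removal of the TPM-only protector. On a managed fleet the policy half belongs in Group Policy or Intune rather than a local script, and the PIN has to reach the user through some channel, since the PIN is the whole point. Patch regardless; TPM+PIN raises the bar for this class of attack, it does not remove the bug.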

CVE-2026-49160, dubbed the "HTTP/2 Bomb," is a denial-of-service flaw in HTTP.sys disclosed by Quang Luong and Codex of the offensive security firm Calif.io. It abuses HPACK, the header compression HTTP/2 uses, together with the protocol's flow control. An attacker sends a very small amount of data that forces the server to allocate a disproportionately large amount of memory for the decompressed headers, then uses flow-control settings to keep that memory tied up so the server never frees it. The result is ballooning memory consumption that can degrade performance or knock a service offline entirely.

This is a familiar shape of attack. Protocols that trade compression and multiplexing for efficiency keep producing amplification bugs, because the same mechanism that lets a client say a lot with a little also lets a malicious client cost a lot with a little. Microsoft's fix introduces a new MaxHeadersCount registry setting that caps how many headers an HTTP/2 or HTTP/3 request can carry. The guidance lives in KB5102602. Patch the binary, but also consider setting a sane header limit, since defense-in-depth against resource exhaustion is worth the few minutes it takes.
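To apply the cap and verify the result after the update is installed, an added example that is not taken from KB5102602 or from Microsoft's documentation, so check the KB's own value semantics before deploying it: the MaxHeadersCount value name is the one the article reports, the registry key is the long-standing HTTP.sys Parameters key (an assumption about where the KB places the new value), and the limit of 100 headers is this example's choice rather than a Microsoft default. The two older limits, MaxFieldLength and MaxRequestBytes, are established HTTP.sys settings included for the defense-in-depth the paragraph recommends:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or KB5102602): cap HTTP/2 and HTTP/3 header
# counts in HTTP.sys and report the limits that bound per-request memory.
# Assumptions: MaxHeadersCount lives under the HTTP.sys Parameters key, and
# 100 headers per request is a limit this example picks, not a Microsoft default.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysHardening {
    # A missing value means HTTP.sys uses its built-in default; the documented
    # defaults for MaxFieldLength and MaxRequestBytes are 16 KB each.
    $defaults = @{ MaxFieldLength = 16384; MaxRequestBytes = 16384 }
    foreach ($name in 'MaxHeadersCount', 'MaxFieldLength', 'MaxRequestBytes',
                      'EnableHttp2Tls', 'EnableHttp2Cleartext', 'EnableHttp3') {
        $item  = Get-ItemProperty -Path $httpParams -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{ Name = $name; Value = $value; Default = $defaults[$name] }
    }
}

function Set-HttpSysHeaderLimits {
    param(
        [ValidateRange(1, 65535)][int]$MaxHeadersCount = 100,          # headers per HTTP/2 or HTTP/3 request
        [ValidateRange(64, 65534)][int]$MaxFieldLength = 16384,        # bytes per header field (default)
        [ValidateRange(256, 16777216)][int]$MaxRequestBytes = 16384    # request line plus headers (default)
    )
    if (-not (Test-Path $httpParams)) { New-Item -Path $httpParams -Force | Out-Null }
    Set-ItemProperty -Path $httpParams -Name MaxHeadersCount -Value $MaxHeadersCount -Type DWord
    Set-ItemProperty -Path $httpParams -Name MaxFieldLength  -Value $MaxFieldLength  -Type DWord
    Set-ItemProperty -Path $httpParams -Name MaxRequestBytes -Value $MaxRequestBytes -Type DWord

    # HTTP.sys reads Parameters when the driver starts. Restarting it stops
    # everything layered on it (IIS, WinRM, WSUS), so bring those back afterwards.
    # A reboot is the cleaner path on a production host.
    $dependents = (Get-Service -Name HTTP).DependentServices | Where-Object Status -eq 'Running'
    Restart-Service -Name HTTP -Force
    $dependents | Start-Service
    Get-HttpSysHardening
}

# Usage: show the current state, apply the limits, then show the result.
Get-HttpSysHardening | Format-Table -AutoSize
Set-HttpSysHeaderLimits -MaxHeadersCount 100 | Format-Table -AutoSize
```

Pick the header count from what your applications actually send (browsers and API clients rarely exceed a few dozen headers) and watch for 400-class errors after the change, since a cap that is too low is its own denial of service. If EnableHttp2Tls, EnableHttp2Cleartext and EnableHttp3 all read as absent or zero, HTTP.sys is still using its built-in defaults for those protocols, so do not assume HTTP/2 is off just because you never turned it on.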


CVE-2026-45586 is a Windows Collaborative Translation Framework (CTFMON) elevation of privilege flaw that hands an attacker SYSTEM. Microsoft describes it as improper link resolution before file access, the classic "link following" pattern where a process can be tricked into operating on a file an attacker controls. BleepingComputer connected this to the "GreenPlasma" zero-day, also from Nightmare Eclipse. It is worth understanding the backdrop here. Nightmare Eclipse has released a string of Windows zero-days, including BlueHammer, MiniPlasma, RedSun, UnDefend, and YellowKey, explicitly as a protest against how Microsoft runs its bug bounty and disclosure programs. Whatever you think of that approach, the practical effect for defenders is a batch of privilege-escalation primitives published with working detail, which is exactly why these local EoP bugs deserve more attention than their "Important" rating might suggest.

Where the real volume lives

Look past the zero-days and the shape of this month's release tells a story. SharePoint accounts for a remarkable cluster of spoofing vulnerabilities, more than twenty CVEs in total, alongside a couple of remote code execution flaws. If you run SharePoint Server on-premises, this is a month to schedule a real maintenance window rather than hoping the next reboot picks things up. Spoofing flaws in collaboration platforms tend to feed phishing and content-injection attacks that are hard to spot after the fact.

Office and its components, especially Excel, Word, and Outlook, carry a thick layer of remote code execution bugs, several rated Critical. CVE-2026-45458, CVE-2026-45456, and CVE-2026-47635 are all Outlook and Word RCE flaws, the kind that can trigger through a malicious document or, in the worst case, a preview pane. User-facing RCE in Office remains one of the most reliable initial-access routes attackers have, which is why these belong in the same priority tier as the server bugs even though they require a user to open something.

The Remote Desktop Client also stands out, with a long run of RCE vulnerabilities including multiple Critical entries like CVE-2026-44801, CVE-2026-44799, and CVE-2026-48563. These are client-side, meaning the risk surfaces when a user connects to a malicious or compromised RDP host. Anyone whose support or admin workflows involve connecting outbound to varied endpoints should treat these seriously.

On the infrastructure side, there are Critical RCE flaws in Windows Hyper-V (CVE-2026-47652, CVE-2026-45607, CVE-2026-45641), the Kerberos Key Distribution Center (CVE-2026-47288), HTTP.sys (CVE-2026-47291, separate from the DoS bomb above), Active Directory Domain Services (CVE-2026-45648), and the DHCP Client (CVE-2026-44815). Hyper-V and KDC bugs are the ones that keep virtualization and identity teams up at night, since a guest-to-host escape or a domain controller compromise undoes a lot of other controls in one move.

A patching order that makes sense

With 200 flaws, nobody patches everything at once. A workable sequence: start with the BitLocker bypass on any device that leaves the building, because physical-access encryption defeat is a containment failure you cannot walk back. Move to internet-facing and identity infrastructure next, the HTTP.sys, KDC, AD DS, and Hyper-V Critical RCE flaws, since those are the load-bearing walls. Then knock out the Office and RDP client RCE bugs that ride in through users. Fold the publicly disclosed EoP flaws into the same pass, because chained with any of the above they turn a foothold into full control.

Don't let the cloud and browser fixes fall off your radar just because Microsoft counts them separately. The Android June bulletin patched 124 flaws including one actively exploited bug, Google shipped another exploited Chrome zero-day, and Veeam, Cisco, Fortinet, Ivanti, SAP, and Adobe all pushed updates this cycle. The Cisco SD-WAN zero-day and the Check Point VPN flaw used in Qilin ransomware attacks are reminders that the edge of your network is where attackers prefer to start. Patch Tuesday is the anchor, but it is not the whole month's work.

The pattern worth carrying forward from this release is that disclosure timing now drives priority as much as severity scores do. Two of this month's three zero-days are rated only Important, yet they came with public detail and a researcher motivated to make noise. CVSS tells you how bad a bug could be. Public availability of working details tells you how soon someone will try it. This month, the second signal is the one pointing at BitLocker, and that is where your first hour should go.
