Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws

Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.

This Patch Tuesday addresses 33 “Critical” vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw.

The number of bugs in each vulnerability category is listed below:

• 65 Elevation of Privilege Vulnerabilities
• 19 Security Feature Bypass Vulnerabilities
• 55 Remote Code Execution Vulnerabilities
• 30 Information Disclosure Vulnerabilities
• 7 Denial of Service Vulnerabilities
• 27 Spoofing Vulnerabilities

When GeekFeed reports on Patch Tuesday security updates, we only count those released by Microsoft today.

Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.

There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5094126 & KB5093998 cumulative updates and the Windows 10 KB5094127 extended security update.

Microsoft patches 5 zero-days

This month’s Patch Tuesday fixes six zero-day vulnerabilities, with five publicly disclosed and one exploited in attacks.

Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

The zero-days addressed during this month’s Patch Tuesday are:

CVE-2026-45586 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability

Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.

“Improper link resolution before file access (‘link following’) in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally,” explains Microsoft.

Microsoft credited the flaw to an anonymous researcher, but GeekFeed has learned that this is a fix for the “GreenPlasma” zero-day flaw that was disclosed by security researcher Nightmare Eclipse.

GreenPlasma is a privilege escalation vulnerability that could be exploited to obtain a shell with SYSTEM permissions.

Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, RedSun, UnDefend, and YellowKey (also fixed today), in protest of Microsoft’s handling of its bug bounty and vulnerability disclosure programs.

CVE-2026-49160 – HTTP.sys Denial of Service Vulnerability

Microsoft has patched a publicly disclosed HTTP/2 denial-of-service flaw, called “HTTP/2 Bomb,” that researchers at the offensive security firm Calif. disclosed this month.

“Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network,” explains Microsoft.

The HTTP/2 Bomb attack is a denial-of-service technique that abuses how the HTTP/2 protocol compresses and manages web traffic headers, allowing attackers to send very small amounts of data that force servers to allocate disproportionately large amounts of memory.

Researchers found the attack could dramatically increase memory usage on affected servers. Attackers can also keep the memory tied up by manipulating flow-control settings, preventing the server from freeing resources and potentially causing performance issues or outages.

To help mitigate this attack, Microsoft has introduced a new “MaxHeadersCount” registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.

“Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602,” continued Microsoft.

This flaw was attributed to Quang Luong and Codex of Calif.io.

CVE-2026-45585 – Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw known as “YellowKey” that allowed local attackers to gain access to an encrypted drive.

“A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data,” explains Microsoft.

WWhile Microsoft attributed the flaw to an anonymous researcher, Nightmare Eclipse also publicly disclosed it last month.

The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to encrypted BitLocker-protected drives.

The flaw primarily affects systems that use TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue, including enabling TPM+PIN authentication instead of relying solely on TPM protection.

Microsoft previously shared mitigations for the flaw in May, but it has been patched as part of this month’s security updates.

CVE-2026-50507 – Windows BitLocker Security Feature Bypass Vulnerability

Microsoft has patched another BitLocker bypass flaw that allows local attackers to access encrypted drives.

“A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data,” explains Microsoft.

While Microsoft did not attribute this flaw to anyone, this security update is believed to fix a BitLocker zero-day vulnerability known as “bitskrieg.”

Last Friday, Windows security expert Jonas Lykkegaard disclosed the bitskrieg BitLocker bypass vulnerability on X.

Will Dormann, principal vulnerability analyst at Tharros, now says that Microsoft has fixed this vulnerability as part of the security update for CVE-2026-50507.

However, Dormann warns that the fix could cause Windows devices to display an error stating, “A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly.”

If you receive this error, Dormann says you can fix it by turning WinRE on and off in an elevated CMD prompt using these commands:

reagentc /disable
reagentc /enable

CVE-2020-17103 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Microsoft fixed a publicly disclosed “Mini-Plasma” zero-day vulnerability that gives SYSTEM privileges.

“To comprehensively address the vulnerability identified by CVE-2020-17103 and recently publicly referred to as “Mini-Plasma” Microsoft recommends installing the June 2026 updates for your Windows operating systems,” explains Microsoft.

This flaw was also disclosed by Nightmare Eclipse, who said it was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.

At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020. However, Nightmare Eclipse said that the flaw was still exploitable, and it was unclear if Microsoft never fully patched the issue or the patch was silently reintroduced at some point.

The actively exploited vulnerability is:

CVE-2026-42897 – Microsoft Exchange Server Spoofing Vulnerability

Microsoft fixed an actively exploited Microsoft Exchange Server spoofing vulnerability that can execute JavaScript in a target’s browser.

“An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context,” explains Microsoft.

Microsoft says they are still working on an update for this vulnerability, but are pushing out mitigations through the Exchange Emergency Mitigation Service, which should be enabled by defaul

Microsoft has not shared who disclosed this vulnerability and how it was exploited.

Recent updates from other companies

Other vendors who released updates or advisories in May 2026 include:

• Acer warned about two maximum-severity unpatched flaws in Acer Wave 7 Routers that could be used to hijack routers.
• Adobe released security updates for Experience Manager, InDesign, InCopy, Substance 3D Sampler, Dreamweaver, Reader, ColdFusion, and more.
• Check Point released security updates for a Remote Access VPN and Mobile Access flaw that was exploited in Qilin ransomware attacks.
• Cisco released security updates for numerous products, including a Unified CM flaw with a PoC exploit and an SD-WAN zero-day exploited in attacks.
• Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, and FortiProxy.
• Google released Android’s June security bulletin, fixing 124 flaws and one actively exploited vulnerability. The company also fixed a new Google Chrome zero-day that was exploited in attacks.
• Ivanti released security updates for vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry, with none exploited in the wild.
• Ubiquiti released security updates for three vulnerabilities with maximum severity ratings that could lead to remote code execution. 
• SAP released the June security updates, which include fixes for four critical flaws.
• Veeam released security updates for a critical Backup & Replication security flaw that can be exploited to gain remote code execution (RCE) on domain-joined backup servers.

The June 2026 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the May 2026 Patch Tuesday updates, excluding flaws fixed before today.

6/10/26: Updated article to include three more zero-days fixed in the June 2026 Patch Tuesday updates. Also, corrected the information on CVE-2026-45585, which is actually for the YellowKey flaw.