Microsoft’s June 2026 Patch Tuesday, released on June 10, 2026, addressed 200 security vulnerabilities across Windows, Office, Azure, and related products—the largest single Patch Tuesday release in the programme’s history, surpassing the previous record of 167 CVEs. The update includes fixes for three publicly disclosed zero-day vulnerabilities and 33 critical-severity flaws.
The June 2026 release patches vulnerabilities across all major Microsoft product families: Windows 11 and Windows Server, Microsoft Office, Exchange Server, .NET Framework, Azure services, Hyper-V, Remote Desktop Services, and HTTP.sys.
Of the 200 CVEs addressed, 33 are rated Critical, 166 are rated Important, and one is rated Moderate. Twenty-eight of the critical flaws are remote code execution vulnerabilities, four are elevation of privilege issues, and one is an information disclosure flaw.
June 2026 Patch Tuesday: Three Zero-Day Vulnerabilities
This month’s release includes patches for three publicly disclosed zero-days. None are currently known to be under active exploitation, but security researchers note that patch reversal is underway. CVE-2026-50507 – Windows BitLocker Bypass (publicly disclosed): This vulnerability, nicknamed “YellowKey” by the researcher who discovered it, allows a local attacker with physical access to a device to bypass BitLocker’s full-disk encryption and access data on an encrypted drive.
The flaw requires local access and an elevated privilege context, reducing immediate remote risk—but it is significant for organisations that rely on BitLocker to protect data on lost or stolen hardware. The severity rating is Important.
CVE-2026-49160 – HTTP/2 Denial of Service (publicly disclosed): Dubbed “HTTP/2 Bomb,” this vulnerability was publicly disclosed by researchers at offensive security firm Calif before the patch was available. An unauthenticated remote attacker can exhaust server memory by sending crafted HTTP/2 frames, causing denial of service on Windows IIS and other HTTP.sys-dependent services.
CVE-2026-45586 – Windows CTFMON Privilege Escalation (publicly disclosed): This elevation-of-privilege flaw in the Windows Collaborative Translation Framework Monitor (ctfmon.exe) grants a logged-in attacker SYSTEM-level privileges. While exploitation requires local access, it is a valuable component in multi-stage attack chains following initial compromise.
Headline Critical Vulnerability: CVE-2026-45657
Beyond the three zero-days, security professionals should prioritise CVE-2026-45657, a Windows Kernel use-after-free vulnerability with a CVSS score of 9.8. The flaw stems from improper handling of TCP/IP operations within the Windows Kernel and allows a remote, unauthenticated attacker to execute arbitrary code at the SYSTEM level with no user interaction.
Microsoft has classified it as “wormable” under certain network configurations. “CVE-2026-45657 is the kind of vulnerability that keeps defenders up at night,” said a Zero Day Initiative researcher. The CVSS 9.8 score, combined with wormable potential, means we could see mass exploitation the moment a reliable exploit is developed.
Mitigation Steps
- Deploy June 2026 cumulative updates (KB5094126 for Windows 11, KB5094127 for Windows 10) without delay.
- Prioritise CVE-2026-45657 patching on all internet-accessible Windows systems.
- Apply the IIS/HTTP.sys patch for CVE-2026-49160 on all public-facing web servers.
- Audit BitLocker-protected device inventory and apply CVE-2026-50507 patches before deploying new field hardware.
- Review CTFMON and SYSTEM privilege escalation detections in endpoint security tooling.
- Use the Microsoft Security Update Guide (msrc.microsoft.com) to filter by CVSS >= 9.0 for prioritisation.
- Validate patch deployment through automated compliance reporting within 72 hours.
