Microsoft June 2026 Patch Tuesday Fixes Record Breaking 200+ Vulnerabilities Including 3 Zero-days

Microsoft has released one of its largest security updates of the year, addressing over 200 vulnerabilities across its software ecosystem as part of its June 2026 Patch Tuesday rollout. The record number of vulnerabilities this month smashes the previous record of 170 vulnerabilities set in Patch Tuesday October 2025 edition.

The update includes fixes for three publicly disclosed zero-day vulnerabilities and dozens of critical flaws that could pose significant risks to enterprises, government agencies, and consumers worldwide.

The June release highlights the growing complexity of defending modern Windows environments as threat actors increasingly target privilege escalation mechanisms, authentication frameworks, encryption systems, and internet-facing services. While Microsoft said none of the three zero-day vulnerabilities were known to have been actively exploited prior to patching, their public disclosure heightened concerns among security professionals who have urged organizations to prioritize deployment of the updates.

The latest security release addresses 33 vulnerabilities classified as Critical, including 28 remote code execution flaws, four elevation-of-privilege vulnerabilities, and one information disclosure issue. Vulnerabilities enabling remote code execution remain among the most dangerous categories because they can potentially allow attackers to execute malicious code without requiring physical access to a targeted system.

According to Microsoft’s advisory, the June Patch Tuesday release includes:

• 7 Denial of Service vulnerabilities
• 19 Security Feature Bypass vulnerabilities
• 27 Spoofing vulnerabilities
• 30 Information Disclosure vulnerabilities
• 55 Remote Code Execution vulnerabilities
• 65 Elevation of Privilege vulnerabilities

The most closely watched vulnerabilities in this month’s release are three zero-day flaws that became publicly known before patches were available.

Microsoft categorizes a vulnerability as a zero-day when it is either actively exploited or publicly disclosed before an official fix is released. Although there is currently no evidence that attackers exploited these vulnerabilities in the wild, security experts warn that public disclosure significantly increases the likelihood of attempted attacks.

One of the patched flaws, tracked as CVE-2026-45586, affects the Windows Collaborative Translation Framework, commonly associated with the CTFMON process responsible for managing text input, language services, and accessibility functions across Windows systems.

Microsoft described the issue as an improper link resolution vulnerability that could allow an authenticated local attacker to elevate privileges to SYSTEM level, the highest privilege level available on Windows systems.

Obtaining SYSTEM privileges effectively gives attackers unrestricted control over an affected machine, allowing them to install software, manipulate security controls, access sensitive information, and maintain persistence within a compromised environment.

While Microsoft acknowledged that the vulnerability had been publicly disclosed before patching, the company has not provided detailed information regarding how the flaw became public or whether proof-of-concept exploit code exists.

Privilege escalation vulnerabilities remain a crucial component of modern attack chains, often enabling attackers who have already gained initial access through phishing campaigns, malware infections, or credential theft to expand their control over a targeted environment.

Another notable vulnerability addressed this month is CVE-2026-49160, a denial-of-service flaw affecting Microsoft’s HTTP.sys component, a kernel-level driver used by Windows web servers and numerous applications that rely on HTTP communications.

The vulnerability has been nicknamed the “HTTP/2 Bomb” by researchers who discovered it.

Researchers from offensive security company Calif identified a method of exploiting weaknesses in HTTP/2 header compression and resource allocation mechanisms. The attack allows malicious actors to send relatively small requests that force servers to allocate disproportionately large amounts of memory.

The imbalance can rapidly exhaust system resources, potentially causing service degradation, application instability, or complete outages.

Researchers found that attackers could further intensify the impact by manipulating HTTP flow-control settings, preventing servers from reclaiming allocated memory and prolonging resource exhaustion.

The discovery raises broader concerns about protocol-level attacks targeting modern internet infrastructure. As HTTP/2 and HTTP/3 continue to replace legacy web communication standards, security researchers have increasingly focused on identifying implementation weaknesses capable of generating asymmetric resource consumption.

To mitigate the threat, Microsoft introduced a new registry setting called “MaxHeadersCount,” allowing administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests. Security teams are being encouraged to review deployment guidance and consider implementing the additional hardening measure alongside patch deployment.

Industry experts note that organizations operating public-facing web applications, cloud services, API platforms, and enterprise gateways should prioritize testing and deployment of the fix due to the potential for remote disruption.

Perhaps the most controversial vulnerability addressed this month is CVE-2026-50507, a security feature bypass affecting Microsoft’s BitLocker full-disk encryption technology.

Microsoft stated that the flaw could allow an attacker with physical access to bypass BitLocker protections and gain access to encrypted data.

Although Microsoft’s advisory provided limited technical details, security researchers have linked the update to the previously disclosed “YellowKey” vulnerability, which emerged publicly in May.

According to reports, YellowKey allowed attackers to leverage specially crafted files placed on a USB device or EFI partition before booting into the Windows Recovery Environment. Under specific conditions, pressing the CTRL key could trigger an unrestricted command shell, potentially exposing encrypted drives that relied solely on Trusted Platform Module (TPM) protection.

The vulnerability primarily affected systems configured with TPM-only BitLocker authentication, a common deployment model across many enterprise and consumer environments.

Before the release of today’s patch, Microsoft had advised organizations to strengthen protection by enabling TPM-plus-PIN authentication, adding an additional verification step during system startup.

The incident has renewed debate within the cybersecurity community regarding physical security assumptions and the resilience of full-disk encryption implementations against increasingly sophisticated attack techniques.

The BitLocker issue also highlights ongoing tensions between independent security researchers and major technology vendors.

Researchers familiar with the disclosure process believe the patched vulnerability corresponds to findings released by cybersecurity researcher Nightmare Eclipse, who has recently published several high-profile Windows security flaws, including attacks known as BlueHammer, MiniPlasma, RedSun, and UnDefend.

The disclosures have attracted significant attention throughout the security industry because they were accompanied by criticism of Microsoft’s vulnerability disclosure and bug bounty processes.

Industry observers note that disagreements between researchers and software vendors have become increasingly common as vulnerability research grows more sophisticated and organizations seek greater transparency regarding patch timelines and remediation efforts.

Beyond the three publicly disclosed zero-days, security teams face the challenge of evaluating and deploying fixes for nearly 200 vulnerabilities across diverse environments.

Large enterprises often require extensive testing before deploying patches to production systems due to concerns about compatibility, operational disruption, and business continuity.

However, delaying deployment can significantly increase organizational risk. Once security updates become available, threat actors frequently analyze patches to identify underlying vulnerabilities and develop exploit code targeting unpatched systems.

This practice, often referred to as “patch diffing,” has become a common technique among both cybercriminal groups and state-sponsored threat actors.

Organizations should prioritize systems exposed to the internet, domain controllers, administrative workstations, and servers running critical business applications.

Particular attention should be paid to environments using:

• Windows Server deployments exposed to web traffic
• BitLocker-protected devices relying solely on TPM authentication
• Enterprise systems where privilege escalation could facilitate lateral movement
• Public-facing applications utilizing HTTP.sys
• High-value systems storing sensitive corporate or government data

Experts also recommend reviewing security baselines, enabling multifactor authentication, restricting administrative privileges, and maintaining offline backups as complementary measures alongside patch deployment.

The June 2026 Patch Tuesday release underscores the increasingly complex threat landscape facing Windows administrators and enterprise defenders. With 200 vulnerabilities addressed, including three publicly disclosed zero-days and dozens of critical flaws, Microsoft’s latest security update serves as another reminder that patch management remains one of the most important defenses against modern cyber threats.

As attackers continue searching for opportunities to exploit privilege escalation pathways, encryption weaknesses, and network-facing services, organizations that fail to maintain timely patching practices may find themselves increasingly exposed to operational disruption, data theft, and ransomware attacks in the months ahead.

The full list of CVEs addressed by Microsoft is available HERE