Patch Tuesday June 2026: Microsoft Fixes 200 Security Flaws, Including 3 Zero-Days
Microsoft’s June 2026 Patch Tuesday release is a busy one: 200 security flaws have been fixed across Microsoft products and services. Among them are 3 already-disclosed zero-day vulnerabilities. Here’s what you need to know.
Like many other vendors, Microsoft is seeing a clear trend: using AI to find security flaws. The company’s Redmond teams also rely on the multi-agent system called MDASH to carry out this research. As a result, the Patch Tuesday released on Tuesday, June 9, 2026, includes a large number of security issues: 200 in total, including 33 critical vulnerabilities. That is a lot. I would even say more than usual.
Here is the list of critical security flaws first:
- Active Directory Domain Services (AD DS): CVE-2026-45648
- Windows - Kerberos: CVE-2026-47288
- Remote Desktop Client: CVE-2026-42985, CVE-2026-47289, CVE-2026-47654, CVE-2026-42992, CVE-2026-44801, CVE-2026-44799, CVE-2026-48563
- Hyper-V: CVE-2026-45641, CVE-2026-47652, CVE-2026-45607
- Windows - Cryptographic Services: CVE-2026-44810, CVE-2026-42987
- Windows - DHCP Client: CVE-2026-44815
- Windows - HTTP.sys: CVE-2026-47291
- Windows Media: CVE-2026-48574
- Windows Win32K - GRFX: CVE-2026-44812, CVE-2026-44803
- Windows Kernel: CVE-2025-10263, CVE-2026-45657
- Microsoft Azure Attestation: CVE-2026-33828
- Microsoft Azure Kubernetes Service: CVE-2026-32193
- Microsoft Office: CVE-2026-45463, CVE-2026-45474, CVE-2026-45472, CVE-2026-45458, CVE-2026-45460, CVE-2026-47635, CVE-2026-45456, CVE-2026-45461
- Linux - MANA Driver: CVE-2026-45476
- Nuance PowerScribe: CVE-2026-26142
Ouch, that is a really large number of critical security flaws. What surprises me most is the discovery of 11 security flaws, including 7 critical ones, in Windows Remote Desktop Client alone! For several of these vulnerabilities, remote code execution is involved: if a user connects via RDP to a server controlled by an attacker, the attacker could execute code remotely on the user’s machine.
June 2026 Zero-Day Vulnerabilities
Let’s take a moment to look at the three zero-day vulnerabilities patched by Microsoft. These are vulnerabilities that have already been disclosed but not yet exploited. As we will see, these are flaws that have already made headlines in recent weeks.
CVE-2026-45586 a.k.a. GreenPlasma
The first zero-day is CVE-2026-45586, a vulnerability that allows privilege escalation on Windows via CTFMON. When an attacker exploits this flaw, they can obtain SYSTEM privileges.
Microsoft explains: "An incorrect link resolution before file access in Windows Collaborative Translation Framework allows an authorized attacker to elevate local privileges."
This security update actually fixes the GreenPlasma vulnerability, recently disclosed by researcher Nightmare Eclipse. However, Microsoft did not credit him, as it states the issue was reported by an anonymous researcher. It must be said that things have been heating up recently between the two parties, and Microsoft even went as far as removing Nightmare Eclipse’s GitHub account (it is back, though, and I will cover that in another article).
CVE-2026-50507 a.k.a. YellowKey
The second zero-day is CVE-2026-50507, and once again it brings me back to Nightmare Eclipse. This security update corresponds to the YellowKey vulnerability he discovered in BitLocker. It allows BitLocker to be bypassed on Windows machines and therefore grants access to data normally protected by encryption.
According to Microsoft: "A security feature bypass vulnerability in Windows BitLocker allows an unauthorized attacker to bypass a security feature via physical attack." Indeed, physical access is required to exploit this vulnerability, notably by using media such as a USB drive.
The issue affects systems where BitLocker is enabled and configured to use TPM-only protection to unlock the encrypted drive. Microsoft had previously shared temporary mitigation steps, mentioned in this article. This includes adjusting the unlock method by adding a PIN in addition to TPM.
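To find machines in the TPM-only configuration described above, here is an added example that is not from the article or from Microsoft. The function takes objects shaped like `Get-BitLockerVolume` output and returns the volumes that have a TPM protector without a PIN or startup key. The function names and the sample volumes are constructed for illustration.

```powershell
# Added example, not from the article or from Microsoft.
# Flags BitLocker volumes whose TPM protector has no PIN or startup key.
function Get-TpmOnlyVolume {
    param(
        # Objects shaped like Get-BitLockerVolume output.
        [Parameter(Mandatory)] [object[]] $Volume
    )
    # Protector types that add pre-boot authentication on top of the TPM.
    $preBootAuth = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    foreach ($v in $Volume) {
        # A volume that is not encrypted has no protection to bypass.
        if ("$($v.VolumeStatus)" -eq 'FullyDecrypted') { continue }
        # Normalise enum values (real cmdlet) and strings (sample) to strings.
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasPreBootAuth = @($types | Where-Object { $_ -in $preBootAuth }).Count -gt 0
        if (($types -contains 'Tpm') -and -not $hasPreBootAuth) {
            [pscustomobject]@{
                MountPoint       = $v.MountPoint
                ProtectionStatus = "$($v.ProtectionStatus)"
                Protectors       = $types -join ', '
            }
        }
    }
}

# Hypothetical helper: builds constructed sample volumes (assumption: the
# property names mirror those returned by Get-BitLockerVolume).
function New-SampleVolume($MountPoint, $Status, [string[]]$Types) {
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $Status
        ProtectionStatus = 'On'
        KeyProtector     = @($Types | ForEach-Object { [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}
$sample = @(
    New-SampleVolume 'C:' 'FullyEncrypted' 'Tpm', 'RecoveryPassword'     # TPM-only
    New-SampleVolume 'D:' 'FullyEncrypted' 'TpmPin', 'RecoveryPassword'  # TPM + PIN
)

# Run against the constructed sample.
Get-TpmOnlyVolume -Volume $sample

# On a real host, from an elevated prompt:
# Get-TpmOnlyVolume -Volume (Get-BitLockerVolume)
```

The volumes it returns are the candidates for the TPM plus PIN change mentioned above, which the BitLocker module exposes as `Add-BitLockerKeyProtector -TpmAndPinProtector`.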
CVE-2026-49160 a.k.a. HTTP/2 Bomb
The third zero-day is CVE-2026-49160, nicknamed HTTP/2 Bomb, and it is also already known. It can trigger a denial of service on web servers, whether Apache2, Nginx, or IIS, in less than a minute. For the record, this vulnerability was discovered by Quang Luong from Calif using the Codex AI.
As a result, Windows is also affected, and Microsoft had to integrate a patch into HTTP.sys through these new updates. Simply installing this new patch is enough to protect you from this vulnerability.
In addition, Microsoft introduced a new registry key: "Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests accepted by the HTTP server. For more information, see KB5102602".


