Microsoft Patches 200 Vulnerabilities in June 2026 Patch Tuesday, Including 3 Public Zero-Days
Microsoft has released its June 2026 Patch Tuesday updates, fixing 200 security vulnerabilities across Windows and other products, according to BleepingComputer. The release includes three publicly disclosed zero-day vulnerabilities, although Microsoft says none of them have been actively exploited in attacks.
The June update is one of the largest Patch Tuesday releases in recent months and addresses 33 Critical vulnerabilities. According to Microsoft’s breakdown, 28 of the Critical flaws are remote code execution vulnerabilities, four are elevation of privilege bugs, and one is an information disclosure issue.
Windows Collaborative Translation Framework Zero-Day
One of the publicly disclosed zero-days is CVE-2026-45586, an elevation of privilege vulnerability in the Windows Collaborative Translation Framework.
Microsoft says the flaw stems from improper link resolution before file access. A local authenticated attacker could exploit the issue to elevate privileges and obtain SYSTEM-level access on a vulnerable machine.
The company credited an anonymous researcher with reporting the vulnerability.
Security researchers believe CVE-2026-45586 may be the patch for the “GreenPlasma” zero-day that security researcher Nightmare Eclipse previously disclosed publicly.
BitLocker Security Feature Bypass Vulnerability
Microsoft also patched CVE-2026-50507, a Windows BitLocker security feature bypass vulnerability.
Details about exploitation remain limited. Microsoft credited an anonymous researcher with reporting the flaw. Security researchers speculate this vulnerability may correspond to the previously disclosed “YellowKey” bug, which Nightmare Eclipse claimed could bypass certain BitLocker protections.
The patch arrives shortly after Nightmare Eclipse published the proof-of-concept code for the RoguePlanet Microsoft Defender exploit, which recently attracted attention from security researchers and defenders.
HTTP/2 Bomb Denial of Service Vulnerability
The third publicly disclosed zero-day is CVE-2026-49160, an HTTP.sys denial of service vulnerability known as “HTTP/2 Bomb.”
According to Microsoft, the flaw results from uncontrolled resource consumption in HTTP/2 processing. An unauthenticated remote attacker could exploit the issue to cause denial of service conditions on affected systems.
The vulnerability was disclosed by researchers Quang Luong and Codex from offensive security firm Calif.
To help mitigate similar attacks, Microsoft introduced a new registry setting called MaxHeadersCount. The setting allows administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests, reducing exposure to excessive resource consumption attacks.
Additional Windows Updates
Alongside the security fixes, Microsoft also released several non-security cumulative updates.
Windows 11 users received KB5094126 and KB5093998, while Windows 10 systems enrolled in the Extended Security Updates program received KB5094127.
Organizations are encouraged to test and deploy the June updates as soon as possible, particularly given the number of critical remote code execution vulnerabilities addressed in this month’s release.