Microsoft Releases June 2026 Patch Tuesday Updates

Microsoft released its June 2026 Patch Tuesday updates to address approximately 200 vulnerabilities across its products. The update included patches for three publicly disclosed zero-day vulnerabilities.

None of the vulnerabilities in the June 2026 Patch Tuesday were reported as exploited in the wild prior to their patching. The company assigned an 'exploitation more likely' rating to each of the three publicly disclosed zero-day vulnerabilities.

One of the zero-day vulnerabilities, CVE-2026-49160, is a Windows HTTP.sys denial-of-service vulnerability. This issue relates to HTTP/2 protocol header compression, and its attack technique requires web servers to allocate memory resources when processing compressed headers. Researchers at the security firm Calif publicly disclosed CVE-2026-49160 to the company. The company introduced a new MaxHeadersCount registry setting and published a support bulletin to mitigate this vulnerability.

Another zero-day vulnerability, CVE-2026-50507, is a Windows BitLocker security bypass. This bypass allows attackers with physical access to retrieve encrypted data. This vulnerability may be connected to the YellowKey exploit, which was released by an online researcher operating under the aliases Chaotic Eclipse and Nightmare Eclipse. The researcher known as Chaotic Eclipse began leaking proof-of-concept code following a disagreement with the company.

CVE-2026-45586 represents a Windows Collaborative Translation Framework vulnerability. This vulnerability allows local privilege escalation to a SYSTEM level. An anonymous researcher reported CVE-2026-45586 to the company.

The company classified 33 of the patched vulnerabilities as critical severity. These critical vulnerabilities address remote code execution, privilege escalation, elevation of privilege, spoofing, information disclosure, security feature bypass, and denial-of-service issues. The company also published advisories for 360 vulnerabilities affecting third-party components present in its software.

No independent assessment was available for this report.