Microsoft June 2026 Patch Tuesday: 3 publicly disclosed zero-days
Microsoft's June 9 Patch Tuesday fixes around 200 CVEs and 33 Critical flaws, including publicly disclosed zero-days in BitLocker, HTTP.sys (HTTP/2 Bomb) and CTFMON.
Microsoft shipped its June 9, 2026 security update on Patch Tuesday — the largest single release in the programme's history at roughly 200 CVEs, with 33 rated Critical (28 of them remote code execution). Three of the fixes close publicly disclosed zero-days: CVE-2026-50507 (BitLocker security feature bypass), CVE-2026-49160 (HTTP.sys denial of service — the IIS-side variant of the HTTP/2 Bomb technique published last week), and CVE-2026-45586 (CTFMON elevation of privilege to SYSTEM). The primary source is the MSRC Security Update Guide; independent roundups at Tenable (count: 198), BleepingComputer, and Help Net Security corroborate the zero-day list. Counts vary across outlets — Tenable totals 198; BleepingComputer and most secondaries round to 200 — because some sources fold in republished Chromium and Edge advisories.
The three publicly disclosed zero-days
None of the three are flagged as exploited in the wild in Microsoft's advisories. All three were disclosed to Microsoft (or independently published) before the patch shipped — that's what "publicly disclosed" means under Microsoft's taxonomy. Treat them as patch-now anyway: public disclosure is the trigger for opportunistic weaponisation.
- CVE-2026-50507 — Windows BitLocker security feature bypass. A local attacker with physical access can boot a target into Windows Recovery Environment (WinRE) and use specially crafted files on a USB drive or EFI partition to read data off a BitLocker-encrypted volume. Hits laptops, lost-and-found assets, and any device where the threat model presumes pre-boot encryption is the last line of defence.
- CVE-2026-49160 — HTTP.sys DoS via crafted HTTP/2 frames. This is Microsoft's fix for the HTTP/2 Bomb class of bug we covered last week — see our prior write-up on the nginx/Apache variant CVE-2026-49975. The Microsoft-side variant lets an unauthenticated remote attacker exhaust server memory against IIS and any service riding HTTP.sys. At original disclosure on June 2, Microsoft was listed as unpatched; the June 9 update closes that gap.
- CVE-2026-45586 — Windows CTFMON elevation of privilege. CTFMON is the Collaborative Translation Framework process that handles input-method, handwriting and speech. Improper link resolution before file access lets a local user escalate to SYSTEM. Standard local-priv-esc shape; it lands in offensive tooling within days of any Patch Tuesday with this profile.
Critical surface beyond the zero-days
Microsoft's count of 33 Critical vulnerabilities is unusually high for a single month — 28 are remote code execution, four are elevation of privilege, one is information disclosure. The bulk of the RCEs sit in surfaces that defenders should already be treating as Tier-0:
- Windows Kernel — at least one critical use-after-free reachable via specially crafted network traffic.
- Hyper-V — guest-to-host RCE class flaws, the kind of patch you ship to virtualisation hosts before workstations.
- Remote Desktop Services — multiple RCE fixes, including an unauthenticated path.
- Microsoft Office — preview-pane RCE chain (the recurring "open the email and it triggers" class).
The June set also overlaps with Adobe's June 2026 Security Bulletin, shipped the same Tuesday — coordinate prioritisation if you operate Acrobat or Experience Manager alongside Windows.
Action checklist
- Push the June 2026 cumulative update on Tier-0 first. Hyper-V hosts, RDS gateways, Exchange, internet-exposed IIS — patch within the next business day. Hyper-V and RDS critical-RCE classes warrant the emergency-change track, not the next maintenance window.
- Patch IIS / HTTP.sys hosts for CVE-2026-49160 explicitly. If you cannot patch immediately, disable HTTP/2 at the IIS edge (disableHttp2 site binding) or front the listener with a patched nginx 1.29.8. The PoC pattern from the original HTTP/2 Bomb disclosure works against the unpatched Microsoft stack.
- Validate WinRE boot media controls for CVE-2026-50507. Confirm BitLocker recovery key custody, enforce secure boot + TPM PIN on laptops where the threat model includes physical loss, and consider re-imaging fleet hot spares whose recovery partitions were last touched before June 10.
- Inventory CTFMON exposure. CVE-2026-45586 is local priv-esc, so the question is: which user-facing endpoints in your estate are still running unpatched Windows? Multi-user terminal servers and shared workstations are the highest blast radius.
- Re-run your authenticated vulnerability scan against the affected version manifest. The Tenable, Qualys and Rapid7 plugin sets are available for the June release; expect the false-negative rate to drop sharply once those scanners pick up the updated KB-to-CVE map.
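The interim HTTP/2 disable for the CVE-2026-49160 item above, as an added PowerShell example that is not from this post or from Microsoft. It assumes the host is IIS on HTTP.sys and uses the HTTP.sys-wide EnableHttp2Tls / EnableHttp2Cleartext registry switches rather than the per-site binding flag, so the change covers every HTTP.sys listener on the box, not just one site.

```powershell
# Added example (not from the post): interim mitigation for CVE-2026-49160 on hosts that
# cannot take the June update yet. Turns HTTP/2 off in HTTP.sys, the kernel listener that
# IIS and other HTTP.sys-based services share, then reports the resulting state.
# Requires an elevated session; HTTP.sys reads these values at start, so reboot afterwards.
#Requires -RunAsAdministrator

$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-Http2State {
    # Absent value = HTTP/2 enabled by default; 0 = disabled; anything else = enabled.
    $p = Get-ItemProperty -Path $httpParams -ErrorAction SilentlyContinue
    $describe = {
        param($v)
        if ($null -eq $v) { 'enabled (default)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
    }
    [pscustomobject]@{
        Http2OverTls   = & $describe $p.EnableHttp2Tls
        Http2Cleartext = & $describe $p.EnableHttp2Cleartext
    }
}

function Disable-Http2InHttpSys {
    # Write a DWORD 0 for both the TLS and cleartext listeners; -Force overwrites an existing value.
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Write-Host 'HTTP.sys HTTP/2 state before:'
Get-Http2State | Format-List

Disable-Http2InHttpSys

Write-Host 'HTTP.sys HTTP/2 state after (effective on next reboot):'
Get-Http2State | Format-List

# Show which IIS sites ride this listener, so the change log records what the mitigation covers.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-Website | Select-Object Name, State,
        @{ n = 'Bindings'; e = { ($_.bindings.Collection | ForEach-Object bindingInformation) -join '; ' } }
}
```

Revert by deleting the two values (or setting them to 1) and rebooting once the June update is on the host; leaving HTTP/2 off after patching trades away a performance feature for no further security gain.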
Context
This is the third consecutive Patch Tuesday with a record-breaking CVE count, and the second in two months to ship a critical Kernel use-after-free reachable from the network. The trendline is consistent across the industry: monthly Microsoft releases of 100–150 CVEs were normal in 2023–24, 150–200 became normal in 2025, and 200+ is now the new ceiling. Defenders who size patch-cycle headcount against 2023 volumes are now structurally behind.
The HTTP/2 Bomb strand is also worth noting in its own right. The original Apache and nginx variants — CVE-2026-49975 and the nginx 1.29.8 fix — landed on June 2. Microsoft, Envoy and Cloudflare Pingora were listed as unpatched then. Microsoft is now in; Envoy and Pingora are still outstanding as of this post. If your edge runs either, the seven-day window between Calif's public PoC and the Microsoft fix should be the upper bound on how long you wait — Envoy at minimum needs a temporary HTTP/2 disable or a WAF rule capping per-connection header state.