Microsoft June 2026 Patch Tuesday fixes 6 zero-days, 200 flaws

Summary
– Microsoft’s June 2026 Patch Tuesday fixed 200 flaws, including 33 critical vulnerabilities and six zero-days, five publicly disclosed and one actively exploited.
– The actively exploited zero-day, CVE-2026-42897, is a Microsoft Exchange Server spoofing vulnerability that can execute JavaScript in a target’s browser via a crafted email.
– Two publicly disclosed zero-days fixed were the “GreenPlasma” (CVE-2026-45586) and “Mini-Plasma” (CVE-2020-17103) elevation of privilege flaws, which grant SYSTEM privileges locally.
– Two other publicly disclosed zero-days were BitLocker security feature bypass flaws: “YellowKey” (CVE-2026-45585) and the “bitskrieg” vulnerability (CVE-2026-50507), both allowing local attackers to access encrypted drives.
– The patch also addressed a publicly disclosed HTTP/2 denial-of-service flaw (CVE-2026-49160), called “HTTP/2 Bomb,” which can cause memory exhaustion on servers.
Microsoft’s June 2026 Patch Tuesday is now live, bringing a massive wave of security fixes that address 200 vulnerabilities, including six zero-day flaws, five of which were publicly disclosed and one already under active exploitation. This release marks one of the busiest Patch Tuesdays in recent memory, with 33 bugs classified as Critical, primarily involving remote code execution, alongside dozens of bugs rated at lower severities.
Among the 200 vulnerabilities patched today, the breakdown spans multiple categories: 65 Elevation of Privilege issues, 55 Remote Code Execution flaws, 30 Information Disclosure bugs, 27 Spoofing vulnerabilities, 19 Security Feature Bypass issues, and 7 Denial of Service vulnerabilities. Notably, these counts only include flaws released by Microsoft today, excluding earlier fixes for products like Mariner, Azure HorizonDB, and various Copilot services. Additionally, 360 Chromium-based Edge flaws fixed by Google this month are not part of this roundup.
For users on Windows 11, the KB5094126 and KB5093998 cumulative updates are available, while Windows 10 users can find the KB5094127 extended security update.
This month’s zero-day fixes are particularly noteworthy. The CVE-2026-45586 vulnerability in the Windows Collaborative Translation Framework (CTFMON) allows an attacker to gain SYSTEM privileges via improper link resolution. Known as the “GreenPlasma” flaw, it was disclosed by researcher Nightmare Eclipse as part of a broader protest against Microsoft’s bug bounty policies. Similarly, CVE-2026-45585, the “YellowKey” BitLocker bypass, lets local attackers access encrypted drives by booting into the Windows Recovery Environment with a specially crafted USB drive.
Another critical fix addresses CVE-2026-49160, an HTTP/2 denial-of-service flaw dubbed “HTTP/2 Bomb,” disclosed by researchers at Calif.io. This attack exploits HTTP/2 header compression to force servers into disproportionate memory consumption. Microsoft has introduced a new MaxHeadersCount registry setting to help mitigate this issue.
The month’s two BitLocker bypasses were also patched: CVE-2026-50507, believed to fix the “bitskrieg” vulnerability disclosed by security expert Jonas Lykkegaard, and CVE-2026-45585, which addresses the YellowKey flaw. The bitskrieg fix may cause some devices to display an error about missing BitLocker keys, but a simple WinRE toggle can resolve it.
The CVE-2020-17103 “Mini-Plasma” elevation of privilege vulnerability, originally reported by Google Project Zero researcher James Forshaw in 2020, has also been fully addressed. This flaw was thought to be fixed years ago but remained exploitable until now.
On the actively exploited front, CVE-2026-42897 is a Microsoft Exchange Server spoofing vulnerability that can execute JavaScript in a victim’s browser when they open a specially crafted email in Outlook Web Access. Microsoft is still working on a full update but has deployed mitigations through the Exchange Emergency Mitigation Service.
Beyond Microsoft, other vendors have also released updates this month, including Adobe, Apple, Cisco, and Google. For a complete list of all resolved vulnerabilities, including detailed descriptions and affected systems, refer to the full report.
(Source: BleepingComputer)