Microsoft June 2026 Patch Tuesday fixes 206 flaws, including CVE-2026-49160 zero‑day

vulnerability · open · Jun 9, 2026 — Jun 10, 2026

Microsoft released its June 2026 Patch Tuesday update, addressing 206 security flaws across its products, among them three zero‑day vulnerabilities that were already known to attackers. The update is described in the company’s advisory and covers Windows, Azure components and related services.

The most discussed zero‑day is CVE-2026-49160, rated CVSS 7.5, which affects the HTTP/2 protocol stack in HTTP.sys and allows a remote denial of service through specially crafted requests. Another zero‑day, CVE-2026-45586, scores CVSS 7.8 and lies in the CTFMON component, letting a local attacker elevate privileges to SYSTEM. The third, CVE-2026-50507, has a CVSS of 6.8 and concerns a BitLocker bypass that could be exploited with physical access to a device.

Among the remaining flaws, CVE-2026-48567 is rated CVSS 10 and impacts Azure HorizonDB, while CVE-2026-47291 carries a CVSS of 9.8 and affects an unspecified Microsoft service. Several other critical issues sit above CVSS 9.0, including remote code execution flaws in Microsoft Office and Windows Hyper-V. All of these vulnerabilities now have patches available through the standard update channels.

Although no threat actors have been publicly linked to these zero‑days, the flaws were disclosed before patches existed, meaning they could have been used in the wild. The update marks a record number of flaws addressed in a single Microsoft Patch Tuesday, underlining the continued pressure on vendors to manage complex code bases. Security teams are advised to treat the update as urgent, especially for systems exposed to the internet.

Defenders should prioritize applying the patches via Windows Update, WSUS or Microsoft Endpoint Configuration Manager, beginning with any server that handles HTTP or HTTPS traffic to mitigate the HTTP/2 denial of service risk. Where immediate patching is not feasible, administrators can consider disabling HTTP/2 support as a temporary measure, though this may affect performance for legitimate clients. For BitLocker, ensure that recovery keys are stored securely and that physical access to machines is strictly controlled.
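
The temporary HTTP/2 opt-out mentioned above can be audited and applied with a short script; this is an added example, not part of Microsoft's advisory or the original briefing. It assumes the host honors the HTTP.sys registry values EnableHttp2Tls and EnableHttp2Cleartext (Windows 10 / Windows Server 2016 and later) and that it is run from an elevated session; the -Apply and -Revert switches are names chosen for this example.

```powershell
# Added example: report, apply or revert the temporary HTTP/2 opt-out for HTTP.sys.
# Assumption: the host honors the EnableHttp2Tls / EnableHttp2Cleartext DWORD
# values (Windows 10 / Windows Server 2016 and later). Run from an elevated session.
param(
    [switch]$Apply,   # write the opt-out values; without a switch the script only reports
    [switch]$Revert   # remove the values again once the update is installed
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$values = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    foreach ($name in $values) {
        # A missing value means HTTP.sys uses its default, which is HTTP/2 enabled.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value   = $name
            Data    = if ($null -eq $current) { '<not set>' } else { $current }
            Http2On = ($null -eq $current -or $current -ne 0)
        }
    }
}

if ($Apply -and $Revert) { throw 'Use either -Apply or -Revert, not both.' }

if ($Apply) {
    foreach ($name in $values) {
        # 0 disables HTTP/2 for TLS and cleartext listeners respectively.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}
elseif ($Revert) {
    foreach ($name in $values) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

Get-Http2State | Format-Table -AutoSize

if ($Apply -or $Revert) {
    Write-Warning 'Restart the server so HTTP.sys picks up the change.'
}
```

Run it without switches first to record the current state on each web-facing server, and use -Revert after the patch is installed so clients regain HTTP/2.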

Additionally, monitor network traffic for anomalous HTTP/2 frames or repeated authentication failures that might indicate exploit attempts. Verify that privileged accounts are protected with multi‑factor authentication and that least‑privilege principles are applied to reduce the impact of any potential privilege escalation. Maintaining an up‑to‑date asset inventory and testing patches in a staging environment before broad deployment will help avoid disruption while keeping systems protected.

Intelligence briefing updated Jun 10, 2026

CVE-2026-48567  10.0
CVE-2026-47291  9.8
CVE-2026-45586  7.8
CVE-2026-49160  7.5
CVE-2026-50507  6.8

Root source: msrc.microsoft.com