Microsoft June 2026 Patch Tuesday Addresses 200 Vulnerabilities, Including 3 Zero-Days
Severity: High (Score: 74.0)
Sources: msrc.microsoft.com, Bleepingcomputer, Myabt, Tenable, Isc.Sans.Edu
Keywords: microsoft, june, patch, tuesday, vulnerabilities, copilot, security
Severity indicators: vulnerabilities, ot
Summary
On June 9, 2026, Microsoft released its largest Patch Tuesday update to date, addressing roughly 200 vulnerabilities (the cited sources count between 198 and 204, depending on how each one tallies the advisories) and three publicly disclosed zero-days: CVE-2026-45586, an elevation of privilege vulnerability in the Windows Collaborative Translation Framework (ctfmon); CVE-2026-49160, a denial of service vulnerability in HTTP.sys; and CVE-2026-50507, a Windows BitLocker security feature bypass. Separately, on June 4 Microsoft disclosed CVE-2026-45497 and CVE-2026-48579 in Microsoft 365 Copilot and Exchange Online; both were fixed server-side before public notice and require no customer patch. The sources put the number of critical-rated fixes between 32 and 38, with a significant share of them remote code execution. Financial institutions that have rolled Microsoft 365 Copilot and Exchange Online into loan, underwriting and compliance workflows should still assess their exposure, because those services handle sensitive data even when no customer-side action is required for the patched flaws.
Key Points:
- Microsoft's June 2026 Patch Tuesday fixed roughly 200 vulnerabilities, including three publicly disclosed zero-days.
- CVE-2026-45586 (privilege escalation), CVE-2026-49160 (denial of service) and CVE-2026-50507 (BitLocker bypass) are the zero-days and should be patched first.
- Financial institutions using Microsoft 365 Copilot and Exchange Online must assess their exposure to CVE-2026-45497 and CVE-2026-48579 even though the fixes were applied server-side and no customer patch is needed.
Detailed Analysis
**Impact**
Microsoft customers worldwide across multiple sectors, including financial institutions using Microsoft 365 Copilot and Exchange Online, are affected by this update. The June 2026 Patch Tuesday addresses roughly 200 vulnerabilities (198 to 204 depending on the source, with 32 to 38 rated critical) and three publicly disclosed zero-days, impacting Windows clients and servers, the Remote Desktop Client, BitLocker and HTTP.sys. Data at risk includes BitLocker-encrypted drives, email, documents and sensitive financial workflows, with potential operational disruption from denial-of-service attacks and privilege escalation.

**Technical Details**
The three zero-days were publicly disclosed before the patch was available: CVE-2026-45586 (Windows Collaborative Translation Framework, ctfmon, elevation of privilege), CVE-2026-49160 (HTTP.sys denial of service via HTTP/2 header manipulation) and CVE-2026-50507 (Windows BitLocker security feature bypass). The attack vectors are, respectively, local privilege escalation, network-based denial of service and physical access to the device. Remote Desktop Client vulnerabilities allow remote code execution via a heap-based buffer overflow that is triggered when a user connects to an attacker-controlled RDP server, so the client side of an RDP session, not only the server, needs patching. The "HTTP/2 Bomb" denial of service abuses excessive header processing in HTTP.sys; alongside the fix, Microsoft introduced a MaxHeadersCount registry setting that caps the number of HTTP/2 and HTTP/3 request headers accepted by Windows client components (WinHTTP, WinINet) and server components (IIS).

**Recommended Response**
Apply all June 2026 Patch Tuesday updates immediately, prioritizing the three zero-days and the critical Remote Desktop Client flaws. Configure MaxHeadersCount on Windows clients and servers to limit HTTP/2 and HTTP/3 request headers; test the chosen limit against your own applications first, since a value below what legitimate clients send (many cookies or custom headers) will cause those requests to be rejected. CVE-2026-45497 and CVE-2026-48579 in Microsoft 365 Copilot and Exchange Online were remediated server-side with no customer patch required, but review tenant audit logs for unusual access or command injection attempts in Copilot and Exchange Online around the disclosure window. No specific IOCs were provided; focus on patching and configuration hardening.
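The following PowerShell script is an added example of the two response steps above (confirm the update is present, then audit and set MaxHeadersCount); it is not code from the page, from Microsoft or from any of the cited sources. The page does not give the KB number of the June 2026 cumulative update, the registry location of MaxHeadersCount or a recommended value, so all three are parameters: the KB must be supplied, the registry path defaults to the HTTP.sys parameters key used for other HTTP.sys limits (an assumption; take the authoritative path from the Microsoft support article), and the limit value is a placeholder.

```powershell
# Added example, not from the page or from Microsoft.
# Assumptions (verify against the Microsoft support article before use):
#  - $HttpParamsKey: MaxHeadersCount is assumed to live under the HTTP.sys
#    parameters key; the support article is authoritative if it names a
#    different key or separate client/server keys.
#  - $RequiredKB: the June 2026 cumulative update KB is not on the page; pass it in.
#  - $MaxHeadersCount: 64 is a placeholder, not a Microsoft recommendation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$RequiredKB,   # e.g. the KB from the MSRC advisory
    [int]$MaxHeadersCount = 64,                  # placeholder value
    [string]$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'  # assumed path
)

# 1. Confirm the update is installed; the new setting is only meaningful on a patched host.
$hotfix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning "$RequiredKB is not installed; install the June 2026 update before relying on MaxHeadersCount."
} else {
    Write-Host "$RequiredKB installed on $($hotfix.InstalledOn)"
}

# 2. Audit the current value. A missing key or value means the platform default is in effect.
if (-not (Test-Path $HttpParamsKey)) {
    Write-Warning "Registry key $HttpParamsKey not found; HTTP.sys may not be present on this host."
    return
}
$current = (Get-ItemProperty -Path $HttpParamsKey -Name MaxHeadersCount -ErrorAction SilentlyContinue).MaxHeadersCount
if ($null -eq $current) {
    Write-Host "MaxHeadersCount is not set (platform default applies)"
} else {
    Write-Host "MaxHeadersCount is currently $current"
}

# 3. Set the limit. ShouldProcess makes -WhatIf work, so the change can be previewed
#    under change control before it is applied to production web servers.
if ($current -ne $MaxHeadersCount -and
    $PSCmdlet.ShouldProcess($HttpParamsKey, "Set MaxHeadersCount = $MaxHeadersCount")) {
    New-ItemProperty -Path $HttpParamsKey -Name MaxHeadersCount -PropertyType DWord `
        -Value $MaxHeadersCount -Force | Out-Null
    Write-Host "MaxHeadersCount set to $MaxHeadersCount. HTTP.sys reads its parameters at service start," `
               "so restart the HTTP service (or reboot) for the limit to take effect."
}
```

Run it first with `-WhatIf` on a representative IIS host, then compare the rejected-request rate in IIS logs before and after the change; if legitimate clients start failing, the placeholder limit is too low for your applications.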
Source articles (10)
- Microsoft 365 Copilot RCE: June 2026 Bank Security Guide — Myabt · 2026-06-08
  Microsoft 365 Copilot now sits inside the daily workflow of loan officers, underwriters, and compliance teams at the institutions that rolled it out over the past year. So when Microsoft disclosed a r…
- Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs (CVE-2026-49160, CVE-2026-50507) — Tenable · 2026-06-09
  Microsoft addresses 198 CVEs in the largest Patch Tuesday release, including three zero-days. Microsoft patched 198 CVEs in its June 2026 Patch Tuesday release, with 32 rated critical and 166 rated as…
- Microsoft Patch Tuesday June 2026 – 198 Vulnerabilities Fixed, Including 3 Zero — Cybersecuritynews · 2026-06-09
  Microsoft has released its June 2026 Patch Tuesday security updates, addressing a hefty 198 vulnerabilities across its product ecosystem. The June rollout, published on June 9, 2026, stands out not on…
- Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th) — Isc.Sans.Edu · 2026-06-09
  Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft c…
- Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws — Bleepingcomputer · 2026-06-09
  Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities. This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28…
- Control the maximum number of HTTP/2 and HTTP/3 request headers in Windows clients and servers — support.microsoft.com · 2026-06-09
  HTTP headers are name-value pairs included in HTTP requests and responses. In Windows environments, client components such as WinHTTP and WinINet, and server components such as IIS, use headers to exc…
- CVE-2026-45586 - Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability — msrc.microsoft.com · 2026-06-09
- CVE-2026-49160 - HTTP.sys Denial of Service Vulnerability — msrc.microsoft.com · 2026-06-09
- CVE-2026-50507 — msrc.microsoft.com · 2026-06-09
- CVE-2026-49160 — msrc.microsoft.com · 2026-06-09
Timeline
- 2026-04-14 — CVE-2026-33825 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-19 — CVE-2026-45585 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-05-20 — CVE-2026-41091 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-04 — CVE-2026-45497 and CVE-2026-48579 disclosed: Microsoft disclosed two vulnerabilities in Microsoft 365 Copilot and Exchange Online, both fixed before public notice.
- 2026-06-04 — CVE-2026-48567 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-09 — Microsoft June 2026 Patch Tuesday released: Microsoft addressed roughly 200 vulnerabilities (198 to 204 depending on the source), including three publicly disclosed zero-days, in its largest Patch Tuesday to date.
- 2026-06-09 — CVE-2026-45586, CVE-2026-49160 and CVE-2026-50507 patched: Microsoft patched the three publicly disclosed zero-days in Windows CTFMON (elevation of privilege), HTTP.sys (denial of service) and BitLocker (security feature bypass).
- 2026-06-09 — MaxHeadersCount registry setting introduced: Microsoft introduced a registry setting to limit HTTP/2 and HTTP/3 request headers to mitigate denial-of-service attacks.
- 2026-06-09 — CVE-2026-42985 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-06-09 — CVE-2026-8863 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
- CVE-2025-10263
- CVE-2026-33825
- CVE-2026-41091
- CVE-2026-42909
- CVE-2026-42913
- CVE-2026-42985
- CVE-2026-42992
- CVE-2026-42993
- CVE-2026-44799
- CVE-2026-44801
- CVE-2026-45497
- CVE-2026-45585
- CVE-2026-45586
- CVE-2026-45648
- CVE-2026-47289
- CVE-2026-47291
- CVE-2026-47653
- CVE-2026-47654
- CVE-2026-48563
- CVE-2026-48567
- CVE-2026-48579
- CVE-2026-49160
- CVE-2026-50507
- CVE-2026-8863
Related entities
- Chaotic Eclipse (Apt Group)
- Nightmare Eclipse (Apt Group)
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- Zero-day Exploit (Attack Type)
- Microsoft (Company)
- Outlook (Company)
- CWE-120 - Classic Buffer Overflow (Cwe)
- CWE-122 - Heap-based Buffer Overflow (Cwe)
- CWE-190 - Integer Overflow or Wraparound (Cwe)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-78 - OS Command Injection (Cwe)
- calif.io (Domain)
- here.as (Domain)
- sans.edu (Domain)
- Financial (Industry)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- Active Directory Domain Services (Platform)
- Azure HorizonDB (Platform)
- BitLocker (Platform)
- Chromium (Platform)
- Ctfmon (Platform)
- Edge (Platform)
- Exchange Online (Platform)
- HTTP/2 (Platform)
- HTTP/3 (Platform)
- HTTP.sys (Platform)
- IIS (Platform)
- Microsoft 365 Copilot (Platform)
- Microsoft Edge (Platform)
- Microsoft Entra ID (Platform)
- Microsoft Graph (Platform)
- Microsoft Office (Platform)
- TPM (Platform)
- Windows (Platform)
- Windows 11 (Platform)
- Windows Server 2022 (Platform)
- Windows Server 2025 (Platform)
- WinRE (Platform)
- Word (Platform)
- Bitskrieg (Vulnerability)
- BlueHammer (Vulnerability)
- GreenPlasma (Vulnerability)
- HTTP/2 Bomb (Vulnerability)
- HTTP.sys Denial Of Service Vulnerability (Vulnerability)
- MiniPlasma (Vulnerability)
- RedSun (Vulnerability)
- UnDefend (Vulnerability)
- Windows BitLocker Security Feature Bypass Vulnerability (Vulnerability)
- Windows Collaborative Translation Framework (ctfmon) Elevation Of Privilege Vulnerability (Vulnerability)
- YellowKey (Vulnerability)
- YellowKey Vulnerability (Vulnerability)