Microsoft has released its June 2026 Patch Tuesday security updates, fixing 200 vulnerabilities across Windows, Office, Azure, Hyper-V, Remote Desktop, Visual Studio Code, SharePoint, Exchange Server, and other products.

This month’s update includes patches for 33 critical vulnerabilities. Microsoft said 28 of them are remote code execution flaws, four are elevation of privilege issues, and one is an information disclosure vulnerability.

The update also fixes three publicly disclosed zero-day vulnerabilities. Microsoft said none of these flaws are currently known to have been exploited in attacks.

The full list of fixed bugs includes 65 elevation of privilege vulnerabilities, 55 remote code execution vulnerabilities, 30 information disclosure flaws, 27 spoofing vulnerabilities, 19 security feature bypass issues, and seven denial of service bugs.

One of the publicly disclosed zero-days is CVE-2026-45586, a Windows Collaborative Translation Framework vulnerability. Microsoft says the flaw is caused by improper link resolution before file access and could allow a local attacker to gain higher privileges on a vulnerable system.

The flaw is linked to a vulnerability known as GreenPlasma, which was publicly disclosed by security researcher Nightmare Eclipse. According to the report, the issue could be used to obtain a shell with SYSTEM permissions.

Microsoft also fixed CVE-2026-49160, an HTTP.sys denial of service vulnerability known as HTTP/2 Bomb. The flaw abuses the way HTTP/2 handles compressed web traffic headers, allowing attackers to send small amounts of data that force affected servers to consume much larger amounts of memory.

Researchers said the attack could cause affected servers to use excessive memory and potentially lead to performance problems or outages. To help reduce the risk, Microsoft introduced a new MaxHeadersCount registry setting that allows administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests.

The third publicly disclosed zero-day is CVE-2026-50507, a Windows BitLocker security feature bypass vulnerability. Microsoft said the flaw could allow a local attacker with physical access to bypass BitLocker protection and access an encrypted drive.

The issue is linked to a vulnerability called YellowKey. According to the report, it could be triggered by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment. The flaw mainly affects systems using TPM-only BitLocker protection on Windows 11 and Windows Server 2022 or 2025.

Microsoft had previously shared temporary mitigations for this issue, including using TPM with a PIN instead of relying only on TPM-based protection.
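To check which machines still rely on TPM-only protection, the PowerShell below classifies BitLocker operating system volumes by key protector type. It is an added example, not Microsoft's guidance or code from the report; the function name `Get-TpmOnlyVolume` and the sample objects are hypothetical, and it assumes input shaped like the output of `Get-BitLockerVolume`.

```powershell
# Added example: flag OS volumes whose BitLocker protectors include the bare
# 'Tpm' type, meaning the drive unlocks at boot with no PIN.
function Get-TpmOnlyVolume {
    param(
        [Parameter(Mandatory)]
        [object[]]$Volume   # objects shaped like Get-BitLockerVolume output
    )
    foreach ($v in $Volume) {
        # Only the operating system volume is unlocked by the TPM at boot.
        if ([string]$v.VolumeType -ne 'OperatingSystem') { continue }

        # Collect protector type names (Tpm, TpmPin, RecoveryPassword, ...).
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        if ($types -contains 'Tpm') {
            [pscustomobject]@{
                MountPoint = $v.MountPoint
                Protectors = $types -join ','
                Finding    = 'TPM-only protector present; no PIN required at boot'
            }
        }
    }
}

# Constructed sample input (not real hosts) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeType = 'OperatingSystem'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
    }
)
Get-TpmOnlyVolume -Volume $sample

# On a live system, from an elevated prompt:
# Get-TpmOnlyVolume -Volume (Get-BitLockerVolume)
```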

The June 2026 update also includes several critical remote code execution vulnerabilities affecting Microsoft Office, Remote Desktop Client, Windows Hyper-V, Windows Kerberos, Windows DHCP Client, Windows Deployment Services, Windows Kernel, Windows Media, and other components.

Office received multiple important and critical fixes, including remote code execution vulnerabilities in Microsoft Office, Word, Outlook, and Excel. SharePoint Server also received a large number of patches, mostly for spoofing issues, along with remote code execution fixes.

Remote Desktop Client was another major focus this month, with several critical remote code execution vulnerabilities fixed. Microsoft also patched critical flaws in Windows Hyper-V, HTTP.sys, Windows Kerberos, Windows Cryptographic Services, and Windows Graphics components.

Alongside Microsoft’s Patch Tuesday release, several other major vendors also issued security updates recently, including Adobe, Cisco, Fortinet, Google, Ivanti, SAP, Ubiquiti, and Veeam. Google also released Android security updates and patched a Chrome zero-day that had been exploited in attacks.


Microsoft users and administrators are advised to install the June 2026 security updates as soon as possible, especially on systems running Windows Server, Remote Desktop services, Microsoft Office, SharePoint, Exchange Server, and other business-critical products.
