Microsoft patches 206 vulnerabilities, three public zero-days

Microsoft released patches for 206 vulnerabilities, including three publicly disclosed zero-days and several critical remote-code-execution flaws such as CVE-2026-45657.

Microsoft released its June 2026 Patch Tuesday updates on Tuesday, fixing 206 vulnerabilities across Windows and other products. Of the issues, 39 were rated Critical and 167 were rated Important. The package includes three publicly disclosed zero-day flaws and two CVEs that did not originate with Microsoft: a Windows Kernel privilege escalation (CVE-2025-10263) and a UEFI Secure Boot bypass (CVE-2026-8863). Microsoft also incorporated more than 350 Chromium fixes used in its Edge browser.

The most severe item is CVE-2026-45657, a Windows Kernel use-after-free vulnerability assigned a CVSS score of 9.8. Microsoft described a scenario in which specially crafted network packets trigger a flaw in how the kernel processes certain TCP/IP data, potentially allowing remote code execution with system-level privileges without user interaction. Two other network-facing bugs also scored 9.8: CVE-2026-47291, an integer overflow in HTTP.sys, and CVE-2026-44815, a stack-based buffer overflow in the Windows DHCP Client. Alex Vovk, CEO and co-founder of Action1, warned that “This flaw needs no credentials or user action and can turn network traffic into a full system compromise,” urging that systems handling DHCP traffic be prioritized for patching.

Microsoft addressed several BitLocker bypasses, including CVE-2026-45585, for which a proof-of-concept called YellowKey was published last month, plus CVE-2026-45655, CVE-2026-45658 and CVE-2026-50507. Microsoft advised that an attacker with physical access could exploit these issues to gain access to encrypted storage. Security researcher Will Dormann assessed CVE-2026-50507 as a fix for a bypass known as bitskrieg that can grant full access to encrypted data.

Three publicly disclosed zero-days are included in the release: CVE-2026-45586, a privilege escalation in the Collaborative Translation Framework; CVE-2026-49160, an HTTP.sys denial-of-service vulnerability tied to an HTTP/2 Bomb technique; and CVE-2026-50507. Tests showed an IIS server exhausting 64 GB of RAM in about 45 seconds under the HTTP/2 attack. To limit excessive memory and CPU use, Microsoft added a new MaxHeadersCount registry setting that caps the number of headers in HTTP/2 and HTTP/3 requests.
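For administrators who want to confirm that the new header cap is actually present on an IIS host, the following PowerShell script is an added example (not from the article, and not Microsoft's own tooling). It assumes that MaxHeadersCount is stored as a DWORD under the standard HTTP.sys parameters key, HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; that location, the accepted value range and the cap value itself are assumptions to be checked against Microsoft's advisory for CVE-2026-49160 before use.

```powershell
# Added example (not from the article or Microsoft): audit and optionally set the
# HTTP.sys MaxHeadersCount value the June 2026 release introduced.
# ASSUMPTION: the value lives under the standard HTTP.sys parameters key below;
# confirm the exact key, value range and recommended cap against Microsoft's advisory.
$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName     = 'MaxHeadersCount'

function Get-HttpSysHeaderCap {
    # Returns the configured cap, or $null when the value is not set
    # (in which case the HTTP.sys built-in limit applies).
    param([string]$Key = $HttpParamsKey, [string]$Name = $ValueName)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-HttpSysHeaderCap {
    # Writes the cap as a REG_DWORD. HTTP.sys reads its parameters when the
    # HTTP service starts, so the change applies only after that service
    # (and IIS, which depends on it) is restarted.
    # ASSUMPTION: the 1..65535 range is a sanity bound, not Microsoft's documented range.
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Cap,
        [string]$Key = $HttpParamsKey,
        [string]$Name = $ValueName
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Cap -Force | Out-Null
}

# Audit: report the current state on this host.
$current = Get-HttpSysHeaderCap
if ($null -eq $current) {
    Write-Output "$ValueName is not set; the HTTP.sys built-in header limit applies."
} else {
    Write-Output "$ValueName is set to $current."
}

# Example change (left commented out): pick a cap that fits the site's legitimate
# traffic, then restart HTTP.sys and IIS so the new value is read.
# Set-HttpSysHeaderCap -Cap 100
# net stop http /y
# net start w3svc
```

Run the audit part across IIS hosts from a management station first; only hosts where the value is missing after the June update has been installed need the set step, and the cap should be sized from observed header counts in normal traffic rather than chosen arbitrarily.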

Researcher Chaotic Eclipse published proof-of-concept exploits tied to several of the patched issues. The researcher released PoCs under names including GreenPlasma and MiniPlasma, the latter described as exploiting an incomplete fix for CVE-2020-17103. Chaotic Eclipse also published a PoC called RoguePlanet for a Microsoft Defender race-condition bug that can spawn a SYSTEM-level command prompt.

Security firms attributed the increase in reported vulnerabilities to AI-assisted discovery techniques. Satnam Narang of Tenable noted that more advanced AI models are likely increasing the number of reported flaws. Dustin Childs of Trend Micro’s Zero Day Initiative described the volume as extraordinary and questioned whether the rapid pace of disclosures could affect the quality of testing and patches.

Microsoft recommended that organizations install the June updates promptly, especially on systems exposed to network traffic, DHCP services or devices that store encrypted data. The company continues to publish advisories, mitigation guidance and registry settings alongside the patches.