Microsoft June 2026 Patch Tuesday Turns CVEs Into Triage

Microsoft June 2026 Patch Tuesday landed as a record-scale security drop, with public bugs, split CVE counts, and AI now part of disclosure pressure.


Microsoft June 2026 Patch Tuesday is a record-scale security drop, but the headline count depends on the counting rule. Public tallies from BleepingComputer, Windows 11 Forum and Absolute Security use different scopes, yet all of them point back to the same June security release.

The work for security teams starts with that split. The release contains publicly disclosed flaws in Windows components, a high-scoring HTTP.sys remote code execution issue flagged by Absolute, and a public argument that AI is speeding the rate at which defects are found and shipped into monthly patch cycles.

The Count Split Starts at Scope

BleepingComputer limited its Patch Tuesday tally to security updates released by Microsoft on June 9. It said that count excluded flaws in Mariner, Azure HorizonDB, Copilot lines, Microsoft Exchange Online and Microsoft Graph that Microsoft fixed earlier in the month.

That is why the number changes when the scope changes. SecurityWeek described the Microsoft total as roughly 200 vulnerabilities, Windows 11 Forum listed a Microsoft CVE count from the release, and Absolute Security used a broader fixes count.

  • 200 flaws: BleepingComputer’s count for security updates released by Microsoft on June 9.
  • 206 Microsoft CVEs: Windows 11 Forum’s list for the June release.
  • 211 fixes: Absolute Security’s count for the June drop.
  • 360 Edge and Chromium flaws: BleepingComputer said these were excluded from its Patch Tuesday roundup.

ComputerWeekly said the release blasted past a previous record high of almost 170 common vulnerabilities and exposures set in October 2025. Absolute called June 2026 Patch Tuesday the largest ever.

Zero Days Arrived Without Known Exploitation

BleepingComputer and SecurityWeek both said the publicly disclosed bugs were not known to have been exploited in attacks at the time of publication. SecurityWeek also said Microsoft assigned all three public issues an Exploitation More Likely assessment, which is Microsoft's own estimate of whether a working exploit is likely to appear, not a statement that one exists.

The three public vulnerabilities sit in different parts of the Windows estate. One is a local privilege issue, one is an HTTP.sys denial-of-service flaw, and one is a BitLocker security feature bypass.

The three publicly disclosed items, as reported:

  • CTFMON privilege escalation advisory. Component: Windows Collaborative Translation Framework. Reported issue: elevation of privilege that BleepingComputer said can grant SYSTEM privileges. Known status: publicly disclosed, not known exploited.
  • HTTP.sys denial-of-service advisory. Component: HTTP.sys. Reported issue: HTTP/2 denial of service, tied by BleepingComputer to HTTP/2 Bomb. Known status: publicly disclosed, not known exploited.
  • BitLocker security bypass advisory (CVE-2026-50507). Component: Windows BitLocker. Reported issue: security feature bypass that can allow access to encrypted data with physical access. Known status: publicly disclosed, not known exploited.

The zero-day label in this release is a disclosure label, not an exploitation label. Microsoft Learn defines a zero-day vulnerability as a software flaw for which no official patch or security update is yet available, and the label falls away once a patch ships; these three bugs earned it by being public before June 9, not by being attacked.

BleepingComputer said Microsoft credited CVE-2026-45586 to an anonymous researcher. It also reported that the flaw is a fix for GreenPlasma, a vulnerability it tied to the researcher known as Nightmare Eclipse.

HTTP.sys Got a New Registry Lever

The HTTP.sys denial-of-service item came with an extra administrative control. BleepingComputer reported that Microsoft introduced a registry setting to limit the number of headers accepted in HTTP/2 and HTTP/3 requests.

Microsoft’s MaxHeadersCount registry guidance says administrators can use MaxHeadersCount after installing a Windows update released on or after June 9, 2026; on an unpatched host the value has no effect. The same guidance says limiting HTTP headers can help protect systems and servers from excessive memory use, high CPU consumption and denial-of-service attacks. Because a cap refuses requests that exceed it, the number should be chosen against what the hosted applications' clients actually send rather than set as low as possible.
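The following PowerShell script is an added example for this article, not a script from Microsoft or from any of the sources cited here. It audits a host before touching the new control: whether HTTP.sys is loaded, which services depend on it, what the most recent installed update is, and what MaxHeadersCount is currently set to; with -Apply (and -WhatIf if you want a dry run) it writes the value. Three things in it are assumptions the page does not state and that must be confirmed against Microsoft's MaxHeadersCount guidance: that the value lives under the standard HTTP.sys Parameters key, that it is a REG_DWORD, and that HTTP.sys only reads it when the driver (re)starts. The default limit of 100 is a placeholder, not Microsoft's recommendation.

```powershell
#Requires -RunAsAdministrator
<#
Added example (not Microsoft's published guidance). Audits and, with -Apply, sets
MaxHeadersCount for HTTP.sys. ASSUMED and to be checked against Microsoft's
MaxHeadersCount guidance: the registry key, the REG_DWORD type, and that the
driver reads the value only at start.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed placeholder; take the real number from Microsoft's guidance and your workloads.
    [int]$Limit = 100,
    [switch]$Apply
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'   # assumed location
$valueName = 'MaxHeadersCount'

# 1. Is HTTP.sys loaded here? It is a kernel driver, so query Win32_SystemDriver.
$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
if (-not $driver) { Write-Warning 'HTTP.sys is not present on this host; nothing to do.'; return }
Write-Host ("HTTP.sys state: {0} (start mode {1})" -f $driver.State, $driver.StartMode)

# 2. What rides on HTTP.sys? IIS, WinRM, WSUS and others register listeners with it,
#    and they are the workloads that inherit the new header cap.
Write-Host 'Services that depend on HTTP:'
sc.exe enumdepend http | Where-Object { $_ -match '^\s*SERVICE_NAME:' }

# 3. The control only exists after the June 9, 2026 (or later) Windows update, so show
#    the newest installed update before trusting the setting to do anything.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    Write-Host ("Most recent update: {0}, installed {1:yyyy-MM-dd}" -f $latest.HotFixID, $latest.InstalledOn)
}

# 4. Current value; absent means the HTTP.sys default applies.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { Write-Host "$valueName is not set (HTTP.sys default applies)" }
else                    { Write-Host "$valueName = $current" }

# 5. Write only when asked, honouring -WhatIf / -Confirm.
if ($Apply -and $PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set REG_DWORD to $Limit")) {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $Limit -Force | Out-Null
    # Assumption: HTTP.sys reads its Parameters key at driver start.
    Write-Warning 'Restart the HTTP driver (net stop http /y; net start http) and its dependent services for the cap to take effect.'
}
```

Run it without -Apply first on a representative IIS or WinRM host; the dependency list from step 2 is the set of services that will be interrupted by the restart in step 5, which is why the write is gated behind ShouldProcess rather than done on every run.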

The AI Explanation Cuts Both Ways

ComputerWeekly put the patch volume into an AI frame. Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative, said June’s drop was a warning that AI is speeding flaw discovery at an uncontrollable scale.

We are in the Patch Apocalypse. The Patch Apocalypse is now.

That was Chris Goettl, vice president of security product management at Ivanti, speaking to ComputerWeekly. He also said the new generation of large language models had accelerated significantly in the first half of 2026.

ComputerWeekly reported Goettl’s view that suppliers such as Oracle, Google Chrome and Mozilla have acknowledged the need to use AI tools in security research. Absolute also wrote that AI and developer tooling are becoming operational infrastructure because they interact with enterprise data, source code, cloud services, user identities and automation workflows.

The AI claim does not turn every published bug into an active intrusion. The reports cited in this article put the public Windows issues in the publicly disclosed bucket, not the known exploited bucket, and that distinction is what should drive the first patch wave.

Remote Code and Privilege Bugs Fill the Queue

BleepingComputer’s category breakdown gives patch teams the shape of the batch without requiring every CVE to be read first. Its count placed elevation of privilege and remote code execution at the top of the release.

  • 65 elevation of privilege vulnerabilities
  • 55 remote code execution vulnerabilities
  • 30 information disclosure vulnerabilities
  • 27 spoofing vulnerabilities
  • 19 security feature bypass vulnerabilities
  • 7 denial-of-service vulnerabilities

Absolute counted 54 remote code execution vulnerabilities and 66 elevation of privilege vulnerabilities. It singled out CVE-2026-47291, an HTTP.sys remote code execution vulnerability rated Critical with CVSS 9.8 and Exploitation More Likely.

Absolute also listed Office, SharePoint, Exchange, Remote Desktop, Active Directory Domain Services, Hyper-V, SQL Server, Visual Studio Code, Copilot and BitLocker among the areas touched by the release. BleepingComputer’s table also included Exchange, SharePoint, Office, Remote Desktop Client, Hyper-V, DHCP Client, Kerberos and Windows Kernel entries.

BitLocker Turns Patch Tuesday Into Desk Work

The BitLocker item is different from an internet-facing service bug. BleepingComputer reported that CVE-2026-50507 allowed local attackers to gain access to an encrypted drive, and SecurityWeek described it as a bypass that can allow an attacker with physical access to reach encrypted data.

BleepingComputer reported that CVE-2026-50507 is a fix for YellowKey, while SecurityWeek described the connection as possible. Readers following that earlier disclosure thread can read Oton’s related YellowKey BitLocker bypass coverage.

That puts the device team in the same Patch Tuesday queue as Windows networking and server owners. The same release that patches HTTP.sys also sends admins back to encrypted laptops, recovery behavior and physical access controls.

Patch Order Follows Exposure

Absolute’s practical advice was to prioritize exploitation likelihood, attack chain potential, business exposure and critical systems such as Active Directory, Exchange and Remote Desktop. That advice fits a release where the published count changes by scope but the exposed products remain familiar.

  1. Start with the publicly disclosed Windows issues and any item marked Exploitation More Likely.
  2. Review HTTP.sys systems and the MaxHeadersCount option after the June Windows update is installed.
  3. Move remote code execution and elevation of privilege bugs into the first patch waves where exposed systems are present.
  4. Check BitLocker and related device recovery workflows where physical access risk is part of the environment.
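The four steps above can be turned into a repeatable sort rather than a judgement call per CVE. The PowerShell below is an added example written for this article, not a tool from Absolute, Microsoft or any other source cited here. It assigns each entry in an inventory to a patch wave and attaches the component-specific follow-up (the MaxHeadersCount review for HTTP.sys, the device-team work for BitLocker). The CSV schema, the AssetTier and InternetFacing tags and every PLACEHOLDER-* row are constructed for the example; only the three CVE IDs and the attributes the article reports for them come from the page, and the KnownExploited and exposure values for CVE-2026-47291 are assumed.

```powershell
<#
Added example, not from the page's sources. Applies the four-step order to a CVE
inventory and emits patch waves. Schema, asset tags and PLACEHOLDER-* rows are
constructed; CVE-2026-47291's KnownExploited/exposure values are assumed.
#>
$inventory = @'
Id,Component,Impact,CVSS,Exploitability,PubliclyDisclosed,KnownExploited,AssetTier,InternetFacing
CVE-2026-47291,HTTP.sys,RemoteCodeExecution,9.8,MoreLikely,No,No,Critical,Yes
CVE-2026-50507,BitLocker,SecurityFeatureBypass,,MoreLikely,Yes,No,Endpoint,No
PLACEHOLDER-CTFMON,Collaborative Translation Framework,ElevationOfPrivilege,,MoreLikely,Yes,No,Endpoint,No
PLACEHOLDER-HTTPSYS-DOS,HTTP.sys,DenialOfService,,MoreLikely,Yes,No,Critical,Yes
PLACEHOLDER-RDP-RCE,Remote Desktop,RemoteCodeExecution,,LessLikely,No,No,Critical,Yes
PLACEHOLDER-OFFICE-SPOOF,Office,Spoofing,,LessLikely,No,No,Standard,No
'@

function Get-PatchWave {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject]$Cve)
    process {
        # "Exposed" here means reachable from the internet or sitting on a critical system
        # such as AD, Exchange or Remote Desktop; both tags come from the inventory, not Microsoft.
        $exposed  = ($Cve.InternetFacing -eq 'Yes') -or ($Cve.AssetTier -eq 'Critical')
        $codeExec = $Cve.Impact -in @('RemoteCodeExecution', 'ElevationOfPrivilege')

        # Step 1: public or exploited first, then anything rated Exploitation More Likely on exposed systems.
        if ($Cve.KnownExploited -eq 'Yes' -or $Cve.PubliclyDisclosed -eq 'Yes') { $wave = 1 }
        elseif ($Cve.Exploitability -eq 'MoreLikely' -and $exposed)             { $wave = 1 }
        # Step 3: RCE and EoP on exposed systems next; the same bug classes elsewhere follow.
        elseif ($codeExec -and $exposed) { $wave = 2 }
        elseif ($codeExec)               { $wave = 3 }
        else                             { $wave = 4 }

        # Steps 2 and 4: work that is not just "install the update".
        $followUp = switch ($Cve.Component) {
            'HTTP.sys'  { 'Review MaxHeadersCount once the June update is installed' }
            'BitLocker' { 'Device team: verify recovery workflow and physical access controls' }
            default     { '' }
        }

        # Blank CVSS (not reported) sorts below any scored entry in the same wave.
        $cvss = if ($Cve.CVSS) { [double]$Cve.CVSS } else { $null }

        [pscustomobject]@{
            Wave           = $wave
            Id             = $Cve.Id
            Component      = $Cve.Component
            Impact         = $Cve.Impact
            CVSS           = $cvss
            Exploitability = $Cve.Exploitability
            FollowUp       = $followUp
        }
    }
}

$inventory | ConvertFrom-Csv | Get-PatchWave |
    Sort-Object -Property Wave, @{ Expression = 'CVSS'; Descending = $true } |
    Format-Table -AutoSize
```

With the constructed rows, the three public advisories and the 9.8 HTTP.sys RCE land in wave 1, the Remote Desktop RCE on an exposed host in wave 2, and the Office spoofing bug in wave 4; swapping in an export of the real June release and your own asset tags changes the rows, not the rules.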

Microsoft’s June security update release notes remain the common reference page for the release. Different trackers published different counts, but the patch queue starts from the same dated Microsoft drop.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
