top of page

Microsoft Patch Tuesday: 206 Vulnerabilities Patched Including Zero-Days and Critical RCE Exploits

  • Jun 10
  • 3 min read

Key Findings


  • Microsoft released 206 security patches in June 2026, a record number including 39 Critical and 167 Important severity flaws

  • Three vulnerabilities were publicly disclosed at the time of release, including two BitLocker bypasses and an HTTP.sys denial-of-service flaw

  • Patch set includes 56 remote code execution vulnerabilities, 63 privilege escalation flaws, and multiple critical kernel issues

  • Three highest severity flaws all carry a CVSS score of 9.8 and enable unauthenticated network-based code execution

  • DHCP Client and HTTP.sys vulnerabilities represent particularly severe threats due to their foundational role in network operations


Background


This month's patch cycle marks an unprecedented scale of vulnerability remediation from Microsoft. The 206 fixes span the company's entire software portfolio and represent a significant security response. Beyond Microsoft's own code, the patches also address two non-Microsoft CVEs affecting Windows Kernel and UEFI Secure Boot, plus over 350 Chromium flaws used in Microsoft Edge. The sheer volume reflects either aggressive vulnerability disclosure or a concentrated period of security research uncovering systemic issues across critical systems.


Critical Remote Code Execution Threats


The three most severe vulnerabilities all achieve a CVSS score of 9.8 and require no authentication or user interaction. CVE-2026-45657 affects the Windows Kernel through a use-after-free flaw in TCP/IP processing. An attacker sends specially crafted network packets that trigger improper kernel memory handling, allowing execution with system-level privileges. CVE-2026-47291 represents an integer overflow in Windows HTTP.sys that enables unauthorized network-based code execution. CVE-2026-44815 is a stack-based buffer overflow in the Windows DHCP Client, allowing attackers to compromise systems through malicious network traffic sent to DHCP-configured machines.


The DHCP vulnerability poses particular risk since DHCP is a fundamental network service. Successful exploitation could lead to server compromise, malware deployment, data theft, and lateral network movement. Systems handling DHCP traffic represent high-priority patch targets.


Publicly Disclosed Zero-Day Vulnerabilities


Three zero-days were publicly disclosed prior to this patch release. CVE-2026-49160 is an HTTP.sys denial-of-service vulnerability related to HTTP2/Bomb, an attack technique capable of exhausting server resources rapidly. Testing demonstrated an IIS server losing 64 GB of RAM in approximately 45 seconds. Microsoft introduced a new MaxHeadersCount registry setting to limit HTTP headers and mitigate such attacks. CVE-2026-45586 is a privilege escalation flaw in Windows Collaborative Translation Framework (CTFMON) believed to address a zero-day exploit called GreenPlasma. CVE-2026-50507 fixes a BitLocker bypass dubbed bitskrieg that grants full access to encrypted data on systems with physical access.


BitLocker Security Feature Bypasses


Microsoft addressed multiple BitLocker Device Encryption bypasses requiring physical access to target systems. Beyond CVE-2026-50507, the updates include CVE-2026-45585, CVE-2026-45655, and CVE-2026-45658. Security researcher Chaotic Eclipse released a proof-of-concept exploit called YellowKey for CVE-2026-45585 last month. These vulnerabilities allow attackers with physical device access to bypass BitLocker encryption and access encrypted data. The fixes also address MiniPlasma, a previously incomplete fix for CVE-2020-17103 originally patched in December 2020.


Broader Vulnerability Distribution


Beyond the critical remote code execution flaws, the patch set addresses significant depth across vulnerability categories. The 206 total flaws break down into 63 privilege escalation vulnerabilities, 56 remote code execution issues, 30 information disclosure flaws, 27 spoofing vulnerabilities, 20 security feature bypasses, seven denial-of-service flaws, and three tampering vulnerabilities. Multiple heap-based buffer overflows compromise the Microsoft Office suite, Outlook, Word, and Windows Hyper-V deployments. Remote Desktop Client also contains heap-based buffer overflow flaws exploitable over networks.


Sources


  • https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html

  • https://securityonline.info/microsoft-patch-tuesday-fixes/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page