Microsoft June 2026 Patch Tuesday Fixes 200 Security Flaws

Microsoft has released its June 2026 Patch Tuesday security updates. The company fixed 200 security flaws across its software, including 33 vulnerabilities rated as critical. The update addresses six zero-day vulnerabilities, five of which were publicly disclosed and one of which attackers are actively exploiting in the wild.

The actively exploited vulnerability is CVE-2026-42897, a spoofing flaw in Microsoft Exchange Server. Attackers can exploit this bug by sending a specially crafted email that executes malicious JavaScript in the user’s browser when the user opens the email in Outlook Web Access. Microsoft also patched CVE-2026-45586, a privilege escalation flaw in the Windows Collaborative Translation Framework. Known as “GreenPlasma,” this vulnerability allowed local attackers to obtain full SYSTEM privileges on a target computer.

Two BitLocker security bypass flaws, known as “YellowKey” (CVE-2026-45585) and “bitskrieg” (CVE-2026-50507), were also resolved. These flaws allowed anyone with physical access to a computer to bypass device encryption and view protected files. However, the security fix for the “bitskrieg” flaw has a known issue. According to security analysts, installing the patch might cause Windows devices to show an error stating that the BitLocker key could not load correctly. Affected users can fix this issue by turning the Windows Recovery Environment (WinRE) off and back on from the command prompt.

Another zero-day fix addresses CVE-2026-49160, a denial-of-service vulnerability called the “HTTP/2 Bomb.” The flaw allowed attackers to crash servers by sending very small amounts of data that forced the server to consume large amounts of memory. To help prevent this, Microsoft added a new registry setting called MaxHeadersCount to limit headers in network requests. This update comes shortly after Microsoft released an emergency Windows 11 update to fix issues from previous patches.

Microsoft also patched a zero-day in the Cloud Files Mini Filter Driver (CVE-2020-17103) that was originally reported in 2020 but remained exploitable. This month’s updates do not include Edge or Copilot fixes, which Microsoft resolved earlier. The table below lists the number of flaws patched in each vulnerability category.

June 2026 Vulnerability Breakdown

| Vulnerability Category | Number of Flaws Patched |
| --- | --- |
| Elevation of Privilege | 65 |
| Security Feature Bypass | 19 |
| Remote Code Execution | 55 |
| Information Disclosure | 30 |
| Denial of Service | 7 |
| Spoofing | 27 |

Security updates are available now through Windows Update, and administrators should apply them quickly to protect their networks.
