System administrators are in for a busy few weeks after Microsoft published updates to fix 200 vulnerabilities including three publicly disclosed zero-days June’s Patch Tuesday.
A total of 33 critical CVEs were tackled, with most (28) remote code execution (RCE) bugs.
One of the most noteworthy zero-days is CVE-2026-49160, also known as “HTTP/2 Bomb.”
It’s a denial of service (DoS) vulnerability discovered by AI-powered research tools which could allow an attacker with a single home computer to take down web servers in as little as 20 seconds.
“Every so often, a new round of denial-of-service vulnerabilities emerge which affect web servers implementing HTTP/2 and HTTP/3 standards,” explained Rapid7 principal software engineer, Adam Barnett.
“This class of vulnerabilities is likely to expand further as researchers, including the discoverers of CVE-2026-49160, use advances in LLM capability to probe not just specific software, but also the standards on which software rests.”
Read more on Patch Tuesday: Microsoft Fixes 17 Critical Flaws in May Patch Tuesday
The second zero-day fixed is CVE-2026-50507, a Windows BitLocker security feature bypass vulnerability.
Jack Bicer, director of vulnerability research at Action1, said the bug could allow an attacker with physical access to a vulnerable system to bypass a key security feature and gain access to encrypted data stored on the device.
“A successful bypass undermines this security control and can expose confidential business information, customer data, intellectual property, financial records, and regulated data,” he added.
“In environments where endpoint encryption is a compliance requirement, exploitation could result in regulatory exposure, breach notification obligations, reputational damage, and financial losses.”
The third zero day is an elevation of privilege (EoP) flaw in Windows Collaborative Translation Framework (CTFMON).
CVE-2026-45586 is caused by “link following” and could allow a local authenticated attacker to gain system privileges, Action1 co-founder Alex Vovk warned.
“A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time,” he added.
“System access can allow malware installation, defense evasion, credential theft, data modification, and deeper movement across the environment. For businesses, this can increase the impact of phishing, stolen credentials, or compromised standard user accounts.”
Patches to Prioritize
Overall, EoP vulnerabilities were most commonplace this month, accounting for 65 CVEs. RCE bugs (55), information disclosure (30), spoofing (27), and security feature bypass vulnerabilities (19) rounded out the top five.
Other CVEs to prioritize this month include:
- CVE-2026-44812: an RCE flaw in Windows Graphics Component (Win32K-GRFX) that can allow an attacker to execute arbitrary code on a target system
- CVE-2026-42985: an RCE bug in the Remote Desktop Client which could provide attackers with access to sensitive corporate systems
- CVE-2026-44815: a critical flaw in the Windows DHCP Client caused by a stack-based buffer overflow, which could turn network traffic into a full system compromise
- CVE-2026-47652: an RCE vulnerability in Windows Hyper-V which could lead to unauthorized code execution, compromise of sensitive workloads, and disruption of hosted services
