SOCRadar® Cyber Intelligence Inc. | June 2026 Patch Tuesday: 206 Vulnerabilities, Three Zero-Days Including HTTP/2 Bomb Flaw (CVE-2026-49160)
Jun 10, 2026
Moon

June 2026 Patch Tuesday: 206 Vulnerabilities, Three Zero-Days Including HTTP/2 Bomb Flaw (CVE-2026-49160)

Microsoft released its June 2026 Patch Tuesday security updates, resolving a total of 206 vulnerabilities across Windows and a wide range of Microsoft products and components. This month’s release includes three publicly disclosed zero-day vulnerabilities, one of which is linked to the HTTP/2 Bomb exploit.

Elevation of Privilege and Remote Code Execution (RCE) vulnerabilities dominate the release this month in unusually close numbers, together accounting for well over half of all patches. Information Disclosure and Spoofing follow – with Spoofing notably elevated this month, driven largely by a cluster of Microsoft SharePoint Server entries. Security Feature Bypass spans Secure Boot, BitLocker, and various other components, with Denial of Service (DoS) and Tampering rounding out the release.

Zero-Day Vulnerabilities Addressed in June 2026 Patch Tuesday

Three publicly disclosed vulnerabilities are addressed in this month’s release. All three carry a Microsoft assessment of Exploitation More Likely.

CVE-2026-49160

CVE-2026-49160 (CVSS 7.5) is a Denial of Service vulnerability in the Windows HTTP.sys kernel-mode listener, the shared HTTP stack component that many server roles and applications depend on.

The flaw is linked to the HTTP/2 Bomb technique – a class of attack where a small, crafted HTTP/2 request causes the server to expand and process a disproportionately large amount of data, exhausting resources and triggering a denial of service.

Details of CVE-2026-49160 (SOCRadar Vulnerability Intelligence)

A remote unauthenticated attacker can trigger CVE-2026-49160 by sending crafted HTTP traffic, with no user interaction required. Moreover, because it sits in a shared Windows component rather than a single application, a successful exploit can destabilize multiple services on the same host simultaneously.
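The paragraph above describes the defining property of the HTTP/2 Bomb class: a small request that decodes into a disproportionately large amount of data. The following is an added illustration (not code from the SOCRadar post, from Microsoft, or from any HTTP/2 implementation) of why the defensive answer is to bound the decoded size rather than the wire size. It does not implement the HPACK wire format; the header table, the one-byte index references and the constructed 1000-byte request are simplifying assumptions. The 32-octet per-field overhead used for accounting is the one HTTP/2 defines for SETTINGS_MAX_HEADER_LIST_SIZE.

```python
"""Bounded header-block expansion: a toy model of the HTTP/2 Bomb class.

Added illustration, not code from the SOCRadar post, Microsoft, or any
HTTP/2 stack. It does not implement HPACK; it models only the property
the text describes (a few bytes of references decoding into a very large
header list) and the defensive bound a decoder must enforce. Table layout
and reference encoding are assumptions; the 32-octet per-field overhead
follows RFC 7540 s6.5.2 / RFC 7541 s4.1.
"""
from dataclasses import dataclass


class HeaderListTooLarge(Exception):
    """Raised when the decoded header list exceeds the configured bound."""

    def __init__(self, total: int, limit: int, fields_decoded: int):
        super().__init__(f"decoded size {total} exceeds {limit} "
                         f"after {fields_decoded} fields")
        self.fields_decoded = fields_decoded


@dataclass
class BoundedHeaderDecoder:
    # Simulated header table: each entry is (name, value). In real HPACK
    # this is the static+dynamic table; here it is a plain list (assumption).
    table: list
    # Hard cap on the *decoded* size, analogous to SETTINGS_MAX_HEADER_LIST_SIZE.
    max_header_list_size: int = 64 * 1024

    @staticmethod
    def field_size(name: str, value: str) -> int:
        # Uncompressed size of one header field as HTTP/2 accounts it:
        # name length + value length + 32 octets of overhead.
        return len(name) + len(value) + 32

    def decode(self, refs: bytes) -> list:
        """Expand a byte string of table indices into header fields.

        Aborts as soon as the running decoded size crosses the cap, so the
        work done is bounded by max_header_list_size, not by what the
        client chose to send.
        """
        decoded, total = [], 0
        for idx in refs:
            name, value = self.table[idx]
            total += self.field_size(name, value)
            if total > self.max_header_list_size:
                raise HeaderListTooLarge(total, self.max_header_list_size,
                                         len(decoded))
            decoded.append((name, value))
        return decoded


def amplification_ratio(refs: bytes, decoded: list) -> float:
    """Decoded octets per octet received on the wire."""
    expanded = sum(BoundedHeaderDecoder.field_size(n, v) for n, v in decoded)
    return expanded / len(refs)


# Constructed scenario: a table holding one long header value and a
# 1000-byte request that references it 1000 times (index 0 repeated).
TABLE = [("x-padding", "A" * 4000)]
REFS = bytes([0]) * 1000


def unbounded_expansion() -> float:
    # With a generous cap the request decodes fully: 1000 fields, ~4 MiB.
    dec = BoundedHeaderDecoder(TABLE, max_header_list_size=10 * 1024 * 1024)
    return amplification_ratio(REFS, dec.decode(REFS))


def fields_accepted_before_rejection() -> int:
    # With the 64 KiB default the decoder gives up after a handful of fields.
    try:
        BoundedHeaderDecoder(TABLE).decode(REFS)
    except HeaderListTooLarge as exc:
        return exc.fields_decoded
    return len(REFS)


if __name__ == "__main__":
    print(f"amplification without an effective cap: {unbounded_expansion():.0f}x")
    print(f"fields accepted before rejection: {fields_accepted_before_rejection()}")
```

The point of the model is the asymmetry: the cap is checked against the running decoded total, so the cost of a hostile request is proportional to the limit the server chose, not to the number of references the client packed into a few bytes.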

CVE-2026-45586

CVE-2026-45586 (CVSS 7.8) is a local Elevation of Privilege vulnerability in the Windows Collaborative Translation Framework, which is the CTFMON service that manages text input and language services across Windows. An authenticated attacker with local access can exploit it to elevate to SYSTEM-level privileges.

Details of CVE-2026-45586 (SOCRadar Vulnerability Intelligence)

Like most EoP flaws, its practical danger lies in how readily it slots into multi-stage attack chains: an attacker who has obtained initial low-privileged access via phishing, a web exploit, or a malicious document can use it to reach full system compromise. Microsoft flagged it as Exploitation More Likely, and the fact that it was publicly disclosed before the patch gives threat actors a meaningful head start.

CVE-2026-50507

CVE-2026-50507 (CVSS 6.8) is a Security Feature Bypass in BitLocker, the Windows full-disk encryption layer. Notably, its CVSS vector includes E:P (Exploit code: Proof of Concept), meaning proof-of-concept exploit code is already publicly available.

The vulnerability requires physical access to the target device, but that is precisely the scenario BitLocker is designed to defend against. A successful exploit bypasses disk encryption protections, creating meaningful risk for lost or stolen enterprise devices and physical-access attack scenarios such as evil maid attacks.

Details of CVE-2026-50507 (SOCRadar Vulnerability Intelligence)

Organizations relying on BitLocker as a data-at-rest protection control should treat this as an urgent endpoint patch, particularly for devices that travel outside controlled environments.

Cut Through Patch Noise With SOCRadar XTI

For defenders, the hardest part of Patch Tuesday is rarely finding the updates. It is knowing which vulnerabilities create the most immediate risk in their own environment.

SOCRadar Cyber Threat Intelligence helps teams follow exploitation developments, patch intelligence, and broader vulnerability trends, while Attack Surface Management (ASM) adds visibility into exposed systems that may raise the urgency of response. Together, they support faster and more informed prioritization during high-volume patch cycles.

SOCRadar’s ASM, Company Vulnerabilities

Critical Vulnerabilities in June 2026 Patch Tuesday

The following vulnerabilities carry a CVSS base score of 9.0 or above:

  • CVE-2026-48567 (CVSS 10.0) – Azure HorizonDB Elevation of Privilege Vulnerability (no customer action required)
  • CVE-2026-26142 (CVSS 9.8) – Nuance PowerScribe Remote Code Execution Vulnerability
  • CVE-2026-44815 (CVSS 9.8) – Windows DHCP Client Remote Code Execution Vulnerability
  • CVE-2026-45657 (CVSS 9.8) – Windows Kernel Remote Code Execution Vulnerability
  • CVE-2026-47291 (CVSS 9.8) – Windows HTTP.sys Remote Code Execution Vulnerability (mitigation available)
  • CVE-2026-47643 (CVSS 9.8) – Azure Stack Edge Remote Code Execution Vulnerability
  • CVE-2026-42904 (CVSS 9.6) – Windows TCP/IP Elevation of Privilege Vulnerability
  • CVE-2026-47281 (CVSS 9.6) – Visual Studio Code Elevation of Privilege Vulnerability
  • CVE-2026-45602 (CVSS 9.1) – Windows DHCP Tampering Vulnerability
  • CVE-2026-48579 (CVSS 9.1) – Microsoft Exchange Online Information Disclosure Vulnerability (no customer action required)

A Perfect 10.0 in Azure HorizonDB

The highest score in this month’s advisory is a 10.0, belonging to CVE-2026-48567 in Azure HorizonDB. Microsoft has marked it as requiring no customer action. Despite the service-side fix, the flaw carries a scope change, meaning an attacker could affect systems beyond the directly vulnerable component. Organizations using Azure HorizonDB should monitor for any supplemental guidance and verify service health post-update.

Vulnerability card for CVE-2026-48567 (SOCRadar Free Tools, CVE Radar)

Second Threat in the HTTP.sys Stack

Separate from the zero-day CVE-2026-49160, CVE-2026-47291 is an unauthenticated network-accessible RCE in Windows HTTP.sys rated Exploitation More Likely, and the only vulnerability this month for which Microsoft has published a mitigation. Together, the two HTTP.sys vulnerabilities expose internet-facing Windows HTTP infrastructure to both an RCE and a DoS in the same stack; treat them as a single patching priority block.

Vulnerability card for CVE-2026-47291 (SOCRadar Free Tools, CVE Radar)

The remaining 9.0+ entries span a wide surface. CVE-2026-44815 (DHCP Client RCE, 9.8) and CVE-2026-45602 (DHCP Tampering, 9.1) are both unauthenticated and require no user interaction. CVE-2026-45657 (Windows Kernel RCE, 9.8) is a rare fully unauthenticated network-accessible RCE against the kernel itself. CVE-2026-47281 (VS Code, 9.6) and CVE-2026-42904 (Windows TCP/IP, 9.6) both carry scope change, relevant to developer fleets and segmented networks respectively.

High-Risk Vulnerabilities to Watch in June 2026 Patch Tuesday

Beyond the Critical-rated vulnerabilities, Microsoft assessed the following as Exploitation More Likely, signaling an elevated probability of near-term weaponization:

  • CVE-2026-42905 (CVSS 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2026-42980 (CVSS 7.8) – Windows NT OS Kernel Elevation of Privilege Vulnerability
  • CVE-2026-42985 (CVSS 8.8) – Remote Desktop Client Remote Code Execution Vulnerability
  • CVE-2026-42986 (CVSS 7.8) – Microsoft Graphics Component Elevation of Privilege Vulnerability
  • CVE-2026-42989 (CVSS 7.8) – Winlogon Elevation of Privilege Vulnerability
  • CVE-2026-44803 (CVSS 7.8) – Windows Win32K – GRFX Elevation of Privilege Vulnerability
  • CVE-2026-44812 (CVSS 7.8) – Windows Win32K – GRFX Elevation of Privilege Vulnerability
  • CVE-2026-45481 (CVSS 7.3) – Microsoft SharePoint Server Spoofing Vulnerability
  • CVE-2026-45586 (CVSS 7.8) – Windows Collaborative Translation Framework Elevation of Privilege Vulnerability (zero-day)
  • CVE-2026-45658 (CVSS 7.8) – Windows BitLocker Security Feature Bypass Vulnerability
  • CVE-2026-47291 (CVSS 9.8) – Windows HTTP.sys Remote Code Execution Vulnerability (mitigation available)
  • CVE-2026-47634 (CVSS 7.3) – Microsoft SharePoint Server Spoofing Vulnerability
  • CVE-2026-49160 (CVSS 7.5) – HTTP.sys Denial of Service Vulnerability (zero-day)
  • CVE-2026-50507 (CVSS 6.8) – Windows BitLocker Security Feature Bypass Vulnerability (zero-day, PoC available)
  • CVE-2026-50508 (CVSS 6.5) – Windows NTLM Spoofing Vulnerability

The list is dominated by local Elevation of Privilege vulnerabilities – DWM Core Library, Win32K, Winlogon, Windows NT OS Kernel, and the Graphics Component are all frequent fixtures in post-exploitation chains. The CVE-2026-50508 NTLM Spoofing vulnerability stands out despite its lower CVSS score: it is network-accessible, requires no authentication, and needs only user interaction (such as opening a file or visiting a page) to capture an NTLM hash. In environments where NTLM is still in use, a stolen hash enables pass-the-hash attacks or offline cracking, making the practical impact significantly higher than the score suggests. Two SharePoint Spoofing entries (…-45481 and …-47634) are also flagged, adding to an already heavy SharePoint patch load this month, in which a large cluster of Spoofing CVEs dominates the component’s entries.
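The practical impact of CVE-2026-50508 hinges on whether NTLM is still in use, so a defender's first step is to find out where it is. The following is an added example (not code from the SOCRadar post) that inventories NTLM network logons from Windows Security event 4624 records: Logon Type 3 is a network logon, Authentication Package NTLM marks NTLM authentication, and Package Name distinguishes NTLM V1 from NTLM V2. The records are constructed sample data, and their one-line key=value layout is a simplifying assumption; a real export is multi-line and would need its own field extraction.

```python
"""Inventory NTLM network logons from Windows Security event 4624 records.

Added example, not code from the SOCRadar post. Reads constructed sample
records modelled on the fields of event 4624 (LogonType 3 = network logon;
AuthenticationPackage NTLM; PackageName NTLM V1 / NTLM V2) and summarises
where NTLM is still used, which is the precondition the text gives for
CVE-2026-50508 having practical impact. The one-line key=value layout is an
assumption made for the example; real exports are multi-line.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM V2 "
    "TargetUserName=jdoe WorkstationName=WS01 IpAddress=10.0.0.5",
    "EventID=4624 LogonType=3 AuthenticationPackage=Kerberos PackageName=- "
    "TargetUserName=jdoe WorkstationName=WS01 IpAddress=10.0.0.5",
    "EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM V1 "
    "TargetUserName=svc-backup WorkstationName=LEGACY-NAS IpAddress=10.0.4.9",
    "EventID=4624 LogonType=2 AuthenticationPackage=NTLM PackageName=NTLM V2 "
    "TargetUserName=asmith WorkstationName=WS02 IpAddress=127.0.0.1",
    "EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM V2 "
    "TargetUserName=asmith WorkstationName=WS02 IpAddress=10.0.0.7",
    "EventID=4625 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM V2 "
    "TargetUserName=asmith WorkstationName=WS02 IpAddress=10.0.0.7",
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# values containing spaces ("NTLM V2") are kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one constructed record into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_ntlm_network_logon(ev: dict) -> bool:
    """Successful logon (4624), over the network (type 3), via NTLM."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackage") == "NTLM")


def summarize(lines) -> dict:
    """Count NTLM network logons per source host and flag NTLMv1 accounts."""
    by_source = Counter()
    accounts_by_source = defaultdict(set)
    ntlm_v1_accounts = set()
    total = 0
    for ev in map(parse_event, lines):
        if not is_ntlm_network_logon(ev):
            continue
        total += 1
        src = ev.get("WorkstationName", "?")
        user = ev.get("TargetUserName", "?")
        by_source[src] += 1
        accounts_by_source[src].add(user)
        # NTLMv1 is the weaker variant; accounts still using it deserve
        # attention first when reducing NTLM exposure.
        if ev.get("PackageName") == "NTLM V1":
            ntlm_v1_accounts.add(user)
    return {
        "total_ntlm_network_logons": total,
        "by_source": dict(by_source),
        "accounts_by_source": {s: sorted(a) for s, a in accounts_by_source.items()},
        "ntlm_v1_accounts": sorted(ntlm_v1_accounts),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    print(f"NTLM network logons: {report['total_ntlm_network_logons']}")
    for src, n in sorted(report["by_source"].items()):
        print(f"  {src}: {n} ({', '.join(report['accounts_by_source'][src])})")
    if report["ntlm_v1_accounts"]:
        print("accounts still using NTLM V1:", ", ".join(report["ntlm_v1_accounts"]))
```

Local logons (type 2) and failed logons (4625) are deliberately excluded: the question is which hosts and accounts are actually authenticating over the network with NTLM, since those are the ones a captured hash would be replayed against.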

Apply Microsoft’s Security Updates for June 2026

June’s release is unusually large by most measures. Systems affected by these vulnerabilities should be patched without delay, with priority given to:

  • Windows hosts processing HTTP/HTTPS traffic, facing both the RCE in HTTP.sys (CVE-2026-47291, CVSS 9.8 – apply the available mitigation if patching is delayed) and the DoS in HTTP.sys (CVE-2026-49160)
  • DHCP infrastructure, where the unauthenticated DHCP Client RCE (CVE-2026-44815, CVSS 9.8) and DHCP Tampering vulnerability (CVE-2026-45602, CVSS 9.1) both require no credentials and no user interaction to exploit
  • Windows Kernel deployments, affected by the rare unauthenticated network-accessible RCE in CVE-2026-45657 (CVSS 9.8)
  • BitLocker-protected endpoints, particularly those leaving controlled environments, due to the publicly disclosed PoC-backed bypass CVE-2026-50507
  • Exchange Server environments, noting that CVE-2026-45583 (Exchange Server RCE) is not remediated by the June Security Update alone and requires following the CVE-specific documentation instructions – environments tracking only “SU installed” status will miss this
  • Windows Server 2022 Datacenter: Azure Edition, where the June update ships as a baseline (non-hotpatch) update due to CVE-2026-45585, meaning a reboot is required – plan maintenance windows accordingly
  • Domain and identity infrastructure, affected by the NTLM Spoofing CVE-2026-50508 and Active Directory RCE CVE-2026-45648 (CVSS 8.8)
  • SharePoint Server environments, which face a significant cluster of patches this month including two Exploitation More Likely Spoofing entries and an 8.8-scored RCE
  • Endpoints and servers running DWM Core Library, Win32K, Winlogon, and NT OS Kernel components flagged as Exploitation More Likely

See Microsoft’s June 2026 release notes for the full details of patched CVEs.