June 2026 Microsoft Patch Tuesday: 206 Vulnerabilities Patched

CyberSecureFox Editorial Team

The June 2026 Patch Tuesday was record-breaking in scope: Microsoft addressed 206 vulnerabilities in its products, 39 of which were rated Critical and 167 Important. Among the fixes are three publicly disclosed zero-day vulnerabilities (CVE-2026-50507, CVE-2026-49160, CVE-2026-45586) and three critical remote code execution issues with a maximum CVSS score of 9.8 that require neither authentication nor user interaction. Windows infrastructure administrators need to prioritize deploying the updates, especially on systems running DHCP services, IIS web servers, and domain controllers.

Critical remote code execution vulnerabilities

The most severe vulnerability in this release is CVE-2026-45657 (CVSS 9.8), a use-after-free bug in the Windows kernel. An attacker can send specially crafted network traffic to a vulnerable system, exploiting improper TCP/IP data handling in the kernel. Successful exploitation results in arbitrary code execution with SYSTEM privileges, without requiring authentication or any user interaction.

Two other critical vulnerabilities affect key Windows networking components:

  • CVE-2026-47291 (CVSS 9.8) — an integer overflow in Windows HTTP.sys that allows an unauthenticated attacker to execute code remotely over the network.
  • CVE-2026-44815 (CVSS 9.8) — a stack-based buffer overflow in the Windows DHCP Client, also leading to remote code execution without authentication.

The vulnerability in the DHCP client warrants particular attention: according to Action1 analysts, exploiting it does not require credentials or user actions — it is enough to send specially crafted network traffic to a system that uses DHCP services. Because DHCP is a fundamental network function, successful exploitation can result in server compromise, malware deployment, data theft, and lateral movement within the network.

Three publicly disclosed zero-day vulnerabilities

Microsoft has confirmed that three vulnerabilities were publicly disclosed before the patches were released:

  • CVE-2026-50507 (CVSS 6.8) — a BitLocker Device Encryption protection bypass. According to researcher Will Dormann, this vulnerability is presumably related to an encryption bypass technique known in the community as bitskrieg, which allows an attacker to gain full access to encrypted data. Exploitation requires physical access to the device.
  • CVE-2026-49160 (CVSS 7.5) — a denial-of-service vulnerability in HTTP.sys, related to the HTTP2/Bomb attack technique. According to researchers from Calif, during testing an IIS server consumed 64 GB of RAM in about 45 seconds.
  • CVE-2026-45586 (CVSS 7.8) — an elevation of privilege vulnerability in the Windows Collaborative Translation Framework (CTFMON).

It is important to emphasize that none of these vulnerabilities is currently listed in the CISA KEV catalog, and Microsoft does not report any confirmed exploitation in real-world attacks. However, the availability of public PoC exploits significantly increases the likelihood that attackers will abuse them in the near future.

BitLocker bypasses and new mitigation for HTTP/2

In addition to CVE-2026-50507, Microsoft has fixed several other protection bypass vulnerabilities related to BitLocker.

All BitLocker vulnerabilities require physical access to the target device, which limits the pool of potential attackers but makes them critically important for organizations handling sensitive data on mobile devices.

To counter HTTP2/Bomb-style attacks, Microsoft has introduced a new registry parameter, MaxHeadersCount, which limits the number of headers in HTTP/2 and HTTP/3 requests. This helps protect servers from excessive consumption of memory and CPU resources.

Fixing the six-year-old MiniPlasma vulnerability

The update for CVE-2020-17103, a vulnerability originally patched in December 2020, deserves special mention. Microsoft acknowledged that the previous patch was incomplete and recommended installing the June 2026 updates to fully remediate the issue, publicly known as MiniPlasma.

Overall picture: breakdown by type

Of the 206 vulnerabilities, the breakdown by type is as follows: 63 elevation of privilege, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, 7 denial of service, and 3 tampering. Additionally, the release includes two CVEs for third-party components: CVE-2025-10263 (elevation of privilege in the Windows kernel) and CVE-2026-8863 (UEFI Secure Boot bypass).

Prioritization recommendations

Given the volume and criticality of this release, the following order of actions is recommended:

  1. Immediately — patch systems that process DHCP traffic, IIS web servers, and network-exposed systems to remediate CVE-2026-45657, CVE-2026-47291, and CVE-2026-44815 (all CVSS 9.8).
  2. Within 24–48 hours — apply updates for the publicly disclosed zero-days: CVE-2026-50507, CVE-2026-49160, and CVE-2026-45586, for which PoC exploits are available.
  3. For IIS servers — configure the MaxHeadersCount registry parameter to limit HTTP/2 and HTTP/3 headers as an additional protection measure against attacks on HTTP.sys.
  4. For mobile devices — update systems using BitLocker to eliminate encryption bypasses, especially on laptops used by remote employees.
  5. Ensure that the update for CVE-2020-17103 (MiniPlasma) is installed, even if the previous 2020 patch had already been applied.
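The MaxHeadersCount hardening from step 3 (and the HTTP/2 section above) can be rolled out consistently across IIS hosts with a small script. The following is an added example, not code from the article, from Action1 or from Microsoft. It assumes that MaxHeadersCount is read from the standard HTTP.sys Parameters key (HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, where other HTTP.sys limits such as MaxFieldLength live), that it is a DWORD, and that, like those other values, it takes effect only after the HTTP service is restarted. The limit of 100 is a placeholder; the article gives no recommended value, so tune it against the largest legitimate header count your applications send.

```powershell
# Added example: apply the MaxHeadersCount limit for HTTP.sys on IIS hosts.
# Assumptions (not stated in the article): registry path, DWORD type, and the
# need for an HTTP service restart mirror other documented HTTP.sys Parameters.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName  = 'MaxHeadersCount'
$Limit      = 100   # placeholder value; tune for your applications before deployment

function Get-HttpSysHeaderLimit {
    # Returns the configured limit, or $null when the value is absent (driver default applies)
    $item = Get-ItemProperty -Path $HttpParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-HttpSysHeaderLimit {
    param([Parameter(Mandatory)][int]$Count)
    if (-not (Test-Path $HttpParams)) {
        New-Item -Path $HttpParams -Force | Out-Null
    }
    New-ItemProperty -Path $HttpParams -Name $ValueName -Value $Count `
        -PropertyType DWord -Force | Out-Null
}

# Only touch hosts where IIS (W3SVC) is actually installed
$iis = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
if ($null -eq $iis) {
    Write-Host "IIS (W3SVC) not present on $env:COMPUTERNAME; nothing to configure."
    return
}

$before = Get-HttpSysHeaderLimit
$shown  = if ($null -eq $before) { 'not set (driver default)' } else { $before }
Write-Host ("{0}: current {1} = {2}" -f $env:COMPUTERNAME, $ValueName, $shown)

if ($before -ne $Limit) {
    Set-HttpSysHeaderLimit -Count $Limit
    $after = Get-HttpSysHeaderLimit
    Write-Host ("Set {0} = {1}; verified value is {2}." -f $ValueName, $Limit, $after)
    Write-Host "HTTP.sys reads Parameters at driver start: schedule a restart of the HTTP service (stops IIS) or a reboot in a maintenance window."
} else {
    Write-Host "$ValueName already at the desired limit; no change made."
}
```

Run it with administrative rights from your configuration management or a remoting session (Invoke-Command) so every IIS host ends up with the same limit, and keep the change alongside the patch itself: the registry value reduces the resource-exhaustion impact of malformed HTTP/2 and HTTP/3 requests, but it does not replace the fixes for CVE-2026-49160 and CVE-2026-47291.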

The record-breaking scope of the June Patch Tuesday — 206 vulnerabilities, three of which have already been publicly disclosed with available PoC exploits — requires security teams to accelerate their testing and deployment cycles. The three vulnerabilities with CVSS 9.8 that can be exploited via network traffic without authentication pose a real risk of mass compromise for organizations that delay patching. Start with the networking components — the Windows kernel, HTTP.sys, and the DHCP client — and configure the MaxHeadersCount parameter on all IIS servers before completing the full update cycle.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
