Microsoft's record June Patch Tuesday fixes 200 flaws, including 3 publicly disclosed zero-days
Microsoft released its June 2026 Patch Tuesday updates on June 9, fixing 200 vulnerabilities in what BleepingComputer described as the largest single Patch Tuesday release in the program's history.
At a glance
- Microsoft fixed 200 vulnerabilities in the June 2026 Patch Tuesday released June 9, 2026, the largest in the program's history
- Three publicly disclosed zero-days patched: CVE-2026-45586 (Windows CTFMON EoP), CVE-2026-49160 (HTTP.sys DoS, 'HTTP/2 Bomb'), CVE-2026-50507 (BitLocker bypass, 'YellowKey'); none known exploited
- 33 Critical-rated flaws: 28 remote code execution, 4 elevation of privilege, 1 information disclosure
- Category breakdown: 65 EoP, 55 RCE, 30 information disclosure, 27 spoofing, 19 security feature bypass, 7 DoS
- Help Net Security reported a same-day PoC for an unpatched Windows Defender privilege-escalation race condition dubbed RoguePlanet, released by 'Nightmare Eclipse'
VERDICT — CONFIRMED
Microsoft released its June 2026 Patch Tuesday updates on June 9, fixing 200 vulnerabilities in what BleepingComputer described as the largest single Patch Tuesday release in the program's history. The batch includes 33 Critical-rated flaws — 28 remote code execution, four elevation of privilege and one information disclosure — and three publicly disclosed zero-days, none known to be exploited in attacks.
The zero-days are CVE-2026-45586, a Windows CTFMON elevation-of-privilege bug stemming from improper link resolution before file access; CVE-2026-49160, an HTTP.sys denial-of-service flaw dubbed 'HTTP/2 Bomb' that lets unauthenticated attackers exhaust resources over a network; and CVE-2026-50507, a BitLocker security-feature bypass nicknamed 'YellowKey' that allows an attacker with physical access to defeat full-disk encryption via the Windows Recovery Environment. By category, the release counts 65 elevation-of-privilege, 55 remote code execution, 30 information disclosure, 27 spoofing, 19 security-feature-bypass and 7 denial-of-service issues; outlet tallies range from 198 to 206 CVEs depending on counting method.
Help Net Security additionally flagged a same-day proof-of-concept dubbed RoguePlanet — a Windows Defender race condition enabling SYSTEM-level command shells — released by an actor calling itself 'Nightmare Eclipse,' with remote exploitation reportedly blocked by May's patches.
Why it matters
a record-size patch load carrying three public zero-days compresses enterprise testing windows and hands attackers an unusually large diff surface to reverse-engineer into n-day exploits.
Key facts on file
- Microsoft fixed 200 vulnerabilities in the June 2026 Patch Tuesday released June 9, 2026, the largest in the program's history
- Three publicly disclosed zero-days patched: CVE-2026-45586 (Windows CTFMON EoP), CVE-2026-49160 (HTTP.sys DoS, 'HTTP/2 Bomb'), CVE-2026-50507 (BitLocker bypass, 'YellowKey'); none known exploited
- 33 Critical-rated flaws: 28 remote code execution, 4 elevation of privilege, 1 information disclosure
- Category breakdown: 65 EoP, 55 RCE, 30 information disclosure, 27 spoofing, 19 security feature bypass, 7 DoS
- Help Net Security reported a same-day PoC for an unpatched Windows Defender privilege-escalation race condition dubbed RoguePlanet, released by 'Nightmare Eclipse'

