The Microsoft June 2026 Patch Tuesday release addresses a total of 200 flaws, including 33 “Critical” vulnerabilities. Most notably, this patch cycle mitigates three publicly disclosed zero-day vulnerabilities. While none of these zero-days are confirmed to have been actively exploited in the wild at the time of reporting, their public disclosure and the availability of proof-of-concept (PoC) details elevate the risk of exploitation for unpatched systems.
Severity: High
Vulnerability Intelligence
1. CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) EoP
- Vulnerability Type: Elevation of Privilege (EoP)
- Exploit Name: “Green Plasma”
- Discovered/Leaked By: Nightmare Eclipse
- Impact: Allows an authenticated, local attacker to bypass access controls and spawn a command shell with full SYSTEM permissions.
- Root Cause: Improper link resolution before file access (“link following”) within the Windows Collaborative Translation Framework.
- Context: This leak is part of a broader wave of protest disclosures by the researcher (alongside other strains like BlueHammer, MiniPlasma, RedSun, UnDefend, and YellowKey) targeting Microsoft’s bounty program handling.
2. CVE-2026-49160: HTTP.sys Denial of Service
- Vulnerability Type: Denial of Service (DoS)
- Exploit Name: “HTTP/2 Bomb”
- Impact: Allows an unauthenticated, remote attacker to rapidly crash web servers, causing significant performance degradation or total service outages in under a minute.
- Root Cause: Uncontrolled resource consumption. The attack abuses HTTP/2 header compression and header handling. By sending highly compressed, malicious headers, the attacker forces the server to allocate a disproportionately large amount of memory. Attackers can then manipulate flow-control settings to pin that memory and prevent it from being freed.
3. CVE-2026-50507: Windows BitLocker Security Feature Bypass
- Vulnerability Type: Security Feature Bypass
- Exploit Name: “YellowKey”
- Discovered/Leaked By: Nightmare Eclipse
- Impact: Bypasses BitLocker full-disk encryption, granting physical/local attackers unrestricted command shell access to the protected drive.
- Scope: Primarily affects Windows 11 and Windows Server 2022/2025 deployments relying strictly on TPM-only protection.
- Root Cause: Protection mechanism failure during the boot cycle. An attacker can place specially crafted files on a USB drive or EFI partition, boot the machine into the Windows Recovery Environment (WinRE), and hold down the CTRL key to trigger an unrestricted command shell.
Recommendations
- Apply June 2026 Patch Tuesday updates across all Windows 11 and Windows Server 2022/2025 systems without delay.
- CVE-2026-49160: Alongside the patch, Microsoft introduced a new registry configuration setting, MaxHeadersCount, allowing administrators to strictly limit the number of headers accepted in HTTP/2 and HTTP/3 requests.
- CVE-2026-50507: For environments where patching cannot be immediately deployed, enforcing TPM+PIN multi-factor authentication instead of relying solely on TPM-only validation mitigates the attack vector.
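The following PowerShell script is an added example written for this advisory; it is not code from the advisory's sources or from Microsoft. It audits a host for the two interim mitigations above and applies them when run with -Apply: the HTTP.sys MaxHeadersCount limit named for CVE-2026-49160, and TPM+PIN in place of TPM-only protection on BitLocker operating-system volumes for CVE-2026-50507. Two points are assumptions rather than facts from the advisory: the registry location of MaxHeadersCount is taken to be the existing HTTP.sys Parameters key (the advisory gives no path), and the limit of 100 is a constructed sample value, not a Microsoft default.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory or from Microsoft. Audits the two interim
# mitigations under Recommendations and applies them with -Apply:
#   1. HTTP.sys MaxHeadersCount limit (CVE-2026-49160)
#   2. TPM+PIN instead of TPM-only protection on BitLocker OS volumes (CVE-2026-50507)
# Assumptions: the registry key below is assumed (the advisory states no path);
# the limit of 100 is a constructed sample value, not a vendor default.
param(
    [switch]$Apply,                 # default: report only, change nothing
    [int]$MaxHeadersCount = 100,    # sample value; size it for your applications
    [string]$StartupPin             # required with -Apply for the BitLocker step
)

$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'  # assumed location

function Get-HttpSysHeaderLimit {
    # Current MaxHeadersCount, or $null when the value has never been set
    $p = Get-ItemProperty -Path $HttpParamsKey -Name MaxHeadersCount -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.MaxHeadersCount
}

function Set-HttpSysHeaderLimit([int]$Limit) {
    # HTTP.sys reads its Parameters key at service start, so the HTTP service
    # (and IIS sites on top of it) must be restarted for the limit to take effect
    New-ItemProperty -Path $HttpParamsKey -Name MaxHeadersCount -PropertyType DWord `
        -Value $Limit -Force | Out-Null
}

function Get-TpmOnlyOsVolumes {
    # OS volumes that unlock with a bare TPM protector and no PIN requirement
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        ($types -contains 'Tpm') -and
        -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
    }
}

function ConvertTo-TpmAndPin($Volume, [string]$Pin) {
    # Refuse to change protectors unless a recovery password exists; a mistake
    # here would otherwise lock the machine out of its own disk
    $recovery = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        Write-Warning "$($Volume.MountPoint): no recovery password protector, skipping"
        return
    }
    $securePin = ConvertTo-SecureString -String $Pin -AsPlainText -Force
    # Group policy ("Require additional authentication at startup") must allow a
    # startup PIN, otherwise the TPM+PIN protector is rejected
    Add-BitLockerKeyProtector -MountPoint $Volume.MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null
    # Re-read the volume and drop any bare TPM protector that is still present,
    # so the volume no longer unlocks without the PIN
    $fresh = Get-BitLockerVolume -MountPoint $Volume.MountPoint
    $fresh.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $Volume.MountPoint `
                -KeyProtectorId $_.KeyProtectorId -ErrorAction SilentlyContinue | Out-Null
        }
}

# --- HTTP.sys header limit -----------------------------------------------------
$current = Get-HttpSysHeaderLimit
if ($null -eq $current) {
    Write-Host 'HTTP.sys MaxHeadersCount: not set'
    if ($Apply) {
        Set-HttpSysHeaderLimit $MaxHeadersCount
        Write-Host "  -> set to $MaxHeadersCount (restart the HTTP service to apply)"
    }
} else {
    Write-Host "HTTP.sys MaxHeadersCount: $current"
}

# --- BitLocker TPM-only OS volumes ---------------------------------------------
$tpmOnly = @(Get-TpmOnlyOsVolumes)
if ($tpmOnly.Count -eq 0) {
    Write-Host 'BitLocker: no TPM-only OS volumes found'
} else {
    foreach ($v in $tpmOnly) {
        Write-Host "BitLocker: $($v.MountPoint) relies on TPM-only protection"
        if ($Apply) {
            if (-not $StartupPin) { Write-Warning '  -Apply needs -StartupPin for the BitLocker step'; break }
            ConvertTo-TpmAndPin -Volume $v -Pin $StartupPin
        }
    }
}
```

Run it without -Apply first to see which hosts still unlock on TPM alone and whether the header limit is present; run with -Apply and a -StartupPin only after the recovery passwords for those volumes are confirmed to be escrowed (in Active Directory, Entra ID or your key vault), since the script deliberately skips any volume without a recovery password protector.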
Sources:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2026-patch-tuesday-fixes-3-zero-day-200-flaws/
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-45586
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-49160
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-50507