Crucially, none of the three zero-day vulnerabilities were known to have been exploited in the wild before the patches were released.
This is a "link following" flaw in the Windows Collaborative Translation Framework (CTFMON) that allows an authenticated attacker to escalate privileges locally to SYSTEM. Microsoft listed the reporter as anonymous, but security researchers quickly connected it to the “GreenPlasma” exploit publicly released by the researcher Nightmare Eclipse (also known in community discussions as “Chaotic Eclipse”). The disclosure was part of a campaign to protest Microsoft’s bug bounty and vulnerability disclosure programs.
This is an uncontrolled resource consumption vulnerability (CWE-400) in the HTTP/2 protocol stack, assigned a CVSS score of 7.5. An unauthenticated remote attacker can send a small amount of data that forces the server to allocate a disproportionately large amount of memory. By manipulating HTTP/2 flow-control settings, an attacker can keep that memory tied up indefinitely. Discovered by Quang Luong and Codex of Calif.io, the attack can knock affected web servers offline in seconds. Microsoft introduced a new MaxHeadersCount registry setting (documented in KB5102602) to limit HTTP/2 and HTTP/3 request headers as a mitigation.
This is a protection-mechanism failure that allows an unauthenticated attacker with physical access to bypass BitLocker encryption by exploiting the Windows Recovery Environment on TPM-only drives. This is the second exploit from the Nightmare Eclipse campaign fixed this month, publicly known as “YellowKey”.
The researcher Nightmare Eclipse publicly launched a wave of Windows zero-days—named BlueHammer, MiniPlasma, RedSun, UnDefend, GreenPlasma, and YellowKey—in protest of how Microsoft handles bug bounties. While Microsoft’s June patches addressed GreenPlasma and YellowKey, three others from the same campaign (BlueHammer, RedSun, and UnDefend) were reported as actively exploited in early June, prompting CISA to add them to its Known Exploited Vulnerabilities catalog.
The mandatory June updates for Windows 11 delivered more than security fixes. Two primary cumulative updates were released: KB5094126 for versions 25H2 (build 26200.8457) and 24H2 (build 26100.8457), and KB5093998 for version 23H2 (build 22631.7079). Microsoft also released an extended security update, KB5094127, for Windows 10.
On the same day, Adobe released 11 security advisories plugging 123 vulnerabilities across products including Acrobat Reader, ColdFusion, InDesign, and Experience Manager. Of those, 47 were rated Critical and could lead to arbitrary code execution, privilege escalation, or denial-of-service.