Microsoft shipped its largest Patch Tuesday on record today: 200 vulnerabilities, 33 rated Critical, and three publicly disclosed zero-days. None of the zero-days are known to be exploited yet, but the Critical list reads like a checklist of core infrastructure — HTTP.sys, Kerberos KDC, Active Directory Domain Services, Hyper-V, DHCP, and AKS.
The zero-days
CVE-2026-49160 — HTTP.sys denial of service (“HTTP/2 Bomb”). The HPACK/flow-control resource exhaustion technique disclosed by Calif researchers Quang Luong and Codex gets its Windows fix. Tiny requests force HTTP.sys to allocate disproportionately large header buffers, and manipulated flow-control windows keep that memory pinned until the server falls over. Alongside the patch, Microsoft introduced a new MaxHeadersCount registry setting (see KB5102602) to cap the number of headers accepted in HTTP/2 and HTTP/3 requests — worth setting on any internet-facing IIS or HTTP.sys-backed service even after patching.
CVE-2026-50507 — BitLocker security feature bypass. This is the fix for YellowKey, disclosed last month by researcher Nightmare Eclipse (also behind BlueHammer, MiniPlasma, RedSun, and UnDefend). A physical attacker boots into WinRE with crafted files on a USB drive or EFI partition and holds CTRL to pop a command shell with unrestricted access to encrypted drives. TPM-only BitLocker on Windows 11 and Server 2022/2025 is the exposed configuration: with no second factor, the TPM releases the volume key as soon as the measured boot chain checks out, so a shell reached from the trusted recovery environment inherits an already-unlocked volume. With TPM+PIN the key is not released until the PIN is entered, which is why it was the interim mitigation and remains good practice.
CVE-2026-45586 — Windows Collaborative Translation Framework (CTFMON) elevation of privilege. A link-following flaw that takes an authorized attacker to SYSTEM. Publicly disclosed before today’s fix.
The Critical list is the real story
The 33 Critical flaws include 28 RCEs. For infrastructure teams, prioritize:
- CVE-2026-47291 — HTTP.sys RCE. Unauthenticated, network-reachable, and sitting in the kernel-mode driver that fronts IIS, WinRM, WSUS, and anything else using http.sys. Patch internet-facing Windows web tier first.
- CVE-2026-47288 — Kerberos KDC RCE and CVE-2026-45648 — Active Directory Domain Services RCE. Both put domain controllers in the blast radius; DC compromise is domain compromise.
- CVE-2026-45641, CVE-2026-47652, CVE-2026-45607 — Hyper-V RCEs. Three Critical guest-to-host paths. If you run multi-tenant or mixed-trust virtualization, these outrank almost everything else this month.
- CVE-2026-44815 — DHCP Client RCE. Client-side and network-triggered: the vulnerable component is the DHCP Client service, which runs by default on essentially every Windows host, so the whole fleet is in scope, not just servers, and roaming laptops that take leases on networks you do not control most of all.
- CVE-2026-32193 — Azure Kubernetes Service RCE and CVE-2026-45476 — Azure Network Adapter (Linux MANA driver) EoP, a reminder that the Linux side of Azure estates needs this cycle too.
- Seven Critical Remote Desktop Client RCEs (CVE-2026-42985 and others) — a malicious RDP server compromising connecting clients. Jump-box and admin workstation fleets should patch early.
Also in the pile: seven on-prem Exchange CVEs (all Important), eight Secure Boot bypasses, two UEFI flaws, and Kerberos and TCP/IP DoS bugs.
What to do now
Patch domain controllers, Hyper-V hosts, and internet-facing web tier first; the HTTP.sys RCE plus the public HTTP/2 Bomb details make that combination the most likely to be weaponized quickly. Set MaxHeadersCount on HTTP/2- and HTTP/3-exposed services. If you’re on TPM-only BitLocker, deploy the update and move to TPM+PIN for portable hardware. Public disclosure means exploit development for all three zero-days started before today — assume PoCs land within days, not weeks.
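As a worked audit for the action items above (exposure to the roles in the Critical list for patch ordering, the MaxHeadersCount cap from the HTTP/2 Bomb entry, and the TPM-only BitLocker check from the YellowKey entry), here is an added PowerShell script. It is not code from the article, from Microsoft, or from KB5102602. The registry path and DWORD type for MaxHeadersCount, its default of 100, and the service-name-to-role map are this script's assumptions (the path is where the existing HTTP.sys parameters such as MaxFieldLength live); confirm them against KB5102602 before rolling out.

```powershell
#Requires -RunAsAdministrator
# Added triage script for this month's release; not code from the article,
# MSRC or KB5102602. Everything marked ASSUMED must be confirmed before use.

function Get-PatchExposure {
    # Which of the roles named in the Critical list does this host carry?
    # Service names are the standard Windows ones; the role-to-service map is
    # this script's own (ASSUMED good enough for triage, not exhaustive).
    $roleServices = [ordered]@{
        'NTDS'        = 'Domain controller: Kerberos KDC and AD DS RCEs'
        'vmms'        = 'Hyper-V host: three guest-to-host RCEs'
        'W3SVC'       = 'IIS on HTTP.sys: HTTP.sys RCE plus HTTP/2 Bomb DoS'
        'WinRM'       = 'WinRM listener on HTTP.sys'
        'WsusService' = 'WSUS on HTTP.sys'
        'Dhcp'        = 'DHCP Client RCE (service is on by default)'
    }
    $hits = foreach ($name in $roleServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            [pscustomobject]@{ Service = $name; Exposure = $roleServices[$name] }
        }
    }
    return @($hits)
}

function Set-HttpSysMaxHeadersCount {
    param(
        # ASSUMED default; take the value KB5102602 recommends for your workload.
        [ValidateRange(1, 65535)] [int] $Count = 100
    )
    # ASSUMED: the new DWORD sits beside the existing HTTP.sys parameters
    # (MaxFieldLength, MaxRequestBytes, ...). Confirm path and type in KB5102602.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'MaxHeadersCount' -PropertyType DWord `
        -Value $Count -Force | Out-Null
    # HTTP.sys reads its Parameters key at driver start, so the cap is live only
    # after 'net stop http' / 'net start http' (restarts IIS, WinRM, ...) or a reboot.
    (Get-ItemProperty -Path $path -Name 'MaxHeadersCount').MaxHeadersCount
}

function Get-TpmOnlyBitLockerVolumes {
    # BitLocker allows one TPM-family protector per volume, so a protector whose
    # type is exactly 'Tpm' (not TpmPin, TpmStartupKey or TpmPinStartupKey) marks
    # the YellowKey-exposed TPM-only configuration.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                TpmOnly          = ($types -contains 'Tpm')
            }
        }
}

function Convert-ToTpmPinProtector {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # Prerequisite: the 'Require additional authentication at startup' policy must
    # allow a TPM startup PIN, otherwise Add-BitLockerKeyProtector refuses the PIN.
    # Never drop the TPM protector without a backed-up recovery password in place.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "$MountPoint has no recovery password protector; add and back one up first."
    }
    $tpm = $vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' }
    if (-not $tpm) { return "$MountPoint is not TPM-only; nothing to do." }
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    return "$MountPoint now requires TPM+PIN at boot."
}

# Usage: run on each host in the patch wave; the exposure table drives ordering.
Get-PatchExposure | Format-Table -AutoSize
if (Get-Service -Name 'W3SVC', 'WinRM' -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running') {
    "MaxHeadersCount now: $(Set-HttpSysMaxHeadersCount -Count 100)"
}
Get-TpmOnlyBitLockerVolumes | Where-Object TpmOnly | Format-Table -AutoSize
# To remediate a flagged volume interactively (portable hardware first):
#   Convert-ToTpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

The exposure check deliberately keys on running services rather than installed features: a host with the Hyper-V role installed but vmms stopped is not a guest-to-host target today, while a DC's NTDS service is always up. The BitLocker check relies on the single-TPM-protector rule, so a bare Tpm protector type is sufficient evidence of a TPM-only volume without inspecting the other protectors.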
For comparison: May's release was 120 flaws with no zero-days, April's was 167 with two. Counts exclude the ~360 Chromium fixes that Google shipped this month and that Edge inherits.
References: BleepingComputer’s June 2026 Patch Tuesday report, Tenable’s analysis, MSRC advisories for CVE-2026-49160 and CVE-2026-50507, and KB5102602 on MaxHeadersCount.