bleepingcomputer.com web signal

Microsoft Patches 200 Flaws Including Three Zero-Days

microsoft cybersecurity patch-tuesday zero-day windows-security

Key insights

  • Microsoft fixed 200 CVEs in June 2026, with 33 Critical patches covering 28 Remote Code Execution and 4 Elevation of Privilege vulnerabilities.
  • YellowKey (CVE-2026-50507) is a physical-access BitLocker bypass exploiting the Windows Recovery Environment on TPM-only protected drives.
  • Researchers Quang Luong and Codex of Calif.io discovered the HTTP/2 bomb flaw; Microsoft mitigated it with a new MaxHeadersCount registry setting.

Why this matters

The YellowKey BitLocker bypass matters to any organization using TPM-only BitLocker on laptops, since physical access combined with the Windows Recovery Environment is sufficient to read encrypted drives without credentials. The HTTP/2 bomb (CVE-2026-49160) requires both patching and a MaxHeadersCount registry configuration to fully close, meaning server operators who stop at patch deployment remain exposed to memory exhaustion attacks. The 65 Elevation of Privilege and 55 Remote Code Execution CVEs in a single cycle underscore that Windows patch debt compounds quickly, including for AI infrastructure teams running Windows workloads at scale.

Summary

Microsoft's June 2026 Patch Tuesday fixes 200 CVEs with three publicly known zero-days. YellowKey (CVE-2026-50507) exploits the Windows Recovery Environment to bypass BitLocker on TPM-only drives. The HTTP/2 bomb (CVE-2026-49160), found by Quang Luong and Codex of Calif.io, turns minimal attacker data into disproportionate server memory load; Microsoft's mitigation adds a MaxHeadersCount registry key. CTFMON (CVE-2026-45586) allows local privilege escalation via improper link resolution and is credited to an anonymous researcher.

Essentially: (Microsoft, Calif.io) 33 Critical patches, 55 RCE CVEs, three zero-day attack classes.

  • YellowKey requires physical access, not remote exploitation
  • HTTP/2 fix needs a MaxHeadersCount registry change beyond standard patching
  • 65 of 200 CVEs are Elevation of Privilege, the largest single category

27 spoofing and 19 security feature bypass CVEs round out a batch that touches every Windows deployment layer.

Potential risks and opportunities

Risks

  • Organizations using TPM-only BitLocker without additional pre-boot authentication remain exposed to physical-access drive decryption during the patch deployment window, with enterprise laptop fleets at particular risk
  • Windows-based web server operators who patch without configuring MaxHeadersCount remain vulnerable to HTTP/2 bomb memory exhaustion (CVE-2026-49160) even after applying the June update
  • With 28 Critical Remote Code Execution CVEs in a single batch, organizations running delayed patch cycles face compounding exposure across every Windows attack surface this month

Opportunities

  • Endpoint and physical security vendors can position pre-boot integrity monitoring as a direct defense against YellowKey-class attacks targeting enterprise laptop fleets
  • Calif.io gains public visibility as a named contributor to a high-profile Patch Tuesday disclosure, opening doors for enterprise security consulting and research partnerships
  • SIEM and configuration management vendors can surface the MaxHeadersCount registry requirement as a post-patch validation check, creating an audit-and-verify workflow for Windows web server teams

What we don't know yet

  • Attribution for CVE-2026-45586 (CTFMON EoP): credited to an anonymous researcher with no organization or country disclosed
  • Active exploitation status: whether any of the three zero-days are being exploited in the wild is not addressed in the article
  • Full Windows version scope of YellowKey (CVE-2026-50507): which specific versions beyond TPM-only BitLocker configurations are affected is not detailed