bleepingcomputer.com web signal

Microsoft Patches 200 Flaws Including Three Zero-Days


Key insights

  • ZDI's 571-CVE total (including Adobe and Chromium) versus BleepingComputer's 200 and Tenable's 198 reflects a scope gap that directly reshapes enterprise prioritization.
  • MiniPlasma (cldflt.sys SYSTEM privilege escalation, actively exploited) was not patched in June despite three sibling Chaotic Eclipse zero-days being fixed.
  • ZDI flagged three CVSS 9.8 bugs, including a wormable Windows Kernel RCE and a DHCP Client RCE, that most outlets missed entirely.

Why this matters

The June 2026 Patch Tuesday is the largest single-vendor monthly release since ZDI began tracking in 2017, with ZDI counting 208 Microsoft CVEs and 571 total when Adobe and Chromium are included. Three zero-days from the Chaotic Eclipse researcher wave were patched, but a fourth, MiniPlasma (cldflt.sys SYSTEM privilege escalation), remains actively exploited and unaddressed. Krebs on Security and The Hacker News both attribute the record CVE volume to AI tools accelerating vulnerability discovery across Microsoft's engineering staff and external researchers, a trend Tenable's Satnam Narang calls structural and permanent. Adobe released 11 concurrent advisories covering 123 CVEs on the same day, 47 of them critical, confirming this is a multi-vendor remediation event that amplifies enterprise patch load well beyond the Microsoft headline count.

Summary

Microsoft's June 2026 Patch Tuesday fixes 200 CVEs with three publicly known zero-days. YellowKey (CVE-2026-50507) exploits the Windows Recovery Environment to bypass BitLocker on TPM-only drives. The HTTP/2 bomb (CVE-2026-49160), found by Quang Luong and Codex of Calif.io, turns minimal attacker data into disproportionate server memory load; Microsoft's mitigation adds a MaxHeadersCount registry key. CTFMON (CVE-2026-45586) allows local privilege escalation via improper link resolution, credited to an anonymous researcher.

Essentially: (Microsoft, Calif.io) 33 Critical patches, 55 RCE CVEs, three zero-day attack classes.

  • YellowKey requires physical access, not remote exploitation
  • HTTP/2 fix needs a MaxHeadersCount registry change beyond standard patching
  • 65 of 200 CVEs are Elevation of Privilege, the largest single category

27 spoofing and 19 security feature bypass CVEs round out a batch that touches every Windows deployment layer.

Potential risks and opportunities

Risks

  • Organizations using TPM-only BitLocker without additional pre-boot authentication remain exposed to physical-access drive decryption during the patch deployment window, with enterprise laptop fleets at particular risk
  • Windows-based web server operators who patch without configuring MaxHeadersCount remain vulnerable to HTTP/2 bomb memory exhaustion (CVE-2026-49160) even after applying the June update
  • With 28 Critical Remote Code Execution CVEs in a single batch, organizations running delayed patch cycles face compounding exposure across every Windows attack surface this month
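
A fleet check for the first risk above, as an added example that is not from the original article or from Microsoft: it flags operating-system volumes whose protectors include a plain TPM protector with no PIN or startup key. The function names and the sample volumes are assumptions made for illustration; the objects mimic the shape of `Get-BitLockerVolume` output.

```powershell
# Added example. Flags OS volumes protected by TPM alone (no pre-boot factor).
function Test-TpmOnlyVolume {
    param([Parameter(Mandatory)] $Volume)
    # Protector types that add a pre-boot factor on top of the TPM.
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasTpm = $types -contains 'Tpm'
    $hasPreBoot = @($types | Where-Object { $_ -in $preBoot }).Count -gt 0
    return ($hasTpm -and -not $hasPreBoot)
}

function Get-TpmOnlyReport {
    param([Parameter(Mandatory)] [object[]] $Volumes)
    foreach ($v in $Volumes) {
        # Only the OS volume is unlocked by the TPM at boot; skip data volumes.
        if ([string]$v.VolumeType -ne 'OperatingSystem') { continue }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Protectors = (@($v.KeyProtector.KeyProtectorType) -join ',')
            TpmOnly    = Test-TpmOnlyVolume -Volume $v
        }
    }
}

# Hypothetical helper that builds constructed sample volumes (not real output).
function New-SampleVolume($Mount, $Type, [string[]] $Protectors) {
    [pscustomobject]@{
        MountPoint   = $Mount
        VolumeType   = $Type
        KeyProtector = @($Protectors | ForEach-Object {
            [pscustomobject]@{ KeyProtectorType = $_ }
        })
    }
}

$sample = @(
    New-SampleVolume 'C:' 'OperatingSystem' @('Tpm', 'RecoveryPassword')     # TPM-only
    New-SampleVolume 'C:' 'OperatingSystem' @('TpmPin', 'RecoveryPassword')  # TPM + PIN
    New-SampleVolume 'D:' 'Data'            @('Password')                    # skipped
)
Get-TpmOnlyReport -Volumes $sample | Format-Table -AutoSize

# On a live host, from an elevated session:
# Get-TpmOnlyReport -Volumes (Get-BitLockerVolume)
```

Rows with `TpmOnly` set to `True` are the configurations the article describes as exposed to physical-access attacks until the update is deployed.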

Opportunities

  • Endpoint and physical security vendors can position pre-boot integrity monitoring as a direct defense against YellowKey-class attacks targeting enterprise laptop fleets
  • Calif.io gains public visibility as a named contributor to a high-profile Patch Tuesday disclosure, opening doors for enterprise security consulting and research partnerships
  • SIEM and configuration management vendors can surface the MaxHeadersCount registry requirement as a post-patch validation check, creating an audit-and-verify workflow for Windows web server teams

What we don't know yet

  • Attribution for CVE-2026-45586 (CTFMON EoP): credited to an anonymous researcher with no organization or country disclosed
  • Active exploitation status: whether any of the three zero-days are being exploited in the wild is not addressed in the article
  • Full Windows version scope of YellowKey (CVE-2026-50507): which specific versions beyond TPM-only BitLocker configurations are affected is not detailed

What others are reporting

Coverage cluster as of 24h after publish

  1. Krebs on Security

    Broadens the event to a multi-vendor record day including Adobe and Google Chrome, and frames the CVE surge as a structural AI-acceleration effect with no self-correction expected.

    Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board.
  2. Zero Day Initiative

    Sets the authoritative scope at 571 total CVEs and flags three CVSS 9.8 bugs most outlets missed, including a wormable Windows Kernel RCE and a DHCP Client RCE that bypassed mainstream coverage.

    This month, Microsoft released a new record 208 CVEs across Windows and Windows components, Office and Office Components, Microsoft Edge.
  3. The Hacker News

    Names the researcher behind the zero-day cluster as Chaotic Eclipse and maps all four exploits (YellowKey, GreenPlasma, MiniPlasma, RoguePlanet) to their CVEs in one place.

    An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system.
  4. Dark Reading

    Reports the one Chaotic Eclipse zero-day Microsoft did not fix in June: MiniPlasma in cldflt.sys, confirmed working on the latest Windows 11 Pro with a standard user account.

    BleepingComputer previously confirmed the exploit works on the latest Windows 11 Pro with a standard user account.
  5. Qualys

    The only source treating Microsoft and Adobe as a combined release, with 94 custom mitigations for vulnerabilities that cannot be immediately patched.

    This month's release addresses 206 vulnerabilities, including 33 critical and 167 important-severity vulnerabilities.