Microsoft June 2026 Patch Tuesday: 6 Zero-Days and 200 Vulnerabilities Demand Immediate Action
Microsoft has released its June 2026 Patch Tuesday security updates, closing 200 vulnerabilities across its product ecosystem, including six zero-day flaws, one of which is confirmed to be actively exploited in live attacks. This is one of the heaviest Patch Tuesday releases of 2026, and the scale of exposure demands urgent attention from Canadian IT administrators, system owners, and security operations teams.
Of the 200 flaws addressed, 33 are rated Critical. That critical tier breaks down as 28 remote code execution (RCE) vulnerabilities, four elevation of privilege flaws, and one information disclosure issue. The full vulnerability count by category includes 65 elevation of privilege, 55 remote code execution, 30 information disclosure, 27 spoofing, 19 security feature bypass, and 7 denial of service vulnerabilities.
Note: This count excludes flaws fixed earlier in June across Mariner, Azure HorizonDB, Microsoft Copilot products, Exchange Online, and Microsoft Graph, as well as 360 Microsoft Edge/Chromium flaws resolved by Google.
Six Zero-Days Patched: A Full Breakdown
GreenPlasma: Windows CTFMON Privilege Escalation
CVE-2026-45586 patches a Windows Collaborative Translation Framework (CTFMON) elevation of privilege flaw known publicly as GreenPlasma. The vulnerability stems from improper link resolution before file access, letting an authenticated local attacker escalate to SYSTEM-level privileges. This flaw was disclosed by security researcher Nightmare Eclipse, who has released multiple Windows zero-day exploits in protest of Microsoft’s bug bounty and vulnerability disclosure policies.
HTTP/2 Bomb: Denial-of-Service Against Windows Servers
CVE-2026-49160 addresses the HTTP/2 Bomb, a denial-of-service flaw in HTTP.sys disclosed by researchers at offensive security firm Calif.io. The attack exploits the way HTTP/2 compresses and manages traffic headers, allowing a small volume of inbound traffic to force the target server into allocating a disproportionately large amount of memory. Attackers can further manipulate flow-control settings to prevent memory from being freed, causing sustained degradation or outright service failure. Microsoft has responded by introducing a new MaxHeadersCount registry setting, detailed in support bulletin KB5102602, to cap the number of accepted headers in HTTP/2 and HTTP/3 requests.
YellowKey: BitLocker Bypass via Physical Access
CVE-2026-45585 fixes the YellowKey BitLocker security bypass, another public disclosure from Nightmare Eclipse. The flaw allowed a physically present attacker to place specially crafted files on a USB drive or EFI partition and then boot into the Windows Recovery Environment, where holding the CTRL key opened a command shell with unrestricted access to BitLocker-protected drives. Systems using TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 are primarily affected. Microsoft had issued temporary mitigations in May 2026; this update delivers the full resolution.
Bitskrieg: A Second BitLocker Bypass
CVE-2026-50507 patches a second BitLocker bypass vulnerability believed to address the flaw publicly disclosed as bitskrieg by Windows security researcher Jonas Lykkegaard just days before this update. Like YellowKey, physical access to the device is required. Administrators should be aware that applying this patch may trigger a Windows error indicating the BitLocker key was not loaded correctly. The fix is straightforward: run the following commands in an elevated command prompt to disable and re-enable WinRE:
reagentc /disable
reagentc /enableMini-Plasma: A 2020 Bug That Was Never Fully Fixed
CVE-2020-17103 closes a Windows Cloud Files Mini Filter Driver elevation of privilege flaw called Mini-Plasma, also brought to light by Nightmare Eclipse. The vulnerability was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and was reportedly patched in December of that year. Nightmare Eclipse demonstrated the flaw remained exploitable in 2026, suggesting the original fix was either incomplete or inadvertently reintroduced during subsequent updates. Microsoft now explicitly recommends the June 2026 updates to fully address it.
CVE-2026-42897: Exchange Server Spoofing, Actively Exploited
CVE-2026-42897 is the only zero-day in this batch with confirmed active exploitation. This Microsoft Exchange Server spoofing vulnerability allows arbitrary JavaScript to run in a victim’s browser when a specially crafted email is opened in Outlook Web Access (OWA). Microsoft has not yet released a standalone patch and is currently pushing interim mitigations through the Exchange Emergency Mitigation Service (EEMS), which should be enabled by default on affected servers. Microsoft has not disclosed the identity of the threat actor behind the active exploitation.
Other High-Priority Vulnerabilities This Month
Several non-zero-day Critical flaws also warrant urgent attention. The Remote Desktop Client carries nine RCE vulnerabilities, including Critical-rated CVE-2026-44799, CVE-2026-44801, and CVE-2026-42992. Windows Hyper-V has multiple Critical RCE flaws, including CVE-2026-45607 and CVE-2026-47652. CVE-2026-45648, a Critical Windows Active Directory Domain Services RCE vulnerability, poses a serious lateral movement risk in enterprise environments. Microsoft Office, including Word, Outlook, and Excel, carries a substantial load with Critical RCE flaws such as CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635. SharePoint Server alone has over 20 spoofing and RCE vulnerabilities addressed this month.
Canadian Impact: Exchange, BitLocker, and Compliance Obligations
For Canadian organizations, CVE-2026-42897 is the most urgent item on the June 2026 patch list. On-premises Exchange Server deployments across federal and provincial government agencies, healthcare networks, financial institutions, and post-secondary education institutions are directly exposed. Under PIPEDA (Personal Information Protection and Electronic Documents Act) and provincial privacy laws, a breach arising from a known unpatched vulnerability carries real risk of regulatory scrutiny and mandatory breach notification.
The Canadian Centre for Cyber Security (CCCS) identifies timely patch management as one of its Top 10 IT Security Actions. This release, featuring both actively exploited and publicly known zero-days, is precisely the kind of event that guidance is designed for. Organizations in critical infrastructure sectors, including energy, telecommunications, and financial services, should treat the Hyper-V and Active Directory RCE flaws as high-priority due to their potential for environment-wide compromise.
The dual BitLocker bypasses (YellowKey and bitskrieg) are especially relevant for Canadian organizations operating fleets of laptops or any device that may be subject to physical access risk, including field workers in healthcare, government, and public safety.
Other Vendor Security Updates, June 2026
Canadian IT teams should also process patches from several other vendors this month. Cisco fixed a critical Unified CM flaw with an available proof-of-concept exploit and patched an SD-WAN zero-day confirmed as exploited in active attacks. Check Point addressed a Remote Access VPN flaw linked to the Qilin ransomware gang. Veeam patched a critical RCE vulnerability in Backup and Replication affecting domain-joined servers, a high-value target in ransomware campaigns. Google fixed an Android zero-day in its June security bulletin and patched a fifth Chrome zero-day exploited in the wild this calendar year. SAP released fixes for four critical flaws, and Ubiquiti patched three maximum-severity vulnerabilities in UniFi OS that could allow unauthenticated root access.
Key Takeaways
- Microsoft’s June 2026 Patch Tuesday patches 200 vulnerabilities, including 33 rated Critical, making it one of the largest releases of the year.
- Six zero-days are included: five publicly disclosed and one, CVE-2026-42897 (Exchange Server), confirmed as actively exploited in the wild.
- Three zero-days (GreenPlasma, YellowKey, Mini-Plasma) were publicly disclosed by the researcher Nightmare Eclipse as part of a series of protest disclosures against Microsoft’s bug bounty program.
- Two separate BitLocker bypasses (YellowKey and bitskrieg) directly threaten Canadian organizations with laptop fleets or physical access risk, especially in healthcare, government, and public safety.
- PIPEDA and provincial privacy laws make prompt patching of the actively exploited Exchange flaw a compliance obligation, not just a best practice.
- The June 2026 cycle includes critical patches from Cisco, Veeam, Check Point, Google, and SAP, all of which should be applied alongside the Microsoft updates.
- The CCCS recommends patch management as a top-tier defensive control; critical and actively exploited flaws should be addressed within 24 to 72 hours.
What You Should Do Now
- Deploy Microsoft’s June 2026 Patch Tuesday updates immediately across all Windows environments, prioritizing Exchange Server, Hyper-V hosts, and Active Directory domain controllers.
- Confirm the Exchange Emergency Mitigation Service is active on all on-premises Exchange Server deployments to receive interim protections for the actively exploited CVE-2026-42897.
- Audit BitLocker configurations across your device fleet. Move from TPM-only protection to TPM+PIN authentication on all laptops and portable devices to reduce exposure to YellowKey and bitskrieg-style physical access attacks.
- Apply the MaxHeadersCount registry setting from KB5102602 on any Windows Server instances running IIS or exposed HTTP/2 services to mitigate the HTTP/2 Bomb denial-of-service risk.
- Patch Cisco (Unified CM and SD-WAN), Veeam Backup and Replication, and Check Point VPN alongside your Microsoft updates, as all carry critical or actively exploited vulnerabilities this month.
- Maintain timestamped records of all patch deployments. Under PIPEDA and sector-specific compliance frameworks, documented evidence of timely patching is a key element of breach prevention posture.
- If anomalous activity is detected on Exchange, RDP endpoints, or Office environments following these disclosures, escalate to your security operations team immediately and consider contacting the Canadian Centre for Cyber Security at cyber.gc.ca for incident support.