Microsoft has released security updates addressing a record 206 vulnerabilities across its software ecosystem, including three publicly disclosed zero day flaws and multiple critical remote code execution vulnerabilities affecting Windows systems. Of the total flaws patched during the June 2026 security release cycle, 39 have been classified as Critical while 167 were marked Important in severity. According to Microsoft, the vulnerabilities span a broad range of security risks, including 63 privilege escalation issues, 56 remote code execution flaws, 30 information disclosure vulnerabilities, 27 spoofing issues, 20 security feature bypass weaknesses, seven denial of service flaws, and three tampering vulnerabilities. The release also includes fixes for two non Microsoft Common Vulnerabilities and Exposures entries affecting Windows Kernel privilege escalation and UEFI Secure Boot bypass mechanisms, while more than 350 security issues were separately addressed in Chromium, the browser engine used by Microsoft Edge.
Among the most severe flaws patched this month is CVE 2026 45657, a Windows Kernel use after free vulnerability carrying a CVSS severity score of 9.8 that could allow remote code execution through specially crafted network traffic. Microsoft explained that attackers may exploit the flaw by targeting how Windows systems process specific TCP or IP data, potentially enabling system level code execution without requiring login credentials or direct user interaction. Other major vulnerabilities highlighted in the release include CVE 2026 47291, an integer overflow issue in Windows HTTP.sys, and CVE 2026 44815, a stack based buffer overflow vulnerability affecting Windows DHCP Client. Security experts noted that CVE 2026 44815 presents significant risk because DHCP remains a core networking function and exploitation could potentially lead to malware deployment, server compromise, service disruption, unauthorized system access, and broader network infiltration. Because exploitation requires no credentials or user activity, systems relying on DHCP services are being treated as high priority targets for patching.
Microsoft also issued updates for several BitLocker security feature bypass vulnerabilities, including CVE 2026 45585, which gained public attention following the release of a proof of concept exploit known as YellowKey by security researcher Chaotic Eclipse, also known as Nightmare Eclipse. Additional bypass vulnerabilities addressed include CVE 2026 45655, CVE 2026 45658, and CVE 2026 50507, all of which could allow attackers with physical access to bypass device encryption protections and gain unauthorized access to encrypted data. Security researcher Will Dormann indicated that CVE 2026 50507 may address a BitLocker bypass method called bitskrieg, while Microsoft confirmed that CVE 2026 50507, CVE 2026 49160, and CVE 2026 45586 were publicly disclosed zero day vulnerabilities at the time of patch release. Microsoft also introduced mitigation steps for CVE 2026 49160, a denial of service issue linked to an HTTP2 based attack technique known as HTTP2 Bomb that can exhaust server memory within seconds. To reduce risk, the company added a new registry setting called MaxHeadersCount to restrict HTTP header processing for HTTP2 and HTTP3 traffic.
The June 2026 updates further addressed vulnerabilities associated with GreenPlasma and MiniPlasma, exploits publicly linked to researcher Chaotic Eclipse. CVE 2026 45586 is believed to patch GreenPlasma, a privilege escalation weakness affecting Windows Collaborative Translation Framework or CTFMON, while MiniPlasma was identified as an incomplete fix for an older vulnerability originally addressed in 2020. Microsoft recommended immediate installation of the latest updates to fully secure affected systems. Cybersecurity researchers also pointed to artificial intelligence assisted vulnerability discovery as a major factor behind the rising number of disclosed flaws. Experts from Tenable and TrendAI’s Zero Day Initiative stated that increasingly advanced AI models are accelerating security flaw discovery at a pace that continues to push patch volumes higher. The update cycle also arrives as Chaotic Eclipse released proof of concept details for another Microsoft Defender zero day called RoguePlanet, described as a race condition vulnerability capable of launching a Windows command prompt with SYSTEM level privileges.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
