June 2026 Microsoft Update Summary

I wouldn’t normally go to the trouble of documenting and summarising a patch release, because so many others cover it, and, personally, when Microsoft release an update, it’s pretty much self-documenting and self-explanatory.

That said, my recent YellowKey Mitigation remediation script has been getting some attention. That script is now redundant, as YellowKey has been patched this week, in what is, by any measure, the largest Patch Tuesday release in the programme’s history, surpassing the previous record set only in October 2025. Strap yourselves in, this one could be fun.

Microsoft patched 200 CVEs in this month’s release (give or take). Of those:

  • 33 are rated Critical
  • 166 are rated Important
  • 28 of the Critical-rated bugs are remote code execution vulnerabilities

The zero-days

This is where things get interesting, and where you need to pay attention regardless of your usual patching cadence.

Microsoft fixed six zero-day vulnerabilities this month, five publicly disclosed and one actively exploited in attacks. Here is a rundown of each.

CVE-2026-45586 – Windows CTFMON Elevation of Privilege (GreenPlasma)

This is a fix for the vulnerability publicly known as GreenPlasma, disclosed by security researcher Nightmare Eclipse. The issue lives in the Windows Collaborative Translation Framework (CTFMON), the process that supports voice and handwriting recognition.

The flaw stems from improper link resolution before file access (a “link following” issue), and successful exploitation gives an attacker a shell with SYSTEM privileges on a local machine. It carries a CVSSv3 score of 7.8, rated Important, and Microsoft has assessed it as “Exploitation More Likely.”

Nightmare Eclipse has been prolific recently, having also disclosed BlueHammer, RedSun, UnDefend, MiniPlasma, and YellowKey (also fixed today), largely in response to frustrations with Microsoft’s bug bounty and vulnerability disclosure programme. More on that below.

CVE-2026-45585 – Windows BitLocker Security Feature Bypass (YellowKey)

YellowKey is a BitLocker bypass disclosed by Nightmare Eclipse and patched today. The attack involves placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggers a command shell with unrestricted access to BitLocker-protected drives.

The flaw primarily affects systems using TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025. If your organisation relies on TPM-only rather than TPM+PIN, this one deserves a look at your risk posture.

Microsoft shared temporary mitigations back in May, including switching to TPM+PIN authentication, but the full fix is part of today’s update.

CVE-2026-50507 – Windows BitLocker Security Feature Bypass (Bitskrieg)

A second BitLocker bypass in the same month. This one, believed to address the Bitskrieg vulnerability disclosed by Windows security researcher Jonas Lykkegaard last Friday, also allows a local attacker with physical access to get around BitLocker device encryption.

There is a practical catch here worth being aware of. Vulnerability analyst Will Dormann has flagged that the fix for CVE-2026-50507 may cause some Windows devices to display the following error:

“A required file couldn’t be accessed because your BitLocker key wasn’t loaded correctly.”

If you or your users see this post-update, the fix is straightforward. Run these commands from an elevated CMD prompt:

reagentc /disable
reagentc /enable

Worth documenting and sharing with your service desk ahead of rollout, just in case.

CVE-2026-49160 – HTTP.sys Denial of Service (HTTP/2 Bomb)

This one patches a technique dubbed the “HTTP/2 Bomb”, researched and disclosed by Quang Luong and Codex of Calif.io. The attack abuses how the HTTP/2 protocol handles header compression, allowing an attacker to send very small amounts of data that force servers to allocate disproportionately large amounts of memory. Manipulating flow-control settings can also keep that memory tied up, potentially causing performance degradation or outages.

Microsoft has introduced a new MaxHeadersCount registry setting to limit the number of HTTP/2 and HTTP/3 request headers accepted by the HTTP server, along with supporting guidance in KB5102602. It is rated Important.

CVE-2020-17103 / MiniPlasma – Windows Cloud Files Mini Filter Driver Elevation of Privilege

An interesting one. This is technically a re-fix (or a first proper fix) for a vulnerability originally assigned the identifier CVE-2020-17103, a flaw in the Windows Cloud Files Mini Filter Driver first reported to Microsoft by Google Project Zero researcher James Forshaw back in September 2020.

At the time it was reportedly patched in December 2020. However, Nightmare Eclipse demonstrated that the flaw remained exploitable: either the original patch was incomplete, or it was silently reintroduced. Microsoft’s guidance is explicit: to fully address MiniPlasma, install the June 2026 updates. Standard EoP giving SYSTEM access, same pattern as the others.

CVE-2026-42897 – Microsoft Exchange Server Spoofing (Actively Exploited)

This is the one being actively exploited in the wild, and it is a little different from the others.

The flaw is a spoofing vulnerability in Microsoft Exchange Server that allows an attacker to send a specially crafted email. If the recipient opens it in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can execute in the browser context.

Microsoft is still working on a full update for this one, but mitigations are being pushed through the Exchange Emergency Mitigation Service (EEMS), which should be enabled by default on on-premises Exchange deployments. Make sure it is. If you are Exchange Online only, you are not directly affected, but it is worth confirming your posture.


Other areas worth your attention

Beyond the zero-days, a few other clusters in this release are worth scanning.

Remote Desktop Client received 11 CVEs this month, including several Critical-rated RCE vulnerabilities. If RDP is in play in your environment (and it almost certainly is, in some form), this should feature in your priority list.

Windows Hyper-V has three Critical RCE vulnerabilities capable of VM guest escape, allowing code execution on the host. If you run Hyper-V in production, these need to be addressed promptly.

Microsoft Office has a significant number of patches this cycle, including Critical-rated RCEs across Outlook, Word, and general Office components. File-based attack vectors remain a reliable route for threat actors, and this month’s Office fixes reflect that.

Active Directory Domain Services has a Critical RCE, as does Windows Kerberos KDC, Windows Deployment Services, DHCP Client, and Windows Media. This is not a month to deprioritise server patching.


A note on Nightmare Eclipse and the zero-day disclosures

It is worth pausing on the pattern here. Several of this month’s zero-days – GreenPlasma, YellowKey and MiniPlasma – trace back to the same researcher, Nightmare Eclipse, who has publicly stated these disclosures are a form of protest against Microsoft’s handling of its bug bounty programme and vulnerability disclosure processes.

Whether you agree with the approach or not, the practical consequence is that proof-of-concept exploit code for these vulnerabilities has been in the public domain for some time before Microsoft shipped a fix. That changes the risk calculus. These are not theoretical issues – they are documented, demonstrable, and in some cases have had working exploits circulating publicly.

For environments with strict patching SLAs, that context matters when prioritising this cycle.


What to do

From a Device Management perspective:

  • Prioritise deployment of this month’s cumulative updates across Windows 11 and Windows Server endpoints. The KBs to look for are KB5094126 and KB5093998 for Windows 11, and KB5094127 for Windows 10 ESU.
  • Check your BitLocker configuration. If you are using TPM-only protection, the YellowKey patch is directly relevant, and this might be a good trigger to review whether TPM+PIN should be in scope.
  • Prepare your service desk for the Bitskrieg fix side effect. The reagentc workaround is simple but needs to be documented and accessible.
  • Validate Exchange EEMS is active if you have on-premises Exchange, given the actively exploited spoofing vulnerability.
  • Test before broad deployment where possible – 200 CVEs in a single release is the kind of thing that can introduce unexpected interactions. Pilot rings and staged rollouts are your friends this month.
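As an added example (not code from the original post), here is a PowerShell readiness check covering the items above plus the HTTP/2 Bomb setting: it lists TPM-only BitLocker volumes, reports which of the named KBs are installed, records WinRE state and wraps the reagentc workaround for the service desk. The KB and CVE numbers are the ones in the post; the registry location assumed for MaxHeadersCount needs confirming against KB5102602.

```powershell
# Added example, not from the original post: a pre-rollout readiness check
# for this cycle, run from an elevated PowerShell session on each endpoint.
$ExpectedKBs = @('KB5094126', 'KB5093998', 'KB5094127')   # KBs named in the post

function Get-TpmOnlyBitLockerVolumes {
    # YellowKey (CVE-2026-45585) primarily affects TPM-only protection:
    # a Tpm protector with no TpmPin/TpmStartupKey/TpmPinStartupKey protector.
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        ($types -contains 'Tpm') -and -not ($types -match '^Tpm.')
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

function Get-InstalledSummaryKBs {
    # Which of this month's cumulative updates are already present.
    $installed = @((Get-HotFix).HotFixID)
    foreach ($kb in $ExpectedKBs) {
        [pscustomobject]@{ KB = $kb; Installed = ($installed -contains $kb) }
    }
}

function Test-WinReEnabled {
    # Records WinRE state; the Bitskrieg fix (CVE-2026-50507) side effect
    # is worked around by re-registering WinRE, so capture a baseline first.
    $info = & reagentc.exe /info 2>&1
    [bool]($info -match 'Windows RE status:\s+Enabled')
}

function Repair-WinReAfterUpdate {
    # The reagentc workaround from the post, wrapped for the service desk.
    & reagentc.exe /disable | Out-Null
    & reagentc.exe /enable  | Out-Null
    Test-WinReEnabled
}

function Get-HttpSysMaxHeadersCount {
    # HTTP/2 Bomb (CVE-2026-49160): KB5102602 introduces MaxHeadersCount.
    # ASSUMPTION: it sits under the HTTP.sys Parameters key alongside the
    # other HTTP.sys limits; confirm the location and value in KB5102602.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    (Get-ItemProperty -Path $key -Name MaxHeadersCount -ErrorAction SilentlyContinue).MaxHeadersCount
}

$tpmOnly = Get-TpmOnlyBitLockerVolumes
if ($tpmOnly) { Write-Warning 'TPM-only BitLocker volumes found (YellowKey exposure):'; $tpmOnly | Format-Table }
Get-InstalledSummaryKBs | Format-Table
"WinRE enabled: $(Test-WinReEnabled)"
"HTTP.sys MaxHeadersCount: $(Get-HttpSysMaxHeadersCount)"
```

Run it in the pilot ring before and after the update; an empty MaxHeadersCount means the setting is absent or lives elsewhere, not that the host is protected.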

If you use Windows Autopatch or Intune Update Rings, you will want to keep a close eye on your deployment reporting and be ready to act on any early signals from your pilot population before pushing wider.


Useful links
