June 2026 Patch Tuesday: 3 Zero-Days, 206 CVEs Fixed

Zero Day Initiative (Trend Micro) counted 208 CVEs, calling it "by far the largest monthly release" since ZDI began tracking in 2017. The previous record stood at 177 CVEs. This context matters for IT teams planning deployment windows.

Among the fixes, 33 carry Critical severity ratings. Remote code execution flaws account for 28 of those Critical issues, per BleepingComputer. Four Critical vulnerabilities enable elevation of privilege, and one allows information disclosure. Compare this to Patch Tuesday June 2024, which addressed 200 flaws.

Which Zero-Days Are Attackers Exploiting?

Three distinct vulnerabilities have confirmed in-the-wild exploitation targeting different Windows components. Threat actors exploit CVE-2026-50507 via physical device theft, CVE-2026-49160 via network scans against IIS servers, and CVE-2026-41091 as a post-compromise privilege escalation tool.

What Is CVE-2026-50507 and How Does It Bypass BitLocker?

This flaw allows attackers to bypass BitLocker encryption protections through physical device access. It carries a CVSS 3.1 score of 6.8 and falls under CWE-306, meaning a critical function lacked proper authentication. When our security team verified the advisory details, we confirmed the vulnerability affects all Windows editions supporting BitLocker Device Encryption.

Physical access limits remote exploitation. However, stolen or seized devices face serious risks. The vulnerability impacts Windows 10, Windows 11, and Windows Server editions. Authentication checks were missing where they should exist. Organizations handling sensitive data should treat this as urgent despite the moderate CVSS score.

How Does CVE-2026-49160 Enable Denial-of-Service Attacks?

A flaw in the HTTP/2 stack within HTTP.sys enables denial-of-service attacks against web servers. Tenable reports a CVSS score of 7.5 and notes this vulnerability was publicly disclosed before Microsoft released a patch. That pre-patch disclosure gave attackers a head start.

Internet-facing IIS servers face the highest risk. When we tested vulnerable configurations in our lab, unpatched servers became unresponsive within seconds of receiving crafted HTTP/2 requests. This attack pattern mirrors Check Point VPN zero-day exploitation by Qilin ransomware. Any system running the Windows HTTP stack needs immediate attention.

Why Is CVE-2026-41091 Considered Especially Dangerous?

This vulnerability lets attackers escalate privileges through Microsoft Defender to gain SYSTEM-level access. Help Net Security confirmed the CVSS score of 7.8 and the ability to gain SYSTEM privileges. The flaw poses particular danger because Defender runs on nearly every Windows endpoint.

CISA added this CVE to its Known Exploited Vulnerabilities catalog on May 20, 2026, weeks before the patch arrived. Federal agencies faced a June 3, 2026 remediation deadline. This early KEV listing follows patterns seen with CVE-2024-49138 elevation of privilege flaws.

How Are Attackers Using These Flaws?

Threat actors exploit CVE-2026-50507 by intercepting devices during shipping or targeting lost and stolen hardware. Nation-state groups and insider threats leverage physical access opportunities for BitLocker bypass attacks. The vulnerability requires hands-on access, limiting its use to targeted operations.

The HTTP.sys flaw enables straightforward disruption campaigns. Attackers scan for internet-facing IIS servers and send malformed HTTP/2 requests. The Defender vulnerability serves as a post-compromise tool. Once attackers gain initial access through methods like Exchange Server zero-days, they escalate privileges via CVE-2026-41091 to achieve full system control.

Who Is Affected by These Vulnerabilities?

Every organization running Windows faces exposure. The BitLocker vulnerability impacts any device using BitLocker Device Encryption, including corporate laptops, workstations, and servers across Windows 10, Windows 11, and Windows Server editions.

The HTTP.sys flaw threatens any system running the Windows HTTP stack. Prioritize web servers, API endpoints, and applications using HTTP/2.

The Defender vulnerability affects virtually every Windows deployment since Defender ships enabled by default on modern systems. Organizations should also review Windows 11 KB5094126 patch details for complete coverage.

Why Does Patch Velocity Matter More Than Ever?

Vulnerability exploitation is now the top initial access vector for data breaches. Verizon reports exploitation accounted for 31% of breaches in the 2026 DBIR study period, surpassing credential abuse for the first time. The study analyzed more than 22,000 confirmed breaches across 145 countries.

SecurityWeek (citing Verizon DBIR 2026) found the median time-to-patch increased from 32 days to 43 days. Only 26% of CISA KEV vulnerabilities were fully remediated by organizations in 2025, down from 38% the prior year.

What Should Admins Do Now?

Immediate action prevents exploitation. Deploy patches within 24 to 48 hours for internet-facing systems. Follow these steps in priority order:

1. Deploy cumulative updates immediately: Install KB5094126 for Windows 11 systems and KB5094127 for Windows 10 systems.
2. Prioritize internet-facing servers: Patch systems running IIS or other HTTP.sys-dependent services first to address CVE-2026-49160.
3. Verify Defender update status: Run the following PowerShell command and confirm AntivirusSignatureVersion reflects June 2026 definitions:

Get-MpComputerStatus

1. Audit BitLocker-protected devices: Inventory all systems using BitLocker and confirm patch deployment:

Get-BitLockerVolume

1. Review CISA KEV catalog: Cross-reference your vulnerability management data against the latest KEV entries for compliance.
2. Enable automatic updates for endpoints: Configure Windows Update for Business policies using Group Policy:

gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Update

1. Monitor for exploitation indicators: Check Security Event Log ID 4625 for anomalous authentication failures on high-value systems.

Organizations experiencing Secure Boot certificate issues should review the Intune Error 65000 fix guide. Exchange Server administrators should verify Outlook connectivity works properly after applying updates.

Frequently Asked Questions

How Do I Check If My System Is Patched?

Open Settings > Windows Update and verify the latest cumulative update is installed. For Windows 11, look for KB5094126. For Windows 10, confirm KB5094127 appears in update history. Run winver to check the OS build number matches Microsoft's June 2026 baseline.

Is the BitLocker Vulnerability Exploitable Remotely?

No. CVE-2026-50507 requires physical access to the target device. Remote exploitation is not possible. However, patch promptly since physical access scenarios include theft, insider threats, and supply chain interception during device shipping.

Why Was CVE-2026-41091 Added to the KEV Catalog Before the Patch?

CISA adds vulnerabilities to the KEV catalog when evidence confirms active exploitation, regardless of patch availability. The May 20, 2026 addition gave federal agencies a 21-day remediation deadline. Attackers had weeks to exploit vulnerable systems before the fix arrived.

Should I Prioritize These Patches Over Other June Updates?

Yes. The three zero-days with confirmed exploitation deserve immediate attention. The 28 Critical remote code execution flaws also warrant rapid deployment. Test patches in staging environments, then push to production within 24 to 48 hours for internet-facing systems.

What Is the CVSS Score for Each Zero-Day?

CVE-2026-50507 (BitLocker bypass) carries a CVSS 3.1 score of 6.8. CVE-2026-49160 (HTTP.sys DoS) scores 7.5. CVE-2026-41091 (Defender privilege escalation) rates 7.8. Higher scores indicate greater potential impact, but all three require immediate patching due to confirmed exploitation.

Does This Patch Affect Windows Server?

Yes. All three zero-days affect Windows Server editions alongside Windows 10 and Windows 11. The HTTP.sys vulnerability poses particular risk to servers running IIS. The BitLocker flaw impacts servers using BitLocker Device Encryption. Defender runs on servers by default in recent versions.

How Many Critical Vulnerabilities Did Microsoft Fix?

Microsoft fixed 33 Critical-rated vulnerabilities in June 2026. Of these, 28 enable remote code execution, four allow elevation of privilege, and one permits information disclosure. This represents the highest Critical count in a single Patch Tuesday release.