# June 2026 Patch Tuesday: Microsoft Addresses 200 Vulnerabilities, Including Three Publicly Disclosed Zero-Days
Redmond has released its **June 2026 Patch Tuesday** updates, addressing a staggering 200 security flaws across its product portfolio. This comprehensive update includes patches for 33 critical vulnerabilities, 28 of which enable remote code execution, alongside fixes for three publicly disclosed zero-day vulnerabilities. While none of the zero-days are currently known to be actively exploited, the patches are crucial for maintaining system integrity.
**Microsoft** has rolled out its **June 2026 Patch Tuesday** updates, a critical release addressing a total of 200 security vulnerabilities. Among these are 33 classified as "Critical," including 28 remote code execution (RCE) flaws, four elevation of privilege (EoP) vulnerabilities, and one information disclosure flaw. This month's update also specifically tackles three publicly disclosed zero-day vulnerabilities, none of which are currently known to have been exploited in active attacks.
It's important to note that this count covers only vulnerabilities patched by **Microsoft** today. It excludes fixes for **Mariner**, **Azure HorizonDB**, **Microsoft Copilot**, **Copilot Chat**, **M365 Copilot**, **Microsoft Exchange Online**, and **Microsoft Graph** that were addressed earlier in the month. Additionally, the 360 **Microsoft Edge**/**Chromium** flaws patched by **Google** this month are excluded from this roundup.
## The Zero-Day Landscape
This **Patch Tuesday** highlights three publicly disclosed zero-day vulnerabilities, underscoring the ongoing challenges in software security. **Microsoft** defines a zero-day as a flaw that is publicly disclosed or actively exploited before an official fix is available.
### Windows CTFMON: A Path to SYSTEM Privileges
One significant zero-day patched is a **Windows CTFMON** vulnerability that could grant SYSTEM privileges to a local attacker. Described by **Microsoft** as "Improper link resolution before file access ('link following') in **Windows Collaborative Translation Framework**," this flaw allows an authorized attacker to elevate privileges locally. The vulnerability was credited to an anonymous researcher, with no further details on its disclosure provided.
### HTTP/2 Bomb: A New DoS Threat
Another critical fix addresses a publicly disclosed **HTTP/2** denial of service (DoS) flaw, dubbed the '**HTTP/2 Bomb**'. This vulnerability, revealed by researchers at offensive security firm **Calif** (specifically Quang Luong and Codex), leverages uncontrolled resource consumption in **HTTP/2** to allow an unauthorized attacker to deny service over a network.
The **HTTP/2 Bomb** attack exploits how the **HTTP/2** protocol compresses and manages web traffic headers. Attackers can send minimal data to force servers to allocate disproportionately large amounts of memory, potentially leading to performance issues or complete outages. To mitigate this, **Microsoft** has introduced a new `MaxHeadersCount` registry setting, which limits the number of headers in an **HTTP/2** or **HTTP/3** request, along with a support bulletin (KB5102602) detailing its implementation.
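For administrators who want to verify that the `MaxHeadersCount` mitigation is in place on Windows hosts running HTTP.sys (IIS, WinRM, and other HTTP.sys listeners), the following PowerShell audit is an added example and not code from the article or from Microsoft. It assumes the value lives under the standard HTTP.sys parameters key; the exact key, value semantics and recommended limit are the ones documented in KB5102602, and the `100` used here is a placeholder ceiling to be replaced by that bulletin's guidance.

```powershell
# Added example (not from the article or Microsoft): audit and set the HTTP.sys
# MaxHeadersCount limit introduced for the HTTP/2 Bomb DoS flaw.
# ASSUMPTION: the value sits under the usual HTTP.sys parameters key; confirm the
# key, value name and safe limit against KB5102602 before deploying.
$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName     = 'MaxHeadersCount'
$DesiredLimit  = 100   # placeholder ceiling; take the recommended value from KB5102602

function Get-MaxHeadersCountState {
    [CmdletBinding()]
    param()
    # Missing value means the host still has no header-count ceiling configured.
    $item = Get-ItemProperty -Path $HttpParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Status = 'Missing: header-count limit not set' }
    }
    $current = [int]$item.$ValueName
    $status = if ($current -le $DesiredLimit) { 'OK' } else { 'Weak: limit is above the desired ceiling' }
    [pscustomobject]@{ Configured = $true; Value = $current; Status = $status }
}

function Set-MaxHeadersCount {
    param([int]$Limit = $DesiredLimit)
    if (-not (Test-Path $HttpParamsKey)) { New-Item -Path $HttpParamsKey -Force | Out-Null }
    New-ItemProperty -Path $HttpParamsKey -Name $ValueName -PropertyType DWord -Value $Limit -Force | Out-Null
    # HTTP.sys reads its parameters at service start, so the change applies only after
    # the HTTP service (and dependents such as IIS) restart; schedule that in a maintenance window.
    Write-Output "Set $ValueName=$Limit under $HttpParamsKey; restart the HTTP service for it to take effect."
}

# Report the current state; call Set-MaxHeadersCount from an elevated session to remediate.
Get-MaxHeadersCountState | Format-List
```

Run the audit across a fleet before enforcing the value: a limit that is too low will reject legitimate requests from clients that send many cookies or custom headers, so test the chosen ceiling against real traffic first.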
### BitLocker Bypass: The YellowKey Vulnerability
The third zero-day addresses a **Windows BitLocker** bypass flaw, allowing local attackers to gain unauthorized access to encrypted drives. While **Microsoft** attributed this fix to an anonymous researcher, it has been identified as the **YellowKey** vulnerability, publicly disclosed last month by cybersecurity researcher **Nightmare Eclipse**.
The **YellowKey** vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the **Windows Recovery Environment (WinRE)**. Holding down the CTRL key during this process could trigger a command shell with unrestricted access to **BitLocker**-protected drives. This flaw primarily impacts systems using **TPM-only BitLocker** protection on **Windows 11** and **Windows Server 2022/2025** devices. **Microsoft** had previously offered temporary mitigations, advising users to enable **TPM+PIN** authentication instead of relying solely on TPM protection.
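Because the flaw primarily affects TPM-only configurations, a practical first step is to find which volumes still rely on a bare TPM protector so that TPM+PIN can be rolled out to them. The script below is an added example, not code from the article, Microsoft, or the researcher; it uses the built-in BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) and must run from an elevated session.

```powershell
# Added example (not from the article, Microsoft, or Nightmare Eclipse): flag
# BitLocker volumes protected by a TPM-only key protector, the configuration the
# article says YellowKey primarily impacts, so TPM+PIN can be enabled on them.
# Requires the BitLocker PowerShell module and an elevated session.
function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey'))
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = $tpmOnly
        }
    }
}

# Report first, then remediate the flagged volumes. The Group Policy setting
# "Require additional authentication at startup" must permit a TPM+PIN protector,
# otherwise Add-BitLockerKeyProtector will refuse to add it.
$findings = Get-TpmOnlyBitLockerVolumes
$findings | Format-Table -AutoSize
$findings | Where-Object TpmOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) uses TPM-only protection; enable TPM+PIN with:"
    Write-Output "  Add-BitLockerKeyProtector -MountPoint '$($_.MountPoint)' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'Startup PIN')"
}
```

Keep the recovery password for each volume escrowed (for example in Active Directory or Entra ID) before changing protectors, since a forgotten PIN otherwise locks the user out of the drive.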
**Nightmare Eclipse** is known for publicly disclosing a series of **Windows** zero-day vulnerabilities, including **BlueHammer**, **MiniPlasma**, **RedSun**, and **UnDefend**. These disclosures are reportedly in protest of **Microsoft**'s handling of its bug bounty and vulnerability disclosure programs.
## Beyond the Zero-Days: Critical Vulnerabilities
Beyond the high-profile zero-days, this **Patch Tuesday** includes fixes for numerous other critical vulnerabilities. The 28 remote code execution flaws are particularly concerning, as they could allow attackers to execute arbitrary code on affected systems remotely, often without user interaction. Security professionals are urged to prioritize these updates to prevent potential network compromise.
## Call to Action
Given the breadth and severity of the vulnerabilities addressed, IT security professionals and privacy-conscious users are strongly advised to apply these **June 2026 Patch Tuesday** updates immediately. Timely patching remains the most effective defense against exploitation by threat actors.