
HiveForce Labs · Threat Advisory · Vulnerability Report
Microsoft's June 2026 Patch Tuesday addresses 206 vulnerabilities (204 Microsoft + 2 non-Microsoft) including 39 critical and 167 important severity issues. Fifteen CVEs are at risk of active exploitation. The headline flaw is CVE-2026-47291 — an unauthenticated HTTP.sys remote code execution bug with CVSS 9.8 triggerable by a single crafted packet. Three publicly disclosed zero-days are included: an HTTP/2 denial-of-service, a CTFMON privilege escalation matching the public "GreenPlasma" exploit, and a BitLocker bypass matching "YellowKey."
Section 01
Microsoft's June 2026 Patch Tuesday is one of the largest releases of the year, addressing 204 Microsoft vulnerabilities and 2 non-Microsoft CVEs across Windows, Office, SharePoint, Exchange, Azure, Visual Studio Code, and .NET. The 206 total include 39 critical and 167 important severity issues spanning 65 Elevation of Privilege, 55 Remote Code Execution, 30 Information Disclosure, 27 Spoofing, 19 Security Feature Bypass, 7 Denial of Service, and 3 Tampering categories. Notably, 15 CVEs are considered at risk of active exploitation, and functional proof-of-concept code is already publicly available for several issues, underscoring the urgency of immediate patch deployment.
Section 02
CVE-2026-47291 — HTTP.sys RCE (CVSS 9.8, Most Dangerous)
The most dangerous flaw in this release is an integer overflow in the Windows HTTP Protocol Stack (HTTP.sys). An unauthenticated attacker can trigger remote code execution with a single crafted packet, putting every internet-facing service built on HTTP.sys at risk — including IIS. No authentication, no user interaction required. Rated "more likely" to be exploited; treat as emergency-priority for all internet-facing servers.
CVE-2026-49160 — HTTP/2 Bomb DoS (Publicly Disclosed Zero-Day)
The first of three publicly disclosed zero-days, CVE-2026-49160 maps to the "HTTP/2 Bomb" technique: a trivial amount of data forces a server to reserve enormous memory blocks via flow-control manipulation. Testing reportedly drained 64 GB of RAM from an IIS server in ~45 seconds. Microsoft's fix adds a MaxHeadersCount registry setting to cap HTTP/2 and HTTP/3 request headers as an interim mitigation where immediate patching is not possible.
CVE-2026-44803 & CVE-2026-44812 — Win32K GRFX RCE (Critical, "More Likely")
Both flaws stem from an integer overflow in the Windows Win32K GRFX subsystem (graphics). Microsoft rates both "more likely" to be exploited. CVE-2026-42985 completes the graphics/RDP RCE cluster — a network-exploitable heap-based buffer overflow (CWE-122) in the Windows Remote Desktop Client, allowing a malicious RDP server to run code on any victim who connects.
CVE-2026-45586 — CTFMON EoP "GreenPlasma" (Publicly Disclosed Zero-Day)
The second publicly disclosed zero-day escalates privileges in the Windows Collaborative Translation Framework (CTFMON) via link following. It matches the public "GreenPlasma" exploit, which can spawn a SYSTEM shell from a standard user account. Four additional EoP flaws rated "more likely" give attackers with any foothold a clean path to SYSTEM: CVE-2026-42980 (NT OS Kernel), CVE-2026-42986 (Graphics), CVE-2026-42989 (Winlogon), and CVE-2026-42905 (DWM Core Library).
CVE-2026-50507 — BitLocker Bypass "YellowKey" (Publicly Disclosed Zero-Day, CVSS 6.8)
The third publicly disclosed zero-day is a protection-mechanism failure allowing an attacker with physical access to defeat BitLocker using the "YellowKey" exploit — crafted files on USB/EFI media plus the Recovery Environment to open a shell over encrypted drives. Primarily affects TPM-only setups on Windows 11 and Server 2022/2025; TPM+PIN was Microsoft's earlier interim mitigation. CVE-2026-45658 is a second BitLocker bypass in the same release.
SharePoint, NTLM & Exchange Spoofing Cluster
Three spoofing flaws carry elevated risk: CVE-2026-45481 and CVE-2026-47634 in SharePoint Server (both "more likely"), and CVE-2026-50508 in Windows NTLM. These typically enable content forgery, credential relay, or social-engineering attacks. Exchange Server carries additional spoofing, information disclosure, EoP, and one RCE (CVE-2026-45583). As of the release date, none of the three publicly disclosed zero-days are known to be actively exploited.
| CVE ID | Name | Affected Product | Zero-Day | Impact | Patch |
|---|---|---|---|---|---|
| CVE-2026-47291 | HTTP.sys Remote Code Execution (CVSS 9.8 — integer overflow, unauthenticated) | Windows HTTP.sys; Server 2012–2025; Win 10/11 | – | RCE | ✓ |
| CVE-2026-49160 | HTTP.sys DoS — "HTTP/2 Bomb" (publicly disclosed) | Windows 11 23H2, 10 22H2; Server 2016–2025 | ✓ | DoS | ✓ |
| CVE-2026-45586 | CTFMON Elevation of Privilege — "GreenPlasma" (publicly disclosed) | Windows Server 2012–2025; Win 10/11 | ✓ | EoP → SYSTEM | ✓ |
| CVE-2026-50507 | BitLocker Security Feature Bypass — "YellowKey" (publicly disclosed, CVSS 6.8) | Windows Server 2012–2025; Win 10/11 | ✓ | SFB | ✓ |
| CVE-2026-45658 | BitLocker Security Feature Bypass | Windows Server 2012–2025; Win 10/11 | – | SFB | ✓ |
| CVE-2026-42985 | Remote Desktop Client RCE (heap-based buffer overflow, CWE-122) | Windows Server 2012–2022; Win 10/11; Windows App | – | RCE | ✓ |
| CVE-2026-44803 | Windows Graphics Component RCE — Win32K GRFX integer overflow ("more likely") | Windows 10/11; Server 2012–2025; Word/PPT Android | – | RCE | ✓ |
| CVE-2026-44812 | Windows Graphics Component RCE — Win32K GRFX integer overflow ("more likely") | Windows 10/11; Server 2012–2025; PPT/Excel Android | – | RCE | ✓ |
| CVE-2026-42980 | NT OS Kernel Elevation of Privilege ("more likely") | Windows Server 2025; Win 10 1607; Win 11 24H2 | – | EoP → SYSTEM | ✓ |
| CVE-2026-42986 | Microsoft Graphics Component Elevation of Privilege ("more likely") | Windows Server 2012–2025; Win 10/11 | – | EoP | ✓ |
| CVE-2026-42989 | Winlogon Elevation of Privilege ("more likely") | Windows Server 2012–2025; Win 10/11 | – | EoP | ✓ |
| CVE-2026-42905 | Windows DWM Core Library Elevation of Privilege | Windows 10 21H2/22H2; Win 11; Server 2012–2025 | – | EoP | ✓ |
| CVE-2026-45481 | Microsoft SharePoint Server Spoofing ("more likely") | SharePoint Subscription Ed.; 2019; Enterprise 2016 | – | Spoofing | ✓ |
| CVE-2026-47634 | Microsoft SharePoint Server Spoofing ("more likely") | SharePoint Subscription Ed.; 2019 | – | Spoofing | ✓ |
| CVE-2026-50508 | Windows NTLM Spoofing Vulnerability | Windows Server 2012–2022; Win 10/11 | – | Spoofing | ✓ |
Section 03
Apply June 2026 Security Updates Immediately
Deploy the June 9, 2026 Microsoft security updates across all affected Windows clients, servers, Remote Desktop clients, and SharePoint Server instances without delay. These updates remediate all fifteen exploitable vulnerabilities including the three publicly disclosed zero-days and the CVSS 9.8 HTTP.sys RCE flaw. Functional proof-of-concept code is already public for several issues — patching is the single most effective control.
Prioritise Internet-Facing HTTP.sys Systems
Treat servers running IIS or any service built on the Windows HTTP Protocol Stack as top-priority patch targets for CVE-2026-47291 and CVE-2026-49160 — both reachable over the network with no authentication. Where immediate patching is not possible for the HTTP/2 DoS issue, apply the new MaxHeadersCount registry setting to limit headers in HTTP/2 and HTTP/3 requests as an interim mitigation.
Harden BitLocker-Protected Endpoints
For devices relying on TPM-only BitLocker — particularly Windows 11 and Server 2022/2025 — apply fixes for CVE-2026-50507 and CVE-2026-45658, and enable TPM+PIN authentication to raise the bar against physical-access attacks such as the "YellowKey" technique. Enforce boot-environment and recovery-environment controls to prevent untrusted USB or EFI media from subverting encryption.
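An added audit script (not from the HiveForce advisory or Microsoft) that reports which BitLocker volumes still rely on a TPM-only protector, the configuration the advisory says "YellowKey" primarily affects. It assumes the built-in BitLocker module (Get-BitLockerVolume) on a live host; the sample volumes below are constructed so the check runs offline.

```powershell
# Added example, not part of the HiveForce advisory or any Microsoft tooling.
# Flags BitLocker volumes protected by a TPM-only key protector and shows which
# volumes already use TPM+PIN. Assumes the BitLocker module on a live host.

function Test-TpmOnlyProtection {
    param([Parameter(Mandatory)] $Volume)   # one object shaped like Get-BitLockerVolume output
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasTpm    = $types -contains 'Tpm'
    $hasTpmPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protection = [string]$Volume.ProtectionStatus
        Protectors = ($types -join ',')
        TpmOnly    = ($hasTpm -and -not $hasTpmPin)   # exposed to physical-access bypass
    }
}

# Constructed sample volumes so the check runs offline; on a real host use:
#   $volumes = Get-BitLockerVolume
$volumes = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)

$report = $volumes | ForEach-Object { Test-TpmOnlyProtection -Volume $_ }
$report | Format-Table -AutoSize          # C: reports TpmOnly=True, D: TpmOnly=False

# Remediation for a TpmOnly volume (run interactively). A volume holds only one
# TPM-type protector, so the bare TPM protector is removed before TPM+PIN is added;
# confirm the recovery password is backed up first, and Group Policy must allow a
# startup PIN ("Require additional authentication at startup").
#   $pin = Read-Host -AsSecureString 'New BitLocker PIN'
#   $tpm = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#            Where-Object KeyProtectorType -eq 'Tpm'
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpm.KeyProtectorId
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```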
Constrain Privilege-Escalation Exposure
CVE-2026-42980, CVE-2026-42985, CVE-2026-42986, CVE-2026-42989, CVE-2026-45586, and CVE-2026-42905 all enable an attacker with any foothold to elevate to SYSTEM. Enforce least privilege, restrict local admin rights, and monitor for anomalous process creation, unexpected SYSTEM-level shells, and RDP connections to untrusted servers until patching is complete.
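An added detection example (not from the advisory) for the "unexpected SYSTEM-level shells" the passage says to monitor for: it flags interactive shells running as SYSTEM whose parent is not an expected service host, or whose parent ran as an ordinary user. Records are shaped like Sysmon Event ID 1 fields (Image, ParentImage, User, ParentUser); the events below are constructed, and the $expectedParents allow-list is an assumption to tune per estate.

```powershell
# Added example, not part of the HiveForce advisory. Flags SYSTEM shells launched
# from an unexpected parent or from a parent running as a non-SYSTEM user.
# Input records mimic Sysmon Event ID 1 fields; $expectedParents is an assumption.

$shellImages     = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
$expectedParents = @('services.exe', 'svchost.exe', 'wininit.exe', 'WmiPrvSE.exe')

function Find-UnexpectedSystemShells {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $image  = [System.IO.Path]::GetFileName($e.Image)
        $parent = [System.IO.Path]::GetFileName($e.ParentImage)
        $asSystem = ($e.User -eq 'NT AUTHORITY\SYSTEM')
        if ((-not $asSystem) -or ($shellImages -notcontains $image)) { continue }
        # A SYSTEM shell from an unexpected parent, or whose parent ran as an ordinary
        # user (a privilege jump across the parent/child boundary), is worth triage.
        $parentIsUser = $e.ParentUser -and ($e.ParentUser -ne 'NT AUTHORITY\SYSTEM')
        if (($expectedParents -notcontains $parent) -or $parentIsUser) {
            [pscustomobject]@{
                UtcTime = $e.UtcTime; Computer = $e.Computer
                Shell = $image; Parent = $parent; ParentUser = $e.ParentUser
            }
        }
    }
}

# Constructed records (not real telemetry). On a live host, build $events from:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
$events = @(
    [pscustomobject]@{ UtcTime='2026-06-10 08:01:02'; Computer='WS01'; User='NT AUTHORITY\SYSTEM'
        Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\services.exe'
        ParentUser='NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ UtcTime='2026-06-10 08:05:44'; Computer='WS01'; User='NT AUTHORITY\SYSTEM'
        Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage='C:\Windows\explorer.exe'; ParentUser='CORP\alice' }
    [pscustomobject]@{ UtcTime='2026-06-10 08:06:10'; Computer='WS01'; User='CORP\alice'
        Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe'
        ParentUser='CORP\alice' }
)
Find-UnexpectedSystemShells -Events $events | Format-Table -AutoSize   # only the 08:05:44 record
```

The second record is the shape of interest: a user-context explorer.exe parent with a SYSTEM child shell, which is what a standard-user-to-SYSTEM escalation looks like in process telemetry.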
Section 04
CVE-2026-47291 enables unauthenticated remote code execution against any internet-facing HTTP.sys service with a single crafted packet.
Win32K GRFX RCE flaws (CVE-2026-44803, CVE-2026-44812) can be triggered via malicious content rendering in client applications.
CVE-2026-45595), Bypass UAC: Security feature bypass flaws across Secure Boot, MOTW, and Windows Administrator Protection allow attackers to evade detection controls and bypass trust boundaries.
T1543.003) is a persistence/escalation path via multiple kernel-mode driver vulnerabilities.
NTLM spoofing (CVE-2026-50508) and BitLocker bypasses (CVE-2026-50507, CVE-2026-45658) expose credential material and encrypted data to attackers with local or network access, enabling credential relay and offline credential harvesting.
Remote Desktop Client RCE flaws (CVE-2026-42985, CVE-2026-42909, CVE-2026-42913 and others) enable attackers to execute code on victim systems connecting to malicious RDP servers — a classic lateral-movement enabler.
CVE-2026-49160 (HTTP/2 Bomb) can exhaust server memory in under 60 seconds. Windows Kerberos DoS (CVE-2026-42903, CVE-2026-42914) and TCP/IP DoS (CVE-2026-42915) provide additional denial-of-service attack paths against authentication and network services.
Section 05