Microsoft’s June 2026 security update addresses approximately 200 vulnerabilities, including three publicly disclosed zero-days: the 'HTTP/2 Bomb' DoS, a CTFMON privilege escalation, and the 'YellowKey' BitLocker bypass.
Microsoft June 2026 Patch Tuesday: 200 Flaws Fixed, 3 Public Zero-Days Addressed

On June 9, 2026, Microsoft released cumulative security updates addressing approximately 200 vulnerabilities. The release includes three zero-days that were publicly disclosed prior to patching, though none were under active exploitation at the time of release. This month’s cycle is significant in both volume and technical variety: it features an HTTP/2 denial-of-service flaw that abuses HPACK compression, a link-following error in the CTFMON framework that grants SYSTEM privileges, and a physical BitLocker bypass—dubbed "YellowKey"—that exposes encrypted drives to anyone with local access and a USB stick. While exploitation has not been confirmed, public disclosure accelerates the development of functional exploits. Furthermore, researcher Nightmare Eclipse has already demonstrated the ability to force Microsoft’s patching timeline through a disclosure campaign that began in April.

Key Takeaways
  • Vulnerability counts vary by source, ranging from 200 (BleepingComputer) to 204 (SANS ISC), with 33 to 38 classified as Critical. These figures exclude 360 Edge/Chromium flaws and earlier cloud-based patches.
  • The three public zero-days—CVE-2026-49160 (HTTP/2 Bomb DoS), CTFMON LPE, and YellowKey BitLocker bypass—were not exploited in the wild as of June 9, 2026.
  • Microsoft introduced a registry-based mitigation, MaxHeadersCount, for HTTP/2 and HTTP/3, documented in KB5102602 and released alongside the patches.
  • YellowKey was disclosed in May by Nightmare Eclipse and included in the June cycle, marking another round in the ongoing disclosure conflict between the researcher and Microsoft’s bug bounty program.

HTTP/2 Bomb: Weaponizing HPACK Compression for Resource Exhaustion

CVE-2026-49160 exploits the header compression mechanism in HTTP/2 and HTTP/3 to create a "bomb" that exhausts server resources. This is an unauthenticated, remote vector resulting in large-scale denial of service. The National Vulnerability Database assigns this flaw a CVSS score of 7.5 (HIGH) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a low-complexity network attack requiring no user interaction and impacting only availability.

The technical standout of this release is not the patch itself, but the parallel countermeasure. On June 9, 2026, Microsoft published KB5102602, which adds a registry parameter—MaxHeadersCount—to limit the number of headers accepted in HTTP/2 and HTTP/3 requests. This dual-layered defense (binary patch and configuration hardening) suggests the flaw has a vast attack surface and that code corrections alone may not be sufficient to contain immediate operational risks.

CTFMON and YellowKey: Two Vectors, One Physical Denominator

The second zero-day affects the Windows Collaborative Translation Framework (CTFMON) service. Classified as an "Improper link resolution before file access ('link following')" error, it allows an already authenticated attacker to gain SYSTEM-level privileges locally. The researcher who discovered the flaw chose to remain anonymous, a pattern consistent with the uncoordinated disclosure campaign seen in recent months.

The third zero-day, YellowKey, is the physical BitLocker bypass disclosed in May by Nightmare Eclipse. The mechanism requires physical access, a USB/EFI partition, and the Windows Recovery Environment (WinRE); pressing CTRL during boot grants a shell with access to the encrypted drive. BleepingComputer notes that the flaw primarily affects systems using TPM-only protection on Windows 11 and Windows Server 2022/2025. While Microsoft previously issued temporary mitigations, such as adopting TPM+PIN, the June 2026 patch represents the first structural fix in a regular update cycle.

Discrepancies in the Count: Two Perspectives on the Perimeter

The numerical divergence between primary sources is notable. BleepingComputer reports 200 flaws, including 33 Critical: 28 remote code execution, 4 elevation of privilege, and 1 information disclosure. SANS ISC, by contrast, counts 204 vulnerabilities in total, with 38 classified as Critical. Neither source explicitly explains the gap of four in the total and five in the Critical count, but BleepingComputer states its criteria: it excludes Patch Tuesday fixes released earlier in the month for cloud products (Mariner, Azure HorizonDB, Copilot, Exchange Online, Graph) and the 360 Edge/Chromium vulnerabilities managed by Google. SANS does not state its inclusion criteria at that level of detail, so a more inclusive count is the likely explanation.

"This is certainly a busier-than-usual patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery" — SANS Internet Storm Center

SANS also notes in its summary that six cloud vulnerabilities required no user action, as they were remediated server-side. This data confirms Microsoft's trend of decoupling infrastructure patching from the monthly desktop-server cycle, which complicates efforts to track the effective security perimeter.

The Nightmare Eclipse Context: From BlueHammer to YellowKey

The three June 2026 zero-days are not isolated incidents. Since April 2026, the researcher known as Nightmare Eclipse has sequentially released BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and finally YellowKey. According to BleepingComputer, these disclosures are a protest against "Microsoft’s handling of bug bounty and vulnerability disclosure programs." The first three required out-of-band patches in May, with confirmed active exploitation for at least two—a pace that forced Microsoft to deviate from its regular schedule.

YellowKey marks a shift in dynamics: the flaw was publicly disclosed in May but included in the June cycle without confirmed active exploitation, and it targets a physical rather than remote vector. This de-escalation of immediate risk—from in-the-wild RCE/SYSTEM flaws to a physical bypass requiring local access—could reflect a Microsoft strategy to contain public damage, or a tactical shift by the researcher. The dossier does not clarify the motives behind this transition, nor whether Nightmare Eclipse has further flaws awaiting disclosure.

Recommended Actions

  • Apply the June 2026 cumulative updates immediately without waiting for standard testing cycles, as the three zero-days are public and replicable.
  • Configure MaxHeadersCount via the registry on servers exposed to HTTP/2 and HTTP/3, following KB5102602, as an additional defensive mitigation for CVE-2026-49160.
  • Verify BitLocker configurations on Windows 11 and Server 2022/2025 systems. If TPM-only mode is active, migrate to TPM+PIN as an interim control until the patch application is confirmed.
  • Review privilege management policies for the CTFMON service and link resolution processes to limit the local elevation attack surface until patching is verified.
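As an added example (not code from the article, Microsoft or the cited sources), the BitLocker check recommended above as a PowerShell audit: it lists volumes whose TPM protector has no PIN, the configuration the article singles out as exposed to YellowKey, and offers a migration to TPM+PIN. It assumes the BitLocker module cmdlets Get-BitLockerVolume, Add-BitLockerKeyProtector and Remove-BitLockerKeyProtector in an elevated session, and that Group Policy does not forbid a startup PIN; the function names are my own.

```powershell
# Added audit example; not from the article or from Microsoft.
# Assumes the BitLocker PowerShell module and an elevated session.

function Get-TpmOnlyBitLockerVolume {
    # Returns one record per volume that unlocks with a bare TPM protector
    # and has no TPM+PIN (or TPM+PIN+startup key) protector.
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        if (($types -contains 'Tpm') -and -not $hasPin) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                Protectors       = ($types -join ', ')
                HasRecoveryKey   = ($types -contains 'RecoveryPassword')
            }
        }
    }
}

function ConvertTo-TpmPinProtection {
    # Migrates one volume from TPM-only to TPM+PIN. Order matters: a recovery
    # password is added first so the volume is never left without a protector
    # if the PIN is later forgotten; the bare TPM protector is removed last.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if (-not ($types -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType.ToString() -eq 'Tpm') {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }
}

# Usage: Get-TpmOnlyBitLockerVolume | Format-Table
#        ConvertTo-TpmPinProtection -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'PIN') -WhatIf
```

Run the audit first across the fleet (the output is plain objects, so it can be exported to CSV); escrow the recovery password in AD or Intune before running the migration for real rather than with -WhatIf.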

FAQ

YellowKey requires physical access; why is it classified as a critical zero-day?

A physical vector does not automatically reduce operational severity. BitLocker is specifically designed to protect data at rest in scenarios involving device theft or loss. A bypass involving a USB stick and a few keystrokes nullifies this protection for millions of TPM-only endpoints. Furthermore, the public disclosure of the method makes the attack replicable without advanced offensive skills.

Why did Microsoft release MaxHeadersCount in addition to the CVE-2026-49160 patch?

The registry setting allows administrators to intervene immediately on systems where full patching requires longer maintenance windows or where HTTP/2 is exposed across heterogeneous infrastructures. This is a defensive pattern Microsoft has used previously for flaws with broad attack surfaces, though the dossier does not specify exact precedents for this class of vulnerability.

Has Nightmare Eclipse stopped publishing zero-days?

There is no evidence in the current dossier to confirm either a suspension or a continuation of the campaign. YellowKey is the latest documented disclosure, but the researcher has previously demonstrated the capacity to release multiple flaws in sequence. The brief contains no information regarding communications following June 9, 2026.

The June 2026 Patch Tuesday confirms that the friction between coordinated disclosure and public release has altered Microsoft’s response timeline, not just its speed. The three June zero-days were contained without active exploitation, unlike BlueHammer, RedSun, and UnDefend. This may signal a vendor adaptation to reaction times or a more cautious selection by the researcher. What remains constant is the volume—approximately 200 flaws—and the increasing share of vulnerabilities discovered via AI-assisted tools, a trend SANS ISC highlights as a structural factor in the future threat landscape.

Sources and references
  1. bleepingcomputer.com
  2. isc.sans.edu
  3. krebsonsecurity.com
  4. darkreading.com
  5. thecyberexpress.com
  6. techtimes.com
  7. nvd.nist.gov
  8. support.microsoft.com
  9. msrc.microsoft.com