Microsoft June 2026 Patch Tuesday: 198 CVEs and Six Zero-Days Including Wormable CVSS 9.8 HTTP.sys Flaw

Microsoft’s June 2026 Patch Tuesday is the largest security update of the year so far, addressing 198 vulnerabilities across Windows, Windows Server, Office, Azure, Hyper-V, and supporting components. The update includes six publicly disclosed zero-days — three of which carry CVSS 9.8 critical ratings — and a wormable remote code execution vulnerability in HTTP.sys that security researchers are describing as one of the most dangerous Windows Server flaws in recent memory.

Six Zero-Days at a Glance

CVE-2026-47291: The Wormable HTTP.sys Flaw

CVE-2026-47291 is the highest-priority vulnerability in the June update. HTTP.sys is the kernel-mode HTTP request processing driver used by IIS, Windows Remote Management, and any application using the Windows HTTP Server API. The flaw is an integer overflow in HTTP/2 protocol handling that allows an unauthenticated remote attacker to execute arbitrary code at SYSTEM privilege.

Wormable means no user interaction and no authentication are required. An attacker can craft a malicious HTTP/2 request and send it directly to any listening HTTP.sys endpoint. The vulnerability affects all Windows Server versions from 2008 R2 through 2025 that have HTTP services listening on any interface. IIS is enabled by default on Windows Server in several deployment configurations — including web servers, SharePoint, Exchange, and WSUS servers.

Security researchers at Tenable have classified CVE-2026-47291 alongside MS17-010 (EternalBlue) and CVE-2021-26855 (ProxyLogon) as a vulnerability where the network path to exploitation is direct and the consequence is complete host compromise. CISA is expected to add this to the KEV catalogue within 24 hours of disclosure.

Mitigation while patching: If HTTP.sys cannot be immediately patched, disabling HTTP/2 in IIS is a partial mitigation. For IIS:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableHttp2Tls" -Value 0
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableHttp2Cleartext" -Value 0
Restart-Service W3SVC

Note: Disabling HTTP/2 affects performance for modern clients but does not interrupt HTTP/1.1 connectivity.

CVE-2026-45657: Windows Kernel Use-After-Free RCE

CVE-2026-45657 is a use-after-free in the Windows kernel that has been actively exploited prior to the patch. Microsoft’s advisory classifies it as publicly disclosed and exploited in the wild. Exploitation grants SYSTEM-level code execution — complete compromise of the affected machine.

The vulnerability requires no authentication and no user interaction when accessible via the network vector, though Microsoft’s advisory suggests local exploitation paths also exist. Given the active exploitation confirmation, this should be treated with the same urgency as CVE-2026-47291 for any internet-facing or internally exposed Windows system.

CVE-2026-44815: Windows DHCP Client Rogue-Server RCE

CVE-2026-44815 is a stack buffer overflow in the Windows DHCP client service. An attacker with access to the same network segment can operate a rogue DHCP server to exploit this vulnerability and achieve SYSTEM-level code execution on any Windows client or server that performs DHCP discovery on that segment.

This vulnerability is particularly significant for enterprise environments where DHCP is broadcast-accessible across VLANs or where DHCP Guard is not enforced on all switched ports. Wired workstations, laptops connecting to meeting room ports, and IoT devices on unguarded segments are all in scope.

Supporting Zero-Days

CVE-2026-49160 (HTTP.sys DoS): A companion flaw to CVE-2026-47291 in HTTP/2 handling, this vulnerability allows an unauthenticated remote attacker to crash the HTTP.sys service via a malformed request — effectively taking any IIS or HTTP API server offline. The “HTTP Bomb” nickname references its ability to crash systems with minimal request volume.

CVE-2026-45586 (“GreenPlasma”, CTFMON EoP): A local privilege escalation in the Windows Text Services Framework (CTFMON). An authenticated local user can elevate to SYSTEM. Active in post-exploitation toolkits where attackers already have user-level access and need to escalate.

CVE-2026-50507 (“YellowKey”, BitLocker SFB): A security feature bypass that allows an attacker with physical access to a device to bypass BitLocker pre-boot authentication. Requires physical access — the primary scenario is targeted theft of executive laptops or servers in co-location facilities.

Additional Critical CVEs

Beyond the zero-days, the June update patches several CVSS 9.0+ critical flaws including:

• CVE-2026-47288: Windows Kerberos KDC remote code execution (see dedicated article) — critical risk for domain controllers
• CVE-2026-44963: Veeam Backup & Replication RCE (separate advisory; see dedicated article)
• Multiple Azure and Hyper-V flaws in the CVSS 8.x range affecting cloud and virtualisation infrastructure

Recommended Prioritisation

For enterprise patch management teams, the June 2026 update warrants emergency-tier response for the following:

1. Immediately (within 24 hours if possible): CVE-2026-47291 (HTTP.sys wormable RCE) on all Windows Server systems with IIS, WRM, or any HTTP API service
2. Emergency tier (within 72 hours): CVE-2026-45657 (Windows Kernel RCE, actively exploited), CVE-2026-47288 (Kerberos KDC RCE on domain controllers)
3. High priority (within standard patch cycle, compress timeline): CVE-2026-44815 (DHCP Client RCE), CVE-2026-44963 (Veeam RCE)
4. Standard cycle: Remaining 193 vulnerabilities per normal vulnerability management priority scoring

The June 2026 Patch Tuesday represents the most critical single patch event of 2026 so far. All three CVSS 9.8 flaws are publicly known before this update, meaning attackers have had — or will have — exploit code. Response timelines must be compressed accordingly.