CVE-2026-45586
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. The CCB would like to point your attention to following vulnerabilities: CVE‑2026‑45586 – Windows Collaborative Translation Framework (CTFMON) (Zero-day) High Elevation of Privilege vulnerability A local attacker without any user interaction can exploit this vulnerability to gain SYSTEM privileges by elevating their privileges because of an improper link resolution before file access in CTFMON. CVE‑2026‑49160 – HTTP.sys (Zero-day) Denial of Service vulnerability A remote attacker without any privileges and with no user interaction can exploit this uncontrolled resource consumption in HTTP/2. The attacker can send custom HTTP/2 (or HTTP/3) requests that abuse header compression and excessive headers which forces the HTTP stack to allocate excessive memory/CPU while processing compressed headers (HPACK/QPACK), exhausting resources which causes Denial of Service in the system. CVE‑2026‑50507 – Windows BitLocker (Zero-day) Medium Security Feature Bypass vulnerability (“YellowKey” BitLocker bypass) An unauthorized attacker with physical access can manipulate the local boot or recovery environment to exploit this zero-day vulnerability to bypass BitLocker’s security protections to access encrypted data because of a protection mechanism failure. There is a publicly available Proof-of-Concept and Microsoft estimated that this vulnerability is highly likely to exploited. CVE-2026-45657 – Windows Kernel (RCE) Critical Use After Free vulnerability A remote, unauthenticated attacker without any user interaction can send specially crafted network packets to trigger the Kernel’s TCP/IP/path processing to dereference freed memory by provoking the Use After Free (UAF) race/dangling pointer to overwrite control data which can allow them to execute arbitrary code with SYSTEM privileges. CVE-2026-42985 – Remote Desktop Client (RCE) Heap-based buffer overflow vulnerability If a remote attacker with a role with at least low privileges and without any user interaction exploits this vulnerability, they can corrupt the memory and execute code remotely. They don’t need to have any valid credentials, while endpoints that initiate RDP to untrusted hosts or that accept maliciously relayed RDP traffic are the most vulnerable. Microsoft assesses exploitation to be “more likely” for this vulnerability. CVE-2026-47634 - Microsoft SharePoint Server (XSS) Spoofing, Cross-Site Scripting vulnerability A remote, unauthenticated attacker with low privileges can exploit this Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerability (XSS – cross-site-scripting) to perform spoofing over a network and affect the Microsoft SharePoint Server. If you have Microsoft Update turned on, there’s no action required about this patch, otherwise you need to install it manually. You must be on the release version of SharePoint Server Subscription Edition to install the update package build 16.0.19725.20384, which also addresses multiple other MS SharePoint vulnerabilities.
Risk Scores
Timeline
- Jun 9, 2026 CVE Published
- Jun 10, 2026 Coalition ESS Score
- Jun 10, 2026 Security Advisory
- Jun 10, 2026 Security Advisory
References
- https://ccb.belgium.be/advisories/warning-microsoft-patch-tuesday-june-2025-patches-206-vulnerabilities-33-critical-173 advisory
- https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun vendor
- https://www.theregister.com/patches/2026/06/09/ai-is-making-patch-tuesday-kinda-fun-again/5253225 technical
- https://windowsreport.com/rogueplanet-zero-day-grants-system-privileges-on-fully-patched-windows-11-systems/ technical
- https://thehackernews.com/2026/06/microsoft-patches-record-206-flaws.html technical
- https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record technical
- https://www.tenable.com/blog/microsofts-june-2026-patch-tuesday-addresses-198-cves-cve-2026-49160-cve-2026-50507 technical
- https://www.zerodayinitiative.com/blog/2026/6/9/the-june-2026-security-update-review technical
- https://cybersecuritynews.com/windows-bitlocker-0-day-bypass-vulnerability/ technical