• Category: Security
  • Status: confirmed
  • Sources: The Hacker News, Zero Day Initiative review
  • Summary: Three of the record 206 CVEs in Microsoft's June 2026 Patch Tuesday were publicly disclosed before release. CVE-2026-49160 (CVSS 7.5) is an http.sys denial of service tied to the HTTP/2 Bomb technique; testers exhausted 64 GB of RAM on an IIS server in about 45 seconds, and Microsoft added a MaxHeadersCount registry setting as mitigation. CVE-2026-45586 (CVSS 7.8) is a privilege escalation in the Collaborative Translation Framework (CTFMON) granting SYSTEM, linked to a researcher exploit named GreenPlasma. CVE-2026-50507 (CVSS 6.8) is a BitLocker security feature bypass ("bitskrieg") that grants access to encrypted data but requires physical access. All three were patched in the June cumulative update.
  • Why it matters: The HTTP/2 Bomb DoS needs no authentication and can take down internet-facing IIS quickly; the CTFMON path gives local SYSTEM, completing the June Patch Tuesday picture alongside the critical RCEs already tracked.

Send feedback on this story