June 10, 2026 Vulnerability

Microsoft's Record June 2026 Patch Tuesday: 200+ CVEs, Three Zero-Days, and a Critical HTTP.sys RCE Australian Businesses Must Patch Now

Microsoft released its June 2026 Patch Tuesday security update on 9 June — the largest in the company's history — addressing over 200 vulnerabilities across Windows, Office, Azure, and more. Among the volume are three publicly disclosed zero-day vulnerabilities and a critical remote code execution flaw in HTTP.sys (CVE-2026-47291, CVSS 9.8) that allows unauthenticated attackers to execute arbitrary code on affected Windows servers. Under the ACSC's Essential Eight framework, Australian businesses have 48 hours to apply critical patches — this is one of those weeks where that clock matters.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

A Record-Breaking Security Release: What Microsoft Shipped on 9 June

Microsoft's June 2026 Patch Tuesday security update, released on 9 June, addresses more than 200 vulnerabilities — the highest single-month CVE count in the company's history. Figures from independent analysts range from 198 to 211 CVEs depending on how product-version duplicates are counted, but all sources agree the scope is unprecedented. Among those fixes, 32 to 37 carry a Critical severity rating, and at least three are classified as zero-day vulnerabilities: publicly known before patches were made available.

The update's surface area is unusually wide even by Patch Tuesday standards. It spans Windows desktop and server operating systems, Microsoft Office, SharePoint Server, Exchange Server, Remote Desktop Services, Hyper-V, Active Directory Domain Services, Windows Defender, BitLocker, Visual Studio Code, Microsoft Copilot features, SQL Server, and multiple Azure services. In practical terms, any organisation running a Microsoft-heavy environment will have patching work across several product categories simultaneously.

The sheer volume of this month's release has attracted commentary beyond the usual patch analysis. Dark Reading noted that the acceleration of AI-assisted code generation is being scrutinised as a contributing factor in the growing CVE count. The argument is straightforward: when developers produce more code faster — whether with AI assistance or otherwise — the probability of introducing subtle security flaws scales with volume. Microsoft has not formally attributed the record to any single cause, but the correlation between expanding AI tooling adoption and rising CVE counts is being examined across the industry.

Analysts at Tenable and the Zero Day Initiative (ZDI), both of which publish detailed Patch Tuesday breakdowns, have flagged several vulnerabilities in this release as Exploitation More Likely — meaning active use in attacks is anticipated in the near term rather than being theoretical. The three publicly disclosed zero-days are not confirmed as actively exploited at time of writing, but the most critical non-zero-day vulnerability in the release, CVE-2026-47291, carries that same "Exploitation More Likely" assessment and warrants the fastest possible patching response.

Why This Release Demands Urgent Action from Australian Businesses

For Australian organisations, Patch Tuesday carries regulatory weight beyond vendor guidance. The ACSC's Essential Eight framework — Australia's baseline mitigation model for businesses and government agencies — includes "Patch Operating Systems" as one of its eight core controls. Under Maturity Level 2, critical operating system vulnerabilities must be patched within 48 hours of a patch becoming available. For Maturity Level 1, the window is formally one month, but the ACSC's guidance is clear that vulnerabilities rated Critical and assessed as likely to be exploited should be prioritised regardless of the stated maturity tier.

June 2026 Patch Tuesday includes CVE-2026-47291, a Critical-rated HTTP.sys remote code execution vulnerability with a CVSS score of 9.8 that Microsoft has assessed as "Exploitation More Likely." Under the Essential Eight's patching guidance, that combination — Critical severity plus an elevated exploitation probability — should be treated as equivalent to confirmed active exploitation for the purposes of patching prioritisation.

The broader threat context in Australia reinforces the urgency. The ACSC's Annual Cyber Threat Report for FY2024–25 recorded 138 ransomware incidents handled by the ACSC, with over 84,700 cybercrime reports submitted in the same financial year — an average of one every six minutes. Ransomware groups active in the Australia and New Zealand region — including Qilin, CL0P, and Lynx — together accounted for approximately 70 per cent of recorded ransomware incidents in the region in Q1 2026, according to Cyble's threat intelligence reporting. These groups consistently exploit unpatched systems as their initial foothold.

An unpatched CVE-2026-47291 on an internet-facing Windows server represents exactly the kind of pre-authentication entry point that ransomware affiliates and initial access brokers actively seek. A single crafted network request to an exposed HTTP.sys endpoint — if the server's configuration places it within the vulnerable range — may yield SYSTEM-level code execution. From there, lateral movement to domain controllers, credential extraction, and ransomware deployment follow a well-documented playbook that has been used against Australian targets repeatedly in the past 12 months.

Australia's Cyber Security Act 2024 also introduced mandatory reporting obligations for significant cyber incidents at critical infrastructure entities. Whether or not your organisation falls under those specific provisions, the public disclosure of CVE-2026-47291 creates operational risk that argues for a fast response — and for any business working towards Essential Eight compliance, June 9 started a 48-hour clock.

The Vulnerabilities That Demand Immediate Attention

With over 200 fixes in a single release, not every CVE warrants equal urgency. Four vulnerabilities stand out from June 2026 Patch Tuesday as requiring the closest attention from Australian IT teams.

CVE-2026-47291: HTTP.sys Remote Code Execution (CVSS 9.8 Critical)

HTTP.sys is the kernel-mode driver that underpins Windows' HTTP Protocol Stack. It handles HTTP and HTTPS connections for Internet Information Services (IIS), Windows Communication Foundation (WCF), and numerous built-in Windows services. Because it operates at the kernel level and is routinely exposed on internet-facing servers, a vulnerability here has an unusually large potential blast radius.

CVE-2026-47291 allows a remote, unauthenticated attacker to execute arbitrary code on a target server by sending a specially crafted network packet — no credentials, no user interaction, no local access required. Microsoft's advisory notes that the vulnerability affects systems where the MaxRequestBytes registry value has been raised above the default. The default value — 16,384 bytes (16 KB) — is not in the vulnerable range. However, administrators who have increased this value above 65,534 bytes (approximately 65 KB), commonly done to handle large HTTP request headers for web applications, should treat their systems as potentially exposed until the patch is applied.

Microsoft's own exploitability rating of "More Likely" means its analysts assess that reliable proof-of-concept or weaponised exploit code will emerge in the near term. For organisations running internet-exposed IIS instances, Windows-based API gateways, or any service built on the Windows HTTP Protocol Stack, this is the top patching priority in June 2026.

CVE-2026-49160: HTTP/2 Bomb Denial of Service (CVSS 7.5)

Known informally as the "HTTP/2 Bomb," CVE-2026-49160 abuses HTTP/2's header compression mechanism (HPACK) to cause disproportionate server-side memory allocation. An attacker sends a small, carefully crafted request that forces the server to decompress and process far larger data structures than the request size suggests, exhausting available memory and resulting in a denial-of-service condition. The technique was publicly disclosed by researchers at offensive security firm Calif before Microsoft's patch was available, meaning the methodology is already documented in open research.

While it is not a code execution flaw, a successful denial-of-service against a business's web-facing server could have significant operational consequences — particularly for smaller organisations where the affected server also runs business applications or handles customer transactions.

The Three Publicly Disclosed Zero-Days

CVE-2026-45586 (GreenPlasma): A Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege vulnerability with a CVSS score of 7.8, disclosed by security researcher Nightmare Eclipse. CTFMON manages text input services across Windows applications; a flaw in its link-following logic allows a local attacker to escalate their privileges to SYSTEM level. This requires local or authenticated access to the target — it functions as a post-compromise escalation tool rather than a direct entry point.

CVE-2026-50507 (bitskrieg): A Windows BitLocker Security Feature Bypass disclosed by security expert Jonas Lykkegaard. On systems using TPM-only BitLocker configuration (without a PIN or USB key) running Windows 11 or Windows Server, a crafted USB drive or modified EFI partition can be used to circumvent BitLocker's full-disk encryption and obtain command-shell access. This requires physical access to the device, making it a higher risk for organisations with mobile workers, field equipment, or devices in semi-public locations such as shared offices or co-working spaces.

Neither GreenPlasma nor bitskrieg has been confirmed as actively exploited. The zero-day classification reflects public disclosure before the patch — both are documented in researcher-published writeups that are now publicly available, meaning exploitation capability exists outside of the vendor's control from the moment the patch dropped.

What Australian Businesses Should Do This Week

For most Australian businesses, the immediate response to June 2026 Patch Tuesday comes down to five practical actions.

1. Check your HTTP.sys configuration before applying the patch. For any Windows server running IIS, WCF, or an API endpoint, verify the MaxRequestBytes registry value. The relevant key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes

If this value is absent (meaning it defaults to 16,384 bytes) or is set to 65,534 bytes or below, the server is not in the vulnerable range for CVE-2026-47291. If the value exceeds 65,534 bytes, apply the temporary mitigation recommended by Microsoft: reduce the value to 65,534 or below and restart the HTTP service. Then apply the full patch as soon as your patching window allows. Do not treat the registry change as a substitute for patching.

2. Apply patches via your existing patch management process. For organisations using Windows Update or Windows Server Update Services (WSUS), the June 9 cumulative update for each Windows version contains all June 2026 security fixes. Microsoft Update Catalog is the alternative for environments where direct internet access from servers is restricted. Patch servers before workstations, prioritise internet-facing systems and web hosts, and confirm domain controllers are explicitly included in the cycle — CVE-2026-47291 affects all supported Windows Server versions.

3. Check for end-of-support Windows Server versions. The June 2026 update covers Windows Server 2016, 2019, 2022, and 2025, as well as Windows 10 and 11 on the desktop side. Any Windows Server installation that has reached end-of-support — including Server 2012 and earlier — will not receive this month's patches. Systems in that state should be isolated from internet-facing network segments as an immediate risk reduction measure, with a formal upgrade plan prioritised.

4. Align patch timing with your Essential Eight obligations. If your organisation is working towards or maintaining an ACSC Essential Eight maturity rating, the 48-hour critical patching window under Maturity Level 2 applies to CVE-2026-47291 given its Critical severity and "Exploitation More Likely" assessment. Document when patches are applied — timestamp records, change management tickets, or WSUS deployment reports all qualify — and retain those records for any future compliance audit or incident response investigation.

5. Address BitLocker and zero-day flaws in the same cycle. CVE-2026-50507 requires physical device access and is therefore a lower operational priority for most office-based environments. However, for organisations with remote workers, travelling staff, or devices that regularly leave secure premises, it should be included in the same patching cycle rather than deferred. The GreenPlasma zero-day (CVE-2026-45586) requires local or authenticated access to exploit — patch it as part of the same update cycle. Neither flaw warrants holding the entire patch deployment, but neither warrants indefinite deferral either.

The ACSC provides detailed Essential Eight patching guidance, including checklists aligned to each maturity level, at cyber.gov.au. For smaller businesses without a formal patch management programme, the ACSC's guidance provides a practical starting point that does not require enterprise tooling.

The Growing Patch Load: What This Trend Means for SMB Security

The record CVE count in June 2026 is not an isolated event. Microsoft has addressed over 1,000 CVEs in the first half of 2026 alone, a pace that continues to accelerate year-on-year. Security analysts at Dark Reading and Computer Weekly have noted a structural shift: the rapid adoption of AI-assisted code generation tools is correlating with a rise in subtle security flaws that traditional code-review processes may not consistently catch at scale.

The argument is not that AI-generated code is inherently worse, but that it is generated faster. When code volume increases without a proportional increase in security review capacity, the total number of vulnerabilities introduced will tend to rise. Subtle logic errors, improper input validation, and unsafe memory handling — the root causes of CVE-2026-47291 and the Netlogon RCE fixed in May (CVE-2026-41089) — are exactly the class of vulnerability that emerges from code paths that were not thoroughly examined. This is not a reason to avoid AI coding tools, but it is a reason to expect Patch Tuesday to remain substantial for the foreseeable future.

For Australian SMBs, the practical implication is that Patch Tuesday is a recurring operational event that requires structured preparation, not an exceptional response each time. Three controls, implemented together, reduce the operational burden significantly:

Asset inventory as a prerequisite. You cannot patch what you do not know exists. A current inventory of all Windows systems — maintained in a simple spreadsheet if a formal configuration management database is out of scope — is the minimum required to respond to a Patch Tuesday event within the Essential Eight's 48-hour window. Unmanaged or shadow IT systems are routinely the initial compromise point in successful attacks precisely because they are not included in the patching cycle.

Vulnerability scanning as a regular practice. Running a scan within 24 hours of a Patch Tuesday release provides a prioritised list of unpatched CVEs across your environment. Microsoft Defender Vulnerability Management is available as part of Microsoft 365 E3 and above for organisations already in the Microsoft ecosystem. Open-source options such as OpenVAS provide similar capability for environments that prefer not to rely on vendor tooling. The goal is to move from "we applied the updates" to "we can verify the updates were applied to every system we have."

Multi-factor authentication as a second line when patching lags. Even when patches cannot be applied immediately — due to testing requirements, third-party application compatibility constraints, or change-management processes — multi-factor authentication limits the damage from credential-based lateral movement after an initial compromise. An attacker who achieves code execution through CVE-2026-47291 still needs to move to other systems to maximise their foothold. MFA at authentication boundaries makes that progression significantly harder and buys time for patching to catch up.

None of these measures replace patching as the primary control, but they reduce the exposure window and limit the consequences of patching delays. For the Australian SMB that runs Windows Server on-premises, relies on IIS or a Windows-based service for customer-facing operations, and has a small IT team, the June 2026 Patch Tuesday is a concrete illustration of why patching discipline sits at the centre of the ACSC's Essential Eight — not as bureaucratic overhead, but as the practical minimum required to maintain a defensible security posture.