“Every so often, a new round of denial-of-service vulnerabilities emerge which affect web servers implementing HTTP/2 and HTTP/3 standards,” explained Rapid7 principal software engineer, Adam Barnett.
Microsoft’s June Patch Tuesday delivers a heavy payload. The company published updates to fix 200 vulnerabilities, including three publicly disclosed zero-days. Among those 200 fixes are 33 critical CVEs, most of them remote code execution flaws, and a broader mix of elevation-of-privilege, information disclosure, spoofing, and security-feature-bypass issues that put system administrators on alert.
CVE-2026-49160 — the "HTTP/2 Bomb" discovered by AI-powered tools
CVE-2026-49160, nicknamed “HTTP/2 Bomb,” is a denial-of-service vulnerability the source says was discovered by AI-powered research tools. According to the advisory, an attacker using a single home computer could take down web servers in as little as 20 seconds. Rapid7’s Adam Barnett framed the flaw as part of a broader pattern: researchers are now using advances in large language model (LLM) capability to probe not only specific software but the standards on which software rests, and that approach will likely expand this class of HTTP/2/HTTP/3 denial-of-service findings.
CVE-2026-50507 — BitLocker security feature bypass and physical access risk
The second zero-day patched is CVE-2026-50507, described as a Windows BitLocker security feature bypass. Jack Bicer, director of vulnerability research at Action1, warned that an attacker with physical access to a vulnerable system could bypass a key security control and gain access to encrypted data stored on the device. Bicer spelled out the stakes: a successful bypass “can expose confidential business information, customer data, intellectual property, financial records, and regulated data.” He added that in environments where endpoint encryption is a compliance requirement, exploitation could bring regulatory exposure, breach-notification obligations, reputational damage, and financial losses.
CVE-2026-45586 — CTFMON "link following" elevation of privilege
The third publicly disclosed zero-day, CVE-2026-45586, is an elevation-of-privilege (EoP) flaw in the Windows Collaborative Translation Framework (CTFMON) caused by “link following.” Action1 co-founder Alex Vovk warned that a local authenticated attacker could leverage the flaw to gain system privileges. “A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time,” Vovk said, noting that system access enables malware installation, defense evasion, credential theft, data modification, and deeper movement across an environment. For businesses, he observed, this vulnerability can increase the impact of phishing, stolen credentials, or compromised standard user accounts.
Patch priorities: EoP, RCE, information disclosure, spoofing, security feature bypass
Elevation-of-privilege bugs were the single largest category in this update, accounting for 65 CVEs. Remote code execution vulnerabilities followed with 55, and the next most common classifications were information disclosure (30), spoofing (27), and security feature bypass (19). Administrators are urged by the bulletin to treat certain additional vulnerabilities as high priority. The advisory highlights four examples by CVE identifier and impact:
- CVE-2026-44812 — an RCE flaw in Windows Graphics Component (Win32K-GRFX) that can allow an attacker to execute arbitrary code on a target system
- CVE-2026-42985 — an RCE bug in the Remote Desktop Client which could provide attackers with access to sensitive corporate systems
- CVE-2026-44815 — a critical flaw in the Windows DHCP Client caused by a stack-based buffer overflow, which could turn network traffic into a full system compromise
- CVE-2026-47652 — an RCE vulnerability in Windows Hyper-V which could lead to unauthorized code execution, compromise of sensitive workloads, and disruption of hosted services
What this means for system administrators, compliance officers, and enterprise defenders
- System administrators and security teams: the release consolidates a large set of fixes — 200 CVEs — with three publicly disclosed zero-days. The HTTP/2 Bomb’s short attack window (as little as 20 seconds) and multiple critical RCEs argue for rapid prioritization of web-facing services, Remote Desktop clients, Hyper-V hosts, and graphics and DHCP components.
- Compliance officers and regulators: the BitLocker bypass (CVE-2026-50507) explicitly raises the prospect of regulatory exposure in environments where endpoint encryption is mandatory; organizations that rely on BitLocker for compliance should assess physical access controls and notification obligations tied to any compromise of encrypted data.
- Enterprise defenders and risk owners: the prominence of elevation-of-privilege flaws means that even limited intrusions or credential theft can escalate into full system control—precisely the threat Alex Vovk described—so defenders should be attentive to post-compromise pathways as they deploy these patches.
Microsoft’s patch set this month is both broad and pointed: it addresses 200 distinct vulnerabilities and three zero-days that range from a novel, AI-discovered HTTP/2 denial-of-service to hardware-proximate bypasses of endpoint encryption and link-following privilege escalations. As Rapid7’s Adam Barnett warned, the techniques used to discover CVE-2026-49160 suggest the class of vulnerabilities attacking protocol standards could grow as LLM-based tools probe both software and the standards beneath it. For defenders and decision-makers, the immediate work is clear — prioritize the identified critical and zero-day fixes, and account for the knock-on impact that EoP and bypass vulnerabilities can have on incident scope and compliance exposure.
