June 2026 Patch Tuesday:
200 flaws, three zero-days and a printing bug

In short: the 9 June 2026 Patch Tuesday is the largest ever: around 200 vulnerabilities fixed, 33 critical, and three publicly known zero-days closed — GreenPlasma, YellowKey (a BitLocker bypass) and HTTP/2 Bomb. Meanwhile, anyone who stopped printing from Windows Server 2022 has a precise culprit: May's KB5087424 hotpatch, which breaks printing from 32-bit applications. Here is what to install, what to verify and what remains exposed.

A record-breaking Patch Tuesday

Never have so many fixes landed on a single Tuesday: around 200 vulnerabilities (specialist media counts range from 198 to 208 depending on what they include), of which 33 are rated critical — 28 of them Remote Code Execution flaws, i.e. exploitable to run code remotely. By category: 65 elevation of privilege, 55 remote code execution, 30 information disclosure, 27 spoofing, 19 security feature bypass and 7 denial of service.

Add to those numbers over 360 fixes for Chromium-based browsers (Microsoft Edge included) released in the same week. For anyone managing a fleet, the message is simple: this is not a month to postpone updates. Among the critical fixes, a Remote Code Execution in Active Directory Domain Services (CVE-2026-45648), one in Microsoft Office (CVE-2026-45463) and two Secure Boot bypasses (CVE-2026-45588 and CVE-2026-45654) stand out. The rollup also closes CVE-2026-42897, the actively exploited Exchange Server vulnerability we covered in May.

The three zero-days closed: GreenPlasma, YellowKey and HTTP/2 Bomb

Three vulnerabilities were already public before the patch — with technical details or proof-of-concept code in circulation. None was known to be actively exploited at release time, but from today every day without the update is a day of exposure:

• GreenPlasma (CVE-2026-45586) — privilege escalation in the Windows Collaborative Translation Framework (the CTFMON component): a local user can obtain a shell with SYSTEM privileges by exploiting improper link resolution. It is part of the series of zero-days disclosed by the researcher known as Nightmare Eclipse.
• BitLocker bypass (CVE-2026-50507, plus YellowKey CVE-2026-45585) — June closes two distinct flaws that bypass BitLocker encryption with physical access: CVE-2026-50507, publicly disclosed before the patch, and CVE-2026-45585 — which Microsoft confirms in its advisory to be the vulnerability behind the YellowKey exploit: crafted files on a USB drive or the EFI partition, a boot into the WinRE recovery environment and, holding CTRL, a command shell with access to encrypted drives. They affect TPM-only configurations on Windows 11 and Windows Server 2022/2025.
• HTTP/2 Bomb (CVE-2026-49160) — denial of service against HTTP.sys, the driver serving web requests in IIS and many Windows services: crafted HTTP/2 requests force the server to allocate disproportionate amounts of memory. Alongside the patch, Microsoft introduces the new MaxHeadersCount registry setting to limit the number of headers accepted in HTTP/2 and HTTP/3 requests.

The lesson of the BitLocker bypasses deserves action even after the patch: on laptops holding sensitive data, the recommended configuration remains TPM + startup PIN. TPM-only protection releases the encryption key without asking anything of whoever powers on the machine — exactly the property that physical attacks like this one exploit.

The Nightmare Eclipse series: what is closed and what remains open

GreenPlasma and YellowKey belong to the series of zero-days disclosed in recent months by the researcher Nightmare Eclipse, without coordination with Microsoft. The tally as of today: RedSun (CVE-2026-41091, the only one in the series known to have been actively exploited in real attacks) and UnDefend (CVE-2026-45498), both in Microsoft Defender, had already been fixed with out-of-band updates in late May and are counted in the June rollup; BlueHammer was closed after active exploitation began; with this Patch Tuesday, GreenPlasma, YellowKey and MiniPlasma leave the stage too.

The series is not over, though: within hours of the patches shipping, the same researcher published a new zero-day, RoguePlanet, a race condition in Microsoft Defender that spawns a shell with SYSTEM privileges on fully updated systems — June patches included — with a proof of concept already confirmed working by independent researchers and no fix available. It is a reminder that patching alone is not enough: when a flaw is public but no patch exists, the practical defences are behavioural detection — an EDR/XDR that flags privilege escalation even without knowing the vulnerability — and the principle of least privilege, which limits what a compromised account can do.

The KB5087424 printing bug on Windows Server 2022

While Microsoft was closing 200 flaws, many administrators were wrestling with a more mundane problem: printing that stops working. The culprit is hotpatch KB5087424 of 12 May 2026 for Windows Server 2022 Datacenter Azure Edition (build 20348.5074): after installation, the splwow64.exe component no longer starts and returns error 0xc0000142 (“the application was unable to start correctly”).

splwow64 is the bridge between 32-bit applications and the 64-bit print system: if it does not start, 32-bit line-of-business applications cannot print — and neither can some 64-bit applications that invoke it, for example Excel instantiated via COM by automated procedures, or environments with the “Isolate print drivers from applications” feature enabled. The case publicly documented by HCL involves a Domino server driving Excel; community reports from system administrators cover remote desktops and session hosts. The typical scenario is a cloud-hosted remote desktop on Azure with hotpatching enabled: the user works in the business application, hits print, and nothing happens.

The delicate point: a month after release, Microsoft has not yet acknowledged the issue among its official known issues. The viable paths documented so far:

• 1Install the June cumulative update. On 9 June, the Windows Server 2022 hotpatch channel received a baseline update: a full cumulative update with reboot that entirely replaces the faulty May hotpatch. It is the first natural recovery window: install it and immediately verify printing from 32-bit applications.
• 2Disable print driver isolation (“Isolate print drivers from applications”), if compatible with your policies: it stops applications from going through splwow64 where not strictly necessary.
• 3As a last resort, uninstall KB5087424 and block its reinstallation, with a reboot: it restores printing, but also removes May's security fixes — to be considered only as a temporary stopgap until the June cumulative update.

There is an architectural lesson too: hotpatching — security updates without reboot, one of the advantages of the Azure Edition — remains an excellent tool, but it must be paired with functional tests after every patch cycle: a quick check of printing, business application access and critical workflows right after installation would have caught the problem on day one, not at the first invoice that needed printing.

What to do this week: a five-point checklist

• 1Deploy the June updates on clients and servers, prioritising internet-facing systems (HTTP/2 Bomb is exploitable remotely without authentication) and domain controllers (for the RCE in Active Directory Domain Services).
• 2Review the BitLocker configuration of your laptops: where TPM-only protection is in place and the data justifies it, enable TPM + startup PIN.
• 3Verify printing after patching on Windows Server 2022 servers with hotpatching: a test from 32-bit applications immediately tells you whether the KB5087424 issue has been resolved by the June cumulative update.
• 4Compensate for RoguePlanet until a patch exists: behavioural detection active on all endpoints and a review of accounts with local administrative privileges.
• 5Check the Secure Boot status of your fleet: the Microsoft certificates from 2011 expire on 24 June (KEK CA) and 27 June (UEFI CA). Devices keep booting, but without the new certificates they stop receiving updates to secure boot components.

How AtWorkStudio helps

For clients with managed infrastructures, the June patch cycle follows our standard process: ring-based deployment, post-update functional tests (printing included) and monitoring. For those who manage independently and want an independent check, a vulnerability assessment captures the real exposure of your fleet, and our cybersecurity services cover what patching alone does not solve.

We have been operating from Piacenza since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, are qualified by the ACN (Italian National Cybersecurity Agency) for cloud services, members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.