Today is Microsoft's June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities.

This Patch Tuesday addresses 33 "Critical" vulnerabilities, 28 of which are remote code execution, 4 are elevation of privilege, and 1 is an information disclosure flaw.

When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include flaws in Mariner, Azure HorizonDB, Microsoft Copilot, Copilot Chat, M365 Copilot, Microsoft Exchange Online, and Microsoft Graph that were fixed by Microsoft earlier this month.

There were also a massive 360 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded from this Patch Tuesday roundup.

This month's Patch Tuesday fixes three publicly disclosed zero-day vulnerabilities, none of which are known to have been exploited in attacks. Microsoft classifies a zero-day flaw as publicly disclosed or actively exploited while no official fix is available.

Microsoft has patched a publicly disclosed Windows CTFMON vulnerability that grants SYSTEM privileges.

"Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally," explains Microsoft.

Microsoft has credited the flaw to an anonymous researcher, but has not shared any details on how it was disclosed.

Microsoft has patched a publicly disclosed HTTP/2 denial of service flaw called "HTTP/2 Bomb" that was disclosed this month by researchers at the offensive security firm Calif.

"Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network," explains Microsoft.

The HTTP/2 Bomb attack is a denial-of-service technique that abuses how the HTTP/2 protocol compresses and manages web traffic headers, allowing attackers to send very small amounts of data that force servers to allocate disproportionately large amounts of memory.

Researchers found the attack could dramatically increase memory usage on affected servers. Attackers can also keep the memory tied up by manipulating flow-control settings, preventing the server from freeing resources and potentially causing performance issues or outages.

To help mitigate this attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in a request, along with a support bulletin on how to use it.

"Microsoft also introduced a new MaxHeadersCount registry setting. This setting allows you to limit the number of headers included in HTTP/2 and HTTP/3 requests that are accepted by the HTTP server. For more information, see KB5102602," continued Microsoft.

This flaw was attributed to Quang Luong and Codex of Calif.io.

Microsoft has patched a publicly disclosed Windows BitLocker bypass flaw that allowed local attackers to gain access to an encrypted drive.

"Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack," explains Microsoft.

While Microsoft attributed the flaw to an anonymous researcher, BleepingComputer has learned that this is a fix for the YellowKey vulnerability that was publicly disclosed last month by a cybersecurity researcher named Nightmare Eclipse.

The YellowKey vulnerability could be exploited by placing specially crafted files on a USB drive or EFI partition and booting into the Windows Recovery Environment (WinRE), where holding down the CTRL key triggered a command shell with unrestricted access to encrypted BitLocker-protected drives.

The flaw primarily affects systems that used TPM-only BitLocker protection on Windows 11 and Windows Server 2022/2025 devices. Microsoft previously shared temporary mitigations for the issue, including enabling TPM+PIN authentication instead of relying solely on TPM protection.

Nightmare Eclipse has released a wave of Windows zero-day vulnerabilities, including BlueHammer, MiniPlasma, RedSun, and UnDefend, in protest of Microsoft's handling of its bug bounty and vulnerability disclosure programs.

Below is the complete list of resolved vulnerabilities in the May 2026 Patch Tuesday updates, excluding flaws fixed before today.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.
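For the BitLocker bypass above, the mitigation named is TPM+PIN instead of TPM-only protection. The following PowerShell is an added example, not from Microsoft or the original article, that lists which volumes on a machine still rely on a TPM protector with no pre-boot factor. It uses the built-in `Get-BitLockerVolume` cmdlet; the function name `Get-TpmOnlyBitLockerVolume` and the output column names are assumptions made for this illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker volumes protected by TPM alone.
# A volume counts as "TPM-only" when it has a plain Tpm key protector and
# no protector that demands a pre-boot factor (PIN and/or startup key).

function Get-TpmOnlyBitLockerVolume {
    # Protector types that require something beyond the TPM at boot.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

    Get-BitLockerVolume | ForEach-Object {
        # Normalise the protector enum values to strings for comparison.
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpm     = $types -contains 'Tpm'
        $hasPreBoot = @($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType        # OperatingSystem or Data
            ProtectionStatus = $_.ProtectionStatus  # On or Off
            Protectors       = ($types -join ',')
            TpmOnly          = ($hasTpm -and -not $hasPreBoot)
        }
    }
}

# Show only the volumes that still need a pre-boot factor added.
Get-TpmOnlyBitLockerVolume |
    Where-Object { $_.TpmOnly } |
    Format-Table -AutoSize
```

An empty result means no volume on the host has a bare TPM protector; volumes with `ProtectionStatus` of `Off` are not protected at all and need separate attention.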