ctipilot.ch

CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Microsoft's June 2026 Patch Tuesday addressed 198 CVEs (32 Critical), the largest release in the program's history (Rapid7, 2026-06-09). The headline is CVE-2026-47291 in HTTP.sys, a CWE-190 integer overflow that leads to a CWE-122 heap write: an unauthenticated attacker sends a crafted request to any Windows service built on the HTTP Protocol Stack (IIS, WinRM, WMI-over-HTTP) and achieves remote code execution; Microsoft rates it "Exploitation More Likely" (Microsoft MSRC, 2026-06-09). Microsoft notes that systems running at the default MaxRequestBytes of 16384 bytes are not affected; only deployments that raised the value above roughly 65 KB are exposed, so resetting that registry value to the default is a stopgap until the patch is applied, and the value is also a quick audit criterion for which hosts to patch first.

Three publicly disclosed, not-yet-exploited zero-days also shipped: CVE-2026-49160 (an HTTP/2 compression-bomb DoS in HTTP.sys, the IIS analogue of the earlier nginx/Apache CVE-2026-49975, now mitigated with the MaxHeadersCount setting), CVE-2026-50507 (BitLocker bypass requiring physical access) and CVE-2026-45586 (CTFMON elevation of privilege). The release also includes the DHCP Client RCE CVE-2026-44815 (CVSS 9.8, "Exploitation Less Likely") and the VSCode EoP CVE-2026-47281 (CVSS 9.6) (Tenable, 2026-06-09; SANS ISC, 2026-06-09). Prioritise the HTTP.sys patch on any Windows host exposing IIS or WinRM.
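The following PowerShell audit is an added example, not code from the brief or from Microsoft: it reads the HTTP.sys MaxRequestBytes value, reports whether the host is in the configuration the advisory flags, lists which HTTP.sys consumers (IIS W3SVC, WinRM) are running, and optionally resets the value to the default as the stopgap described above. It assumes the value lives at HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters (the documented location for HTTP.sys tunables), treats the brief's "~65 KB" as a cut-off of 65536 bytes, and uses a coarse "any update installed on or after 2026-06-09" check for patch state because the brief does not give a KB number.

```powershell
# Added example: audit and optionally reset HTTP.sys MaxRequestBytes (run as Administrator).
# Assumptions: registry path below is the HTTP.sys parameter key; default is 16384;
# the "~65 KB" exposure threshold from the brief is taken as >= 65536 bytes.
param([switch]$Reset)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Default   = 16384
$Threshold = 65536   # assumption: "~65 KB" from the brief, treated as 65536

# Read the current value; an absent value means HTTP.sys uses its built-in default.
$current = (Get-ItemProperty -Path $KeyPath -Name MaxRequestBytes -ErrorAction SilentlyContinue).MaxRequestBytes
if ($null -eq $current) {
    Write-Host "MaxRequestBytes not set; HTTP.sys uses its default of $Default bytes."
    $current = $Default
}

# Which HTTP.sys consumers are actually listening on this host?
$exposed = Get-Service -Name W3SVC, WinRM -ErrorAction SilentlyContinue |
           Where-Object Status -eq 'Running' |
           Select-Object -ExpandProperty Name

# Coarse patch-state check (no KB number in the brief): any update installed since the release date.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2026-06-09' }

Write-Host ("MaxRequestBytes = {0} (default {1}); running HTTP.sys consumers: {2}; updates since 2026-06-09: {3}" -f
    $current, $Default, ($(if ($exposed) { $exposed -join ', ' } else { 'none' })), @($recent).Count)

if ($current -ge $Threshold) {
    Write-Warning "MaxRequestBytes is above the exposure threshold; this host is in the configuration the advisory flags."
    if ($Reset) {
        Set-ItemProperty -Path $KeyPath -Name MaxRequestBytes -Value $Default -Type DWord
        # HTTP.sys reads its parameters when the driver starts, so consumers must be bounced to apply the change.
        Write-Host "Reset to $Default. Restart HTTP.sys consumers (iisreset, Restart-Service WinRM) or reboot to apply."
    } else {
        Write-Host "Re-run with -Reset to restore the default as a stopgap until the June update is installed."
    }
} else {
    Write-Host "MaxRequestBytes is at or below the threshold; not in the exposed configuration, but still patch."
}
```

Run it read-only first across the IIS/WinRM estate (for example via Invoke-Command) to get the patch-priority list, then with -Reset on hosts that cannot take the update immediately; remember that lowering MaxRequestBytes will break any application that legitimately needed the larger request size, which is presumably why it was raised in the first place.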