TL;DR
- This month’s Patch Tuesday release includes 204 CVEs, with three publicly disclosed zero-day vulnerabilities.
- Prioritize patching CVE-2026-49160 (HTTP.sys DoS), CVE-2026-42985 (Remote Desktop Client RCE), CVE-2026-47291 (HTTP.sys RCE), and CVE-2026-45586 (CTFMON EoP) from this month’s release.
- A cluster of Linux page cache vulnerabilities—including Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300)—affects virtually all Linux systems from the past eight years and is being actively exploited in the wild.
- In a recent incident, our SOC observed attackers leverage Copy Fail to gain root-level access to Linux EC2 hosts by corrupting the in-memory version of the /usr/bin/su binary.
It’s finally June, and with it comes the beginning of summer—the time of year that those orange cones come out and the roads get torn up. Potholes get patched, lanes get repaved, and the main road for one of our authors is going to be closed for two months, meaning he’ll have to drive way out of town to go anywhere! But he’s not bitter about it—the roads that don’t get patched up tend to get worse. Security teams know the feeling. It’s Patch Tuesday.
Patch Tuesday: June 9, 2026
This month’s release includes 204 CVEs, including fixes for three publicly disclosed zero-day vulnerabilities. Here are the CVEs we think are deserving of your attention first:
- HTTP.sys Denial of Service Vulnerability (CVE-2026-49160): Nicknamed “HTTP/2 Bomb” by the researchers that discovered it, this zero-day is a Denial of Service (DoS) vulnerability with publicly available proof-of-concept (PoC) code. An attacker wielding this exploit can potentially knock a vulnerable server offline in seconds by sending a specially crafted HTTP/2 request.
- Remote Desktop Client Remote Code Execution Vulnerability (CVE-2026-42985): This is a heap-based buffer overflow in Remote Desktop Client. Exploiting it requires socially engineering a target into connecting to an attacker-controlled server with a vulnerable version of the client. The malicious server triggers the overflow, after which the attacker can execute arbitrary code on the target’s system.
- Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability (CVE-2026-45586): This is a zero-day vulnerability in CTFMON, the Windows process that supports voice and handwriting recognition. A successful exploit of this vulnerability can grant an attacker SYSTEM privileges on an impacted system. Interestingly, the researcher who disclosed the vulnerability did not provide the full PoC in the disclosure. However, a capable attacker could likely bridge the gap, making this worth prioritizing.
- Windows BitLocker Security Feature Bypass Vulnerability (CVE-2026-50507): This zero-day BitLocker bypass could allow an attacker with physical access to get around device encryption and read protected data. There is no remote component, but it is still worth flagging: most organizations issue laptops and other portable devices, and a stolen device is exactly the scenario in which this vulnerability turns into a data exposure.
- HTTP.sys Remote Code Execution Vulnerability (CVE-2026-47291): An integer overflow in the Windows HTTP Protocol Stack (http.sys) could let an unauthenticated remote attacker execute arbitrary code by sending a specially crafted network packet. Interestingly, systems using the default MaxRequestBytes value of 16,384 bytes are not affected, so this CVE jumps in urgency on any host where that value has been changed. MaxRequestBytes is a DWORD under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; if the value is absent, the default applies. It is worth inventorying which servers have set it, since IIS, WinRM, and anything else that binds through http.sys are all in scope.
Exploit tales: Linux page cache vulnerabilities
This month we’re spotlighting the recent headline-grabbing Linux vulnerability CVE-2026-31431, better known as “Copy Fail.” An unprivileged local user can write into the page cache copy of any file—the in-memory copy the kernel serves to every process that reads the file—without the file on disk changing, and then use what they wrote to elevate their privileges to root. It affects virtually all Linux systems from the last eight years.
A PoC exploit available on the disclosure site gets root on vulnerable machines by corrupting the in-memory copy of /usr/bin/su, patching the binary so that su no longer asks for a password. Any local user can then run su and get a root shell without authenticating, and carry out arbitrary commands from there.
Page cache vulnerabilities are not new, but unlike similar attacks that came before it, Copy Fail works without requiring timing tricks or complicated setup conditions. This separates it from previous vulnerabilities that corrupt data in the page cache, such as Dirty Cow (CVE-2016-5195), which required a race condition, and Dirty Pipe (CVE-2022-0847), which required hitting specific buffer conditions.
As is common with critical vulnerabilities, the disclosure of Copy Fail brought additional scrutiny to the page cache resulting in the identification of additional vulnerabilities: Dirty Frag (CVE-2026-43284 and CVE-2026-43500) and Fragnesia (CVE-2026-46300). These additional vulnerabilities manipulate the Linux page cache in a similar fashion to Copy Fail to achieve the same privilege escalation outcome.
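The footprint the post describes, a modified page-cache copy of a binary whose on-disk file is untouched, can be looked for directly. The script below is an added example, not code from the original post or from the Copy Fail disclosure: it reads a file once through the page cache (the way every normal reader, including cmp, sees it) and once with O_DIRECT, which bypasses the cache and returns what is actually on disk, then reports whether the two agree. It assumes dd supports iflag=direct (GNU and recent busybox coreutils do) and that the filesystem honours O_DIRECT; where it does not (tmpfs, some overlay setups), the check reports "inconclusive" rather than guessing.

```shell
#!/bin/sh
# Added example, not from the original post or the Copy Fail disclosure.
# Compares the page-cache copy of a file with its on-disk contents. A mismatch
# on a setuid binary such as /usr/bin/su is the symptom the post describes: an
# in-memory copy that was modified without the file on disk changing.
#
# Assumptions (not from the post):
#   - dd supports iflag=direct (GNU and recent busybox coreutils do);
#   - the filesystem honours O_DIRECT; where it refuses, we say "inconclusive".

# check_page_cache FILE
#   0 = page-cache copy matches disk
#   1 = page-cache copy differs from disk: investigate
#   2 = inconclusive (file unreadable or O_DIRECT refused)
check_page_cache() {
    file=$1
    [ -f "$file" ] && [ -r "$file" ] || return 2
    tmp=$(mktemp) || return 2
    # iflag=direct bypasses the page cache, so $tmp holds what is on disk.
    if ! dd if="$file" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    # cmp opens $file normally, i.e. it sees the page-cache copy.
    if cmp -s "$file" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# describe_status RC FILE: one report line per file.
describe_status() {
    case $1 in
        0) word=ok;           note="" ;;
        1) word=MISMATCH;     note="  (page cache differs from disk)" ;;
        *) word=inconclusive; note="  (O_DIRECT unsupported or file unreadable)" ;;
    esac
    printf '%-12s %s%s\n' "$word" "$2" "$note"
}

# scan_setuid: check every setuid-root binary in the usual directories, the
# targets worth corrupting for a root-via-su attack like the one described.
scan_setuid() {
    find /usr/bin /usr/sbin /bin /sbin -xdev -type f -perm -4000 2>/dev/null |
    while read -r f; do
        check_page_cache "$f" && rc=0 || rc=$?
        describe_status "$rc" "$f"
    done
}

# With arguments, check those files; with none, scan setuid binaries.
if [ "$#" -gt 0 ]; then
    for f; do
        check_page_cache "$f" && rc=0 || rc=$?
        describe_status "$rc" "$f"
    done
else
    scan_setuid
fi
```

Two caveats when reading the output. A file that is legitimately being written has dirty pages that also differ from disk, so run this against quiescent system binaries, not busy data files. And if an attacker went on to rewrite the file on disk as well, both copies agree and this check sees nothing; pair it with the package manager's own verification (rpm -V or dpkg --verify) so the on-disk copy is checked against a known-good hash too.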
There have been several reported cases of Copy Fail and its cousins being leveraged by attackers in the last month. CISA has reported that bad actors have been exploiting the vulnerability in the wild and has added it to the Known Exploited Vulnerabilities (KEV) catalog. There have also been several reports of bad actors pulling the PoC code directly from the copy.fail disclosure site.
Additionally, Microsoft has reported seeing Dirty Frag used in attacks in the wild. In that case attackers targeted vulnerable systems running GLPI, an open source service management tool. Having established initial access, the bad actors triggered the Dirty Frag exploit to gain root access. They then modified a GLPI LDAP authentication file, reviewed the GLPI directories and configuration, and accessed sensitive data and active PHP sessions.
The best way to deal with Copy Fail and other page cache Linux exploits is to patch any vulnerable Linux systems, as fixes are available for most affected distributions.
That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, drop us a line.
