Microsoft has rolled out its largest Patch Tuesday update to date, addressing a record 206 security vulnerabilities across its software ecosystem. The update includes three publicly disclosed zero-day vulnerabilities and dozens of critical flaws that could allow attackers to gain unauthorized access, execute malicious code, or bypass security protections.
Breakdown of the June 2026 Security Update
Among the 206 vulnerabilities fixed this month:
- 39 vulnerabilities are rated Critical
- 167 vulnerabilities are rated Important
The affected flaws span multiple categories, including:
- 63 Privilege Escalation vulnerabilities
- 56 Remote Code Execution (RCE) vulnerabilities
- 30 Information Disclosure vulnerabilities
- 27 Spoofing vulnerabilities
- 20 Security Feature Bypass vulnerabilities
- 7 Denial-of-Service (DoS) vulnerabilities
- 3 Tampering vulnerabilities
Microsoft also addressed two externally assigned CVEs affecting the Windows Kernel and UEFI Secure Boot. In addition, the company incorporated fixes for more than 350 Chromium vulnerabilities, impacting users of Microsoft Edge.
Critical Windows Kernel Vulnerability Leads the List
One of the most severe flaws addressed is CVE-2026-45657, a Windows Kernel use-after-free vulnerability with a CVSS score of 9.8.
Security researchers warn that attackers could exploit the flaw by sending specially crafted network traffic to vulnerable Windows systems. Successful exploitation may allow remote code execution with SYSTEM-level privileges without requiring authentication or user interaction.
Because the attack can be performed remotely and requires no user action, organizations should prioritize patching affected systems immediately.
Additional High-Risk Vulnerabilities
CVE-2026-47291 – Windows HTTP.sys Remote Code Execution
This critical vulnerability involves an integer overflow issue within Windows HTTP.sys. Attackers can exploit the flaw remotely to execute arbitrary code on affected systems.
CVE-2026-44815 – Windows DHCP Client Buffer Overflow
Another critical vulnerability, CVE-2026-44815, affects the Windows DHCP Client service and carries a CVSS score of 9.8.
Security experts note that no credentials or user interaction are required for exploitation. Attackers can send specially crafted DHCP network traffic to compromise systems, potentially leading to:
- Full system takeover
- Malware deployment
- Data theft
- Service disruptions
- Lateral movement within enterprise networks
Since DHCP is a core networking function, organizations are advised to treat this vulnerability as a high-priority patching target.
BitLocker Security Bypass Vulnerabilities Patched
Microsoft also fixed CVE-2026-45585, a Windows BitLocker security feature bypass vulnerability. The issue gained attention after a proof-of-concept exploit known as YellowKey was publicly released by security researcher Chaotic Eclipse.
Several additional BitLocker-related security bypass flaws were patched, including:
- CVE-2026-45655
- CVE-2026-45658
- CVE-2026-50507
If exploited, these vulnerabilities could allow attackers with physical access to bypass device encryption protections and access sensitive data stored on encrypted drives.
Researchers believe CVE-2026-50507 addresses another BitLocker bypass technique known as Bitskrieg, which reportedly enables complete access to encrypted data.
Publicly Disclosed Zero-Day Vulnerabilities
Three vulnerabilities addressed in this update were publicly disclosed before patches became available:
CVE-2026-50507
BitLocker security feature bypass vulnerability.
CVE-2026-45586
Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability.
CVE-2026-49160
HTTP.sys denial-of-service vulnerability.
The HTTP.sys flaw is associated with an attack technique called HTTP2/Bomb, capable of overwhelming web servers and causing service outages within seconds.
Testing demonstrated that an IIS server could consume 64 GB of RAM in under a minute when targeted by the attack.
To mitigate the issue, Microsoft introduced a new registry setting called MaxHeadersCount, allowing administrators to limit the number of HTTP/2 and HTTP/3 request headers processed by servers.
MiniPlasma and GreenPlasma Vulnerabilities Addressed
The June 2026 update also includes fixes for vulnerabilities publicly disclosed by researcher Chaotic Eclipse:
GreenPlasma
Researchers believe CVE-2026-45586 addresses the GreenPlasma privilege escalation exploit, which could grant attackers elevated access on Windows systems.
MiniPlasma
Microsoft confirmed that the latest updates fully address vulnerabilities associated with MiniPlasma, which was identified as an incomplete fix for CVE-2020-17103, originally patched in 2020.
Organizations are encouraged to install the June 2026 updates to ensure complete protection.
AI Driving Rapid Growth in Vulnerability Discovery
Cybersecurity experts believe the unprecedented number of vulnerabilities patched by Microsoft is largely driven by advancements in artificial intelligence-powered security research.
AI-assisted vulnerability discovery tools are enabling researchers to identify software flaws at a much faster pace than traditional methods.
According to industry analysts, the total number of Microsoft vulnerabilities disclosed in 2026 has already surpassed the number reported during the entire year of 2018.
While AI is helping uncover security weaknesses more efficiently, experts warn that software vendors will face increasing pressure to maintain patch quality and response speed as vulnerability disclosures continue to rise.
New Microsoft Defender Zero-Day Emerges
Adding to the growing list of concerns, researcher Chaotic Eclipse recently released a proof-of-concept exploit for a newly discovered Microsoft Defender zero-day called RoguePlanet.
The vulnerability is described as a race-condition flaw that could allow attackers to launch a Windows command prompt with SYSTEM-level privileges, potentially providing complete control over affected machines.
As security researchers continue to uncover new attack vectors, organizations should ensure timely deployment of Microsoft’s latest security updates and maintain proactive vulnerability management practices.
Final Thoughts
Microsoft’s June 2026 Patch Tuesday marks a historic milestone with 206 vulnerabilities fixed in a single release. The update includes multiple critical remote code execution flaws, publicly disclosed zero-days, BitLocker bypass vulnerabilities, and important mitigations for emerging attack techniques.
Organizations and IT administrators should prioritize patch deployment, especially for internet-facing systems, DHCP infrastructure, HTTP services, and devices relying on BitLocker encryption, to minimize exposure to active and future threats.
