
Microsoft Patch Tuesday Disrupts 206 Vulnerabilities, Including Zero-Days


Microsoft on Tuesday released fixes for a record 206 security vulnerabilities affecting its software portfolio, including three flaws that had already been publicly disclosed at the time of release.

Scope, severity and categories: 206 CVEs in one month

Of the 206 flaws Microsoft patched, 39 are rated Critical and 167 are rated Important. The vulnerability breakdown includes 63 privilege escalation, 56 remote code execution (RCE), 30 information disclosure, 27 spoofing, 20 security feature bypass, seven denial-of-service, and three tampering vulnerabilities. The update window also included two non-Microsoft CVEs: a Windows Kernel privilege escalation (CVE-2025-10263) and a UEFI Secure Boot security feature bypass (CVE-2026-8863). Microsoft noted these fixes come alongside more than 350 security flaws Google addressed in Chromium, which is used in Microsoft Edge.

CVE-2026-45657 and other high-risk RCEs

Topping the list is CVE-2026-45657 (CVSS score: 9.8), a use-after-free flaw in the Windows Kernel that Microsoft warned “could result in remote code execution.” Microsoft said, “An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system. If successful, the malicious network packets could trigger a flaw in how the Windows kernel processes certain TCP/IP data, potentially allowing the attacker to run code with system-level privileges without needing to sign in or interact with a user.”

Other high-severity, network-exploitable bugs include CVE-2026-47291 (CVSS 9.8), an integer overflow or wraparound in Windows HTTP.sys, and CVE-2026-44815 (CVSS 9.8), a stack-based buffer overflow in the Windows DHCP Client. Commenting on the DHCP client bug, Alex Vovk, CEO and co-founder of Action1, said: “This flaw needs no credentials or user action and can turn network traffic into a full system compromise.” He added that systems configured for DHCP services can be targeted with “specially crafted network traffic,” and that such systems “should be treated as high-priority patch targets.”

BitLocker bypasses, Chaotic Eclipse disclosures, and public PoCs

Microsoft patched several BitLocker and security feature bypasses, including CVE-2026-45585 (CVSS 6.8). The company noted that a proof-of-concept exploit called YellowKey was released by security researcher Chaotic Eclipse (aka Nightmare-Eclipse) last month. For these issues, Microsoft said that “an attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

Will Dormann, a security researcher, assessed CVE-2026-50507 as a fix for a BitLocker bypass dubbed bitskrieg that “grants full access to encrypted data.” CVE-2026-50507 is listed as a publicly disclosed zero-day in the update, along with CVE-2026-49160 and CVE-2026-45586. CVE-2026-45586 (CVSS 7.8) is a Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability suspected to be a fix for a zero-day exploit Chaotic Eclipse released under the name GreenPlasma. Separately, Chaotic Eclipse released a PoC for a Microsoft Defender zero-day called RoguePlanet, described as “a race condition that could be used to spawn a Windows command prompt with SYSTEM privileges.”

HTTP.sys denial-of-service, HTTP2/Bomb testing, and Microsoft mitigation

CVE-2026-49160 (CVSS 7.5) affects HTTP.sys and is tied to the HTTP2/Bomb attack technique, which can knock web servers offline in seconds. Tests conducted by Calif showed an IIS server exhausting 64 GB of RAM in about 45 seconds. To mitigate the issue, Microsoft introduced a new registry setting, “MaxHeadersCount,” to limit the number of headers in HTTP/2 and HTTP/3 requests. Microsoft said: “Limiting HTTP headers can help protect systems and servers from excessive memory use, high CPU consumption, and denial-of-service attacks.” The company added that enforcing a header limit such as MaxHeadersCount “can help maintain performance and reliability.”

How technologists and security teams, affected enterprises, and end users are responding

  • Technologists and security teams: With three publicly disclosed zero-days and multiple network-exploitable RCEs, teams are being pushed to triage and deploy a large volume of patches quickly. Microsoft specifically recommended installing the June 2026 updates to comprehensively address the MiniPlasma issue tied to CVE-2020-17103. Security practitioners will also need to prioritize systems handling DHCP traffic and any systems providing BitLocker-encrypted storage.
  • Affected enterprises and procurement leaders: Enterprises running Edge should note Google addressed more than 350 Chromium flaws that land in Microsoft’s browser stack. Organizations that operate IIS or other HTTP/2/3 servers should evaluate applying the new MaxHeadersCount registry limit to prevent HTTP2/Bomb-style exhaustion.
  • End users and the general public: For BitLocker-related fixes, Microsoft warned that “an attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data,” a reminder that some attack vectors still depend on physical access even as others are network-exploitable.
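The triage the bullets above describe (DHCP-facing hosts, BitLocker-protected volumes, and HTTP.sys servers without the new header limit) can be turned into a per-host exposure check. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes MaxHeadersCount lives under the usual HTTP.sys tuning key (the article names the value but not its path or data type) and must run elevated.

```powershell
# Added patch-prioritization triage for one Windows host. Run as Administrator.
# ASSUMPTION: MaxHeadersCount is read from the standard HTTP.sys parameters key;
# the article does not state the value's location or type.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. DHCP client exposure: connected IPv4 interfaces that obtain addresses via DHCP.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled -ErrorAction SilentlyContinue |
    Where-Object { $_.ConnectionState -eq 'Connected' }
$report['DhcpEnabledInterfaces'] = @($dhcpIfaces | Select-Object -ExpandProperty InterfaceAlias)

# 2. BitLocker: volumes with protection turned on (the physical-access bypasses apply here).
$blVolumes = @()
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $blVolumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.ProtectionStatus -eq 'On' }
}
$report['BitLockerProtectedVolumes'] = @($blVolumes | Select-Object -ExpandProperty MountPoint)

# 3. HTTP.sys: is the kernel driver running, and has MaxHeadersCount been configured?
$httpDrv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'" -ErrorAction SilentlyContinue
$report['HttpSysRunning'] = ($null -ne $httpDrv -and $httpDrv.State -eq 'Running')
$maxHeaders = (Get-ItemProperty -Path $HttpParams -Name MaxHeadersCount -ErrorAction SilentlyContinue).MaxHeadersCount
$report['MaxHeadersCountConfigured'] = ($null -ne $maxHeaders)
$report['MaxHeadersCountValue'] = $maxHeaders

# 4. Derive a priority tier from the findings, citing the CVEs the article ties to each condition.
$reasons = @()
if ($report['DhcpEnabledInterfaces'].Count -gt 0) {
    $reasons += 'DHCP client exposure (CVE-2026-44815)'
}
if ($report['HttpSysRunning'] -and -not $report['MaxHeadersCountConfigured']) {
    $reasons += 'HTTP.sys running without MaxHeadersCount (CVE-2026-49160)'
}
if ($report['BitLockerProtectedVolumes'].Count -gt 0) {
    $reasons += 'BitLocker-protected volumes present (physical-access bypasses)'
}
$report['Priority'] = if ($reasons.Count -gt 0) { 'High' } else { 'Normal' }
$report['Reasons']  = $reasons

[pscustomobject]$report | Format-List
```

A host tagged High here is one the bullets above say to patch first; the MaxHeadersCount check only reports presence, so choose the limit value from Microsoft's guidance for your workload.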

The surge in patches this month has been linked to AI-assisted vulnerability discovery. “Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday,” said Satnam Narang, senior staff research engineer at Tenable. Dustin Childs, head of threat awareness at TrendAI's Zero Day Initiative (ZDI), described the volume as “a testament to how AI is supercharging flaw discovery at an uncontrollable scale,” and cautioned some testers may “wonder what quality issues may exist” in such a large patch set.

The June 2026 updates bundle urgent fixes and a steady stream of public proofs-of-concept into a single Patch Tuesday — and Microsoft’s recommendation to install these updates for issues such as MiniPlasma is explicit. The pace of AI-aided discovery, public PoC releases by Chaotic Eclipse, and mitigations like MaxHeadersCount together make this release a pivotal moment: defenders must deploy patches and re-evaluate exposure quickly while watching for follow-on exploit activity and additional PoCs.

Original story at The Hacker News