
Microsoft Patch Tuesday Release Sets Record with 206 CVEs Addressed


Microsoft set a record with its June Patch Tuesday release, addressing 206 CVEs across its products. Of those, 38 are rated critical and the remainder important.

Record volume, and a trend that was predicted

June’s bulletin surpassed May’s in both overall volume and number of critical bugs. Tom Gallagher, VP of engineering at the Microsoft Security Response Center, had already warned that releases were growing: “We expect releases to continue trending larger for some time.” Dustin Childs, Zero Day Initiative’s bug hunter in chief, said he has “been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time.” Childs added that the magnitude of the release “does raise concerns” and pointed out that the number of CVEs Microsoft has shipped so far this year already exceeds the total for all of 2018.

The three publicly known CVEs and how they work

Only three of the 206 fixes were listed as publicly known before the release, and none were listed as under active exploitation at the time of publication.

  • CVE-2026-49160 (HTTP.sys denial of service). Researcher Quang Luong discovered the issue with an assist from OpenAI’s Codex agent and named the technique “HTTP/2 Bomb.” The attack abuses HTTP/2 header compression: a flood of thousands of tiny messages forces the server to allocate memory rapidly until it crashes. Because HTTP.sys is the kernel-mode HTTP stack shared by IIS, WinRM and other listeners, a crash there takes every service bound to it down with it. Microsoft mitigated the problem by introducing a new MaxHeadersCount registry setting that limits the number of headers in HTTP/2 and HTTP/3 requests.
  • CVE-2026-50507 (BitLocker security feature bypass). Microsoft’s advisory describes this as a security feature bypass in Windows BitLocker in which an attacker with physical access could bypass the BitLocker Device Encryption feature and read the device’s encrypted data. The advisory further ties the fix to an ongoing exchange with a bug hunter known as Nightmare Eclipse, which makes it likely a patch for the previously disclosed YellowKey issue. Nightmare has published details and, in some cases, proof-of-concept exploit code for six zero-days and has promised a “bone shattering” release on June 14. The advisory does not say which unlock configurations are affected, so whether the usual compensating control for physical-access attacks (pre-boot authentication with TPM plus PIN rather than TPM-only unlock) helps here is not something the published material settles.
  • CVE-2026-45586 (Windows Collaborative Translation Framework / CTFMON elevation of privilege). An authorized local attacker could abuse the flaw to elevate privileges to SYSTEM and then deploy malware, steal data, or move laterally.

Two 9.8-rated criticals that demand attention

Among the 38 critical flaws, two carry a CVSS score of 9.8, and their risk profiles differ in ways administrators should weigh immediately.

  • CVE-2026-45657 (Windows kernel remote code execution). This RCE arises from how the Windows kernel processes certain TCP/IP data. It can be triggered by sending malicious network packets and requires no user interaction. Microsoft rates it “exploitation less likely,” but Dustin Childs warned: “Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Test and deploy this patch quickly.”
  • CVE-2026-47291 (HTTP.sys remote code execution). Also rated 9.8, and considered “more likely” to be exploited, this flaw affects services that process HTTP traffic. Alex Vovk, CEO and co‑founder of patch-management vendor Action1, told The Register that the vulnerability “creates severe business risk” because exploitation could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement. Microsoft notes that systems using the default value of the Windows HTTP stack’s MaxRequestBytes registry setting are not affected, so the interim check is simply whether that value has been overridden on a given host; the advisory provides detailed registry-editing instructions that can buy administrators time while the patch rolls out.
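The two registry mitigations above (the existing MaxRequestBytes value for CVE-2026-47291 and the new MaxHeadersCount value for CVE-2026-49160) are the kind of thing an administrator wants to audit across a fleet before the patch lands. The following PowerShell is an added example, not code from the article, The Register, or Microsoft. It assumes, since the article does not say, that both values are REG_DWORDs under the HTTP.sys Parameters key, that the documented HTTP.sys default for MaxRequestBytes (16384) is the “default” Microsoft refers to, and that HTTP.sys only reads these values when the driver starts; the recommended MaxHeadersCount value is also not given in the article, so it is a parameter here.

```powershell
# Added example (not from the article or Microsoft): audit and, on request,
# adjust the two HTTP.sys registry values discussed above.
# Assumptions not stated in the article:
#   - both values are REG_DWORDs under the HTTP.sys Parameters key below;
#   - HTTP.sys reads them only at driver start, so a change needs
#     'net stop http' / 'net start http' (which also stops IIS, WinRM and
#     anything else bound to HTTP.sys) or a reboot.
# Run from an elevated PowerShell session on the Windows host being checked.

$HttpParams             = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$MaxRequestBytesDefault = 16384    # documented HTTP.sys default (16 KB)

function Get-HttpSysMitigationState {
    # Report whether MaxRequestBytes is at its default (hosts at the default are
    # not affected by CVE-2026-47291, per the article) and whether the new
    # MaxHeadersCount value has been configured (assumed to exist only once the
    # June update is installed).
    [CmdletBinding()]
    param([string]$Path = $HttpParams)

    $p      = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $maxReq = $p.MaxRequestBytes
    $maxHdr = $p.MaxHeadersCount

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        MaxRequestBytes           = $maxReq
        MaxRequestBytesIsDefault  = ($null -eq $maxReq) -or ($maxReq -eq $MaxRequestBytesDefault)
        MaxHeadersCountConfigured = $maxHdr
        NeedsAttention            = (($null -ne $maxReq) -and ($maxReq -ne $MaxRequestBytesDefault)) -or ($null -eq $maxHdr)
    }
}

function Reset-HttpSysMaxRequestBytes {
    # Interim control for CVE-2026-47291: remove a non-default MaxRequestBytes override.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $HttpParams)

    $current = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).MaxRequestBytes
    if (($null -eq $current) -or ($current -eq $MaxRequestBytesDefault)) {
        Write-Verbose 'MaxRequestBytes already at default; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, "Remove MaxRequestBytes override (current value $current)")) {
        Remove-ItemProperty -Path $Path -Name 'MaxRequestBytes'
        Write-Warning 'Restart HTTP.sys (net stop http / net start http) or reboot for the change to take effect.'
    }
}

function Set-HttpSysMaxHeadersCount {
    # Mitigation for CVE-2026-49160: cap the number of headers per HTTP/2 and
    # HTTP/3 request. The article gives no recommended value; choose one from
    # your own traffic profile and test it against legitimate clients first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Count,
        [string]$Path = $HttpParams
    )

    if (-not (Test-Path $Path)) { throw "HTTP.sys parameters key not found: $Path" }
    if ($PSCmdlet.ShouldProcess($Path, "Set MaxHeadersCount = $Count")) {
        New-ItemProperty -Path $Path -Name 'MaxHeadersCount' -PropertyType DWord -Value $Count -Force | Out-Null
        Write-Warning 'Restart HTTP.sys (net stop http / net start http) or reboot for the change to take effect.'
    }
}

# Usage: audit first, then preview the changes with -WhatIf before applying them.
Get-HttpSysMitigationState | Format-List
# Reset-HttpSysMaxRequestBytes -WhatIf
# Set-HttpSysMaxHeadersCount -Count 100 -WhatIf
```

Because the audit function returns an object rather than printing text, it can be run across many hosts with Invoke-Command and the results filtered on NeedsAttention. Setting MaxHeadersCount on a host that does not yet have the June update is assumed to be harmless but ineffective, since the value is described as new in this release.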

AI’s role, and unanswered technical questions

The bulletin and related commentary repeatedly raise AI as an explanatory factor without hard attribution. “We have no idea how many of these June bugs were uncovered using AI tools,” the reporting notes. Unlike May’s Patch Tuesday, when Microsoft disclosed that its agentic bug‑hunting system found 16 of 137 vulnerabilities, Redmond did not say whether AI-assisted systems contributed to this month’s findings. Observers quoted in the story ask parallel questions: how many bugs were found by AI, how many patches were written or tested with AI assistance, and what quality issues might follow from higher-volume, possibly AI‑assisted workflows.

What this means for technologists, sysadmins, and threat actors

  • Technologists and security teams: Should accelerate testing and deployment of the most severe fixes, especially CVE-2026-45657 and CVE-2026-47291, and consider the registry-based mitigations Microsoft published as an interim control.
  • Sysadmins and vulnerability management teams: Face a growing operational burden from larger monthly releases. Dustin Childs and others urge rapid patching, and Microsoft’s registry guidance (the new MaxHeadersCount value and the existing MaxRequestBytes value) offers practical stopgaps while full deployments proceed.
  • Adversaries and bug hunters: The disclosure of high-severity fixes and the presence of publicly known issues (including prior PoCs from Nightmare Eclipse) mean researchers and attackers alike are likely to reverse the patches quickly to probe for exploitability, increasing the urgency of remediation.

Microsoft shipped an unprecedented volume of fixes in June. While none of the patched bugs are listed as under active attack at present, the mix of high-severity remote code execution flaws, a physical‑access BitLocker bypass, and public disclosures (including a researcher’s AI-assisted find and Nightmare Eclipse’s promised release) leaves defenders a narrow window to act. The practical next steps are already in the advisories: apply the patches, use the registry mitigations where applicable, and prioritize the 9.8-rated flaws that can be triggered without user interaction. Whether this level of monthly output is “the new normal,” as Dustin Childs and others wonder, will be answered by the months ahead, and by whether Microsoft discloses more about how AI factored in.

Source: The Register — AI is making Patch Tuesday (kinda) fun again