Microsoft Unveils Record 200 Patches, Warns of Rising AI-Driven Flaws

“Microsoft today released software updates to plug nearly 200 security holes,” the company said — a record number for a single Patch Tuesday and a package heavy with critical fixes, public exploit code, and signs that this scale of vulnerability disclosure may be the new normal.

The scale: nearly 200 fixes, nearly three dozen critical

Microsoft’s June 2026 update cycle addressed almost 200 security flaws across Windows and supported software, including “nearly three dozen” that Microsoft rated as critical. Security researchers flagged that at least three of the patched weaknesses already had exploit code publicly available when the updates shipped.

Experts tracked the change in discovery dynamics. Satnam Narang, senior staff research engineer at Tenable, told reporters that both Microsoft engineers and the security community are increasingly using artificial intelligence to find bugs: “Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang said. “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.”

Two zero-days called out: CVE-2026-49160 and CVE-2026-50507

June’s batch included multiple zero-day fixes. CVE-2026-49160 is a denial-of-service vulnerability that affects a range of web servers, including Microsoft Internet Information Services (IIS); Microsoft says the flaw “was reported by OpenAI’s Codex.” Another zero-day this month patched an elevation-of-privilege bug in BitLocker, listed as CVE-2026-50507. That fix follows a recent exploit disclosure known as “YellowKey,” which Nightmare Eclipse released last month and which allowed an attacker with physical access to view encrypted data.

Microsoft’s advisories for CVE-2026-49160 and CVE-2026-50507 do not credit any individual researchers in the acknowledgement section, stating only that “Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.”

Nightmare Eclipse: public exploit drops, claims, and a July 14 pledge

The June cycle intersected with a highly visible string of public exploit posts by a researcher who uses the handle Nightmare Eclipse. The researcher has been releasing exploits for various Windows flaws; a recent post included an exploit called “GreenPlasma,” which leverages an elevation-of-privilege weakness in the Windows Collaborative Translation Framework — the same framework Microsoft patched this month as CVE-2026-45586.

Nightmare Eclipse claims to be a former Microsoft employee, a claim Microsoft “has not responded to questions about.” Rapid7 noted that a recent blog post by Nightmare Eclipse referenced, and included an image of, Albert Wesker, a character from the Resident Evil video game series. The researcher pledged a “bone shattering” drop planned for July 14 — coincidentally the next Patch Tuesday — and, immediately after Microsoft released June’s patches, published an exploit they said targeted a zero-day in Windows Defender.

Microsoft endured social-media blowback last month after saying in a blog post it was considering taking legal action against the researcher. The company later clarified on Twitter/X that it “has no intention of pursuing legal actions against researchers,” but that it would report researchers “to authorities if they break the law.”

Visual Studio Code zero-day, Shai‑Hulud infections, and outsized updates from Adobe and Google

Microsoft also patched a Visual Studio Code zero-day that allows attackers to steal GitHub tokens with a single click. The company had pushed a stopgap fix on June 3 after a researcher published exploit instructions and declined to work with Microsoft, citing a recent experience where Redmond “silently patched a flaw they reported without offering credit or recognition,” the researcher said.

Internally, Microsoft wrestled last week with at least 72 public code repositories infected with a variant of the Shai‑Hulud worm. Researchers found that all affected packages were connected to Microsoft’s official Azure Durable Task SDK, which itself was hit by the same worm in May.

The heavy June update posture extended beyond Microsoft. Adobe released updates to fix a large number of critical vulnerabilities across products such as Adobe Experience Manager, Acrobat Reader and ColdFusion. Google resolved 429 vulnerabilities in its Chrome browser on June 3; Rapid7’s Adam Barnett noted that “so far this month, Microsoft has provided patches to address 360 browser vulnerabilities,” and added that Microsoft’s Patch Tuesday totals do not include browser flaws. Barnett wrote that the “vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update Guide.”

How technologists, enterprise security teams, and end users are likely to respond

  • Technologists and security teams: With multiple zero-days and at least three publicly available exploits in circulation, teams will need to prioritize patching of the specific CVEs named in this cycle (including CVE-2026-49160, CVE-2026-50507, and CVE-2026-45586), monitor for additional public exploit disclosures, and track the promised July 14 drop by Nightmare Eclipse.
  • Enterprise procurement and supply‑chain teams: The Shai‑Hulud infections tied to the Azure Durable Task SDK underline risks in code‑repository supply chains; organizations that consume affected packages will have to inventory dependencies and validate upstream fixes.
  • End users and administrators: Browser fixes are an outsized part of this month’s work — Google’s June 3 Chrome update addressed 429 vulnerabilities — and Microsoft’s advisories note browser CVEs are counted separately from Patch Tuesday totals. As the original advisory closed, “please consider backing up your data before applying operating system updates.”

June’s Patch Tuesday closed with more questions than usual: whether AI-driven discovery will sustain or accelerate this pace, how vendors will handle researcher relations when exploit code is publicly posted, and whether the July 14 date heralds another disruptive collision of public exploits and coordinated patching. The one concrete datum is the surge itself — nearly 200 fixes and scores of browser and product updates — and the operational load it places on defenders.

Read the original Krebs on Security story