Microsoft's June Patch Tuesday Hits a Record 206 Fixes, With Three Active Zero-Days and Wormable Kernel Bugs
#Vulnerabilities

Security Reporter

Microsoft shipped fixes for 206 vulnerabilities this month, a record load that researchers attribute directly to AI-assisted bug hunting. Three are publicly disclosed zero-days, and several critical remote code execution flaws need no login and no clicks to exploit.

Microsoft closed out its June 2026 Patch Tuesday with the largest single-month batch it has ever shipped: 206 vulnerabilities, including three that were already public knowledge before the patches landed. For defenders who plan their month around the second Tuesday, this one is a heavy lift, and the people who study these releases think it is the new baseline rather than an outlier.

The breakdown is what you would expect from a portfolio as wide as Windows, but the volume is not. Of the 206 flaws, 39 carry a Critical rating and 167 are Important. By category, that is 63 privilege escalation bugs, 56 remote code execution flaws, 30 information disclosure issues, 27 spoofing vulnerabilities, 20 security feature bypasses, seven denial-of-service conditions, and three tampering problems. Two non-Microsoft CVEs ride along in the update as well: a Windows Kernel privilege escalation (CVE-2025-10263) and a UEFI Secure Boot bypass (CVE-2026-8863). That count does not even include the 350-plus Chromium fixes Google pushed, which flow downstream into Edge.

The bugs that should jump your queue

Three remote code execution flaws share a CVSS score of 9.8, and all three matter because they ask almost nothing of the attacker.

The headliner is CVE-2026-45657, a use-after-free in the Windows Kernel reachable over the network. Microsoft describes the attack path plainly: an attacker sends specially crafted network traffic, the kernel mishandles certain TCP/IP data, and code runs at system level. No sign-in, no user interaction. That combination of unauthenticated, network-facing, and system-level is exactly the profile that turns into a worm, and it is the kind of bug you patch before you finish reading the rest of the bulletin.

Close behind are CVE-2026-47291, an integer overflow in HTTP.sys that lets an unauthorized attacker run code over the network, and CVE-2026-44815, a stack-based buffer overflow in the Windows DHCP Client. The DHCP one drew specific concern from Alex Vovk, CEO and co-founder of Action1.

"This flaw needs no credentials or user action and can turn network traffic into a full system compromise," Vovk said. He pointed out that DHCP sits at the core of how networks function, which raises the stakes. "Successful exploitation could lead to server compromise, malware deployment, data theft, service disruption, and movement deeper into the network. Systems handling DHCP traffic should be treated as high-priority patch targets."

The practical takeaway: if you run Windows systems acting as DHCP servers or relays, or anything exposing HTTP.sys to untrusted networks, those move to the front of the line ahead of the broader rollout.

Three zero-days, and a pattern of named PoCs

This month's publicly disclosed zero-days are CVE-2026-50507, CVE-2026-49160, and CVE-2026-45586. None are rated Critical, but public disclosure means the clock was already running before the patch arrived.

CVE-2026-50507 is a BitLocker security feature bypass. According to researcher Will Dormann, it is the fix for a bypass dubbed bitskrieg that grants full access to encrypted data. It is one of several BitLocker bypasses patched this month, alongside CVE-2026-45655, CVE-2026-45658, and CVE-2026-45585, the last of which had a proof-of-concept named YellowKey released by researcher Chaotic Eclipse last month. The common thread across these is physical access: an attacker who can get hands on the device could reach data the encryption was supposed to protect. For most organizations that reframes BitLocker as one layer rather than a guarantee, especially for laptops that leave the building.

CVE-2026-45586 is a Windows Collaborative Translation Framework (CTFMON) privilege escalation flaw, suspected to address a zero-day exploit Chaotic Eclipse published as GreenPlasma. The same researcher also disclosed MiniPlasma, which Microsoft says was an incomplete fix for CVE-2020-17103 from December 2020. Microsoft's guidance is to install the June 2026 updates to fully close that older issue, a reminder that a five-year-old CVE can resurface when someone finds the original patch left a gap.

The third zero-day, CVE-2026-49160, is a denial-of-service bug in HTTP.sys tied to an attack technique called HTTP2/Bomb. This one is worth understanding because the mechanics are vivid. In testing by Calif, an IIS server burned through 64 GB of RAM in roughly 45 seconds. The attack abuses how HTTP/2 and HTTP/3 handle header compression, HPACK for HTTP/2 and QPACK for HTTP/3, where complex protocol processing can be weaponized into runaway memory use.

Microsoft's fix introduces a new MaxHeadersCount registry setting to cap the number of headers in HTTP/2 and HTTP/3 requests. "Limiting HTTP headers can help protect systems and servers from excessive memory use, high CPU consumption, and denial-of-service attacks," the company said. If you operate IIS or other Windows web front ends, patching is step one, but reviewing that header limit is the durable control. The broader HTTP/2 Bomb class has also been reported against NGINX, Apache, Envoy, and Cloudflare, so this is not a Windows-only concern.
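To make the MaxHeadersCount review a repeatable check rather than a one-off, here is an added PowerShell audit script; it is not from the article or from Microsoft. It assumes the value is a DWORD under the standard HTTP.sys parameters key (HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) and that the HTTP service must be restarted for a change to apply; the cap of 100 is a placeholder to replace with a figure derived from your own traffic.

```powershell
# Added example, not from the article or from Microsoft: audit and optionally set the
# HTTP.sys MaxHeadersCount value that the June update introduces.
# ASSUMPTIONS: the value lives under the HTTP.sys parameters key below, is a DWORD, and
# takes effect after the HTTP service restarts. Verify all three against Microsoft's
# advisory before use; the cap value 100 is an illustrative placeholder, not guidance.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$DesiredCap = 100,   # placeholder; derive the real cap from your traffic profile
    [switch]$Enforce          # without this switch the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'  # assumed location
$ValueName = 'MaxHeadersCount'

if (-not (Test-Path $KeyPath)) {
    Write-Warning "HTTP.sys parameters key not found; is HTTP.sys present on this host?"
    return
}

# Read the current value; $null means the host is still on the built-in default.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

if ($null -eq $current) {
    Write-Output "$ValueName is not set: HTTP.sys is using its built-in default."
} elseif ($current -gt $DesiredCap) {
    Write-Output "$ValueName is $current, above the desired cap of $DesiredCap."
} else {
    Write-Output "$ValueName is $current (at or below the cap). Nothing to do."
    return
}

if (-not $Enforce) {
    Write-Output "Re-run with -Enforce to write $ValueName=$DesiredCap (supports -WhatIf)."
    return
}

if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $DesiredCap")) {
    # -Force creates the value if missing or overwrites an existing one in place.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $DesiredCap -Force | Out-Null
    Write-Output "Wrote $ValueName=$DesiredCap. Restart the HTTP service (and IIS) for it to apply."
}
```

Run it without switches across the fleet first to inventory which hosts still sit on the default, then roll out -Enforce only after the patch itself is confirmed installed.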

Why the numbers keep climbing

The most interesting story in this release is not any single bug. It is why there are so many. Both Microsoft and outside researchers point to AI-assisted vulnerability discovery as the engine behind the record count.

"Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday," said Satnam Narang, senior staff research engineer at Tenable.

Dustin Childs, who heads threat awareness at Trend's Zero Day Initiative, put a sharper edge on it. "The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018," he said. "It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist."

That last point deserves attention. When discovery accelerates faster than testing, the risk shifts from missing bugs to shipping patches that introduce regressions. For administrators, the lesson is not to slow patching but to keep a tested rollback path and to stage critical systems before a blanket deployment. The volume itself is becoming an operational problem, and the teams that handle it well will be the ones who triage by exposure rather than trying to deploy everything at once.

This is part of a wider shift. Autonomous tooling has been surfacing flaws across the ecosystem, from 21 zero-days reported in FFmpeg to a two-year-old RCE in Redis tracked as CVE-2026-23479. Defenders are now living in a world where both sides have the same accelerant.

What to do this week

If you manage Windows fleets, the priority order is straightforward. Patch the unauthenticated network RCE bugs first: CVE-2026-45657 in the kernel, CVE-2026-47291 in HTTP.sys, and CVE-2026-44815 in the DHCP client. Treat DHCP servers and internet-facing web services as high-value targets. Apply the zero-day fixes next, and for the HTTP/2 Bomb issue, set MaxHeadersCount on your IIS hosts as a lasting mitigation rather than relying on the patch alone. Revisit your assumptions about BitLocker for any device that travels.

One more item landed outside the bulletin: Chaotic Eclipse released a proof-of-concept for a Microsoft Defender zero-day named RoguePlanet, described as a race condition that can spawn a command prompt with SYSTEM privileges. It is not in this month's fixes, so keep an eye on Microsoft's advisories for follow-up guidance. As the monthly counts keep growing, the organizations that fare best will be the ones that build patching around exposure and evidence instead of trying to swallow 200-plus CVEs in a single gulp.
