
Microsoft fixes 206 flaws in its largest-ever Patch Tuesday


Microsoft fixed 206 security flaws on June 9, in the largest Patch Tuesday in its history. Patch Tuesday is the company's monthly security update, always released on the second Tuesday of the month, and this edition became the biggest since the program began in October 2003. Of the 206 fixes, 32 are rated critical by Microsoft and three are zero-days, meaning vulnerabilities that became public before a fix existed.

None of the three zero-days had been exploited by attackers at the time of release, according to Microsoft itself. What stands out is the volume. Dustin Childs, of Trend Micro's Zero Day Initiative (ZDI), wrote that "the current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018." A CVE is the unique identifier assigned to each vulnerability. Half of the Patch Tuesday releases in the first half of 2026 carried defect counts well into the triple digits.

The three publicly known flaws

The three publicly disclosed vulnerabilities affect core Windows components, and Microsoft rated all three "Exploitation More Likely." CVE-2026-49160 (severity 7.5 on the CVSS scale, from 0 to 10) sits in HTTP.sys, the shared component that serves many Windows web services. It allows a denial-of-service attack, which makes a system unavailable, through a technique called HTTP/2 Bomb, in which a small request forces the server to process a disproportionate amount of data. CVE-2026-45586 (7.8) is in CTFMON, the text-input and language service, and lets a local attacker escalate to SYSTEM, the account with full control of the machine. CVE-2026-50507 (6.8) bypasses BitLocker, Windows' full-disk encryption, and requires physical access to the device; it is the most delicate of the three, because proof-of-concept exploit code is already public.

A maximum-severity flaw and a second hole in the same component

Above the zero-days in severity, Microsoft flagged ten vulnerabilities scoring 9.0 or higher on CVSS, one of them at the absolute maximum: CVE-2026-48567, at 10.0, in Azure HorizonDB, though the company says it requires no customer action. The high-severity list includes remote code execution (RCE, which lets an attacker run commands from afar) in the Windows DHCP client, the kernel, Azure Stack Edge and Visual Studio Code. In HTTP.sys itself, and separate from the zero-day, comes CVE-2026-47291 (9.8), an unauthenticated remote code execution for which Microsoft published the month's only mitigation. Anyone running internet-facing web infrastructure should treat the two HTTP.sys flaws as a single priority block. Across the batch, elevation-of-privilege and remote-code-execution flaws dominate; spoofing rose this month, driven by a cluster of SharePoint Server entries.

Why there are more and more patches

The jump is no accident. Researchers point to the growing role of artificial intelligence in finding vulnerabilities and in helping develop and test the fixes. "It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns," Childs wrote. Satnam Narang, senior staff research engineer at Tenable, went further: "Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday." The burden shifts to defenders: with hundreds of fixes a month, deciding what to apply first becomes a problem in itself.
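One way to turn the prioritisation problem described above into a deployment order, as an added example that is not from Microsoft or any of the cited sources. It groups the five CVEs named in this article by component, so the two HTTP.sys flaws become one block, and ranks the blocks; the field names, the `exposed` parameter and the ranking order are assumptions of this example.

```python
from collections import defaultdict

# Scores, components and disclosure status as reported in the article.
# "poc" is True only where the article says exploit code is public;
# "action" is False where Microsoft says no customer action is needed.
ADVISORIES = [
    {"cve": "CVE-2026-49160", "component": "HTTP.sys", "cvss": 7.5,
     "public": True, "poc": False, "action": True},
    {"cve": "CVE-2026-45586", "component": "CTFMON", "cvss": 7.8,
     "public": True, "poc": False, "action": True},
    {"cve": "CVE-2026-50507", "component": "BitLocker", "cvss": 6.8,
     "public": True, "poc": True, "action": True},
    {"cve": "CVE-2026-48567", "component": "Azure HorizonDB", "cvss": 10.0,
     "public": False, "poc": False, "action": False},
    {"cve": "CVE-2026-47291", "component": "HTTP.sys", "cvss": 9.8,
     "public": False, "poc": False, "action": True},
]


def build_blocks(advisories, exposed=frozenset()):
    """Group advisories per component and return blocks, most urgent first.

    exposed: components that are reachable from the internet in your estate
    (hypothetical input; fill it from your own asset inventory).
    """
    groups = defaultdict(list)
    for adv in advisories:
        groups[adv["component"]].append(adv)

    blocks = []
    for component, items in groups.items():
        blocks.append({
            "component": component,
            "cves": sorted(a["cve"] for a in items),
            "deploy": any(a["action"] for a in items),
            "exposed": component in exposed,
            "max_cvss": max(a["cvss"] for a in items),
            "poc": any(a["poc"] for a in items),
            "public": any(a["public"] for a in items),
        })

    # Assumed ranking: something to deploy, then internet exposure,
    # then worst CVSS in the block, then public PoC, then public disclosure.
    blocks.sort(key=lambda b: (b["deploy"], b["exposed"], b["max_cvss"],
                               b["poc"], b["public"]), reverse=True)
    return blocks


if __name__ == "__main__":
    for block in build_blocks(ADVISORIES, exposed={"HTTP.sys"}):
        print(block["component"], block["max_cvss"], ", ".join(block["cves"]))
```

Raw CVSS alone would put the 10.0 Azure HorizonDB entry first; because it needs no customer action, it falls to the bottom of the deployment list here.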

The full list of vulnerabilities is available from the Microsoft Security Response Center. For most users, the advice stays simple: open Windows Update and install the updates as soon as they appear, restarting the computer to complete them.

Sources: Microsoft Security Response Center, Zero Day Initiative, CyberScoop, SOCRadar, Malwarebytes Labs.

#StaySafe
🙏🖖
