Microsoft June 2026 Patch Tuesday Addresses 204 Vulnerabilities, Highlights AI's Role in Discovery
Microsoft's June 2026 Patch Tuesday fixes 204 vulnerabilities, including 38 critical flaws and three previously disclosed issues, with a notable increase in Chromium/Edge vulnerabilities attributed to AI-assisted discovery.
Microsoft's June 2026 Patch Tuesday has arrived with a substantial update, patching a total of 204 vulnerabilities across its product lines. Of these, 38 are classified as critical, and three had already been publicly disclosed prior to this release. Six of the vulnerabilities affect Microsoft cloud solutions and do not require direct user intervention, while a significant number, 360, target the Chromium engine powering the Edge browser.
The sheer volume of patched Chromium/Edge vulnerabilities is a key takeaway from this month's update, with Microsoft explicitly noting the impact of AI tools in their discovery. This trend suggests a growing reliance on artificial intelligence for identifying security weaknesses, potentially accelerating both vulnerability discovery and exploitation.
Among the most notable fixes is CVE-2026-49160, which addresses a "compression bomb" vulnerability in the HPACK compression algorithm used by HTTP/2 and HTTP/3. This flaw could lead to excessive resource consumption. Microsoft has implemented a "MaxHeadersCount" registry setting to mitigate this issue.
Another critical vulnerability, CVE-2026-47291, affects the http.sys web server engine and allows for remote code execution. Exploitation requires an oversized request to trigger an integer overflow. Until patches can be applied, Microsoft recommends restricting the "MaxRequestBytes" setting to prevent exploitation.
Active Directory Domain Services is also affected by CVE-2026-45648, a stack-based buffer overflow. While requiring authentication for exploitation, Microsoft assesses the likelihood of exploit development as low.
Additionally, three distinct BitLocker security feature bypass vulnerabilities have been patched, with one having been publicly known. Researchers speculate this may be related to the "Nightmare Eclipse" vulnerabilities.
The update also includes numerous patches for Microsoft Office, Outlook, and Word, addressing critical and important vulnerabilities related to information disclosure, remote code execution, and elevation of privilege. Several Azure services, including Azure HorizonDB, Azure Kubernetes Service, and Azure Stack Edge, also received critical patches for remote code execution and elevation of privilege vulnerabilities.
This Patch Tuesday marks a significant release, not only in the number of vulnerabilities addressed but also in the insights it provides into the evolving landscape of vulnerability discovery, particularly the increasing role of AI. Organizations are urged to prioritize the application of these patches to safeguard their systems against the newly fixed security flaws.
This latest report from CyberScoop details a record-breaking 206 vulnerabilities addressed in Microsoft's June Patch Tuesday, surpassing the 204 mentioned previously. Notably, it highlights CVE-2026-41091, an actively exploited zero-day in Microsoft Defender, and CVE-2026-48567, a maximum severity flaw in Azure HorizonDB, adding specific critical details to the overall trend.