Microsoft's June 2026 Patch Tuesday Shatters Records with 200 Vulnerabilities, Including Three Exploited Zero-Days
Microsoft's June 2026 Patch Tuesday addresses a record 200 vulnerabilities, with nearly three dozen critical flaws and three zero-days actively exploited in the wild.
Microsoft has rolled out its June 2026 Patch Tuesday updates, fixing a staggering 200 security vulnerabilities across its product lines, setting a new record for the monthly patch cycle. Among these fixes, nearly three dozen vulnerabilities were classified as 'critical,' indicating a high potential for severe impact. Adding to the urgency, exploit code for at least three of these flaws is already publicly available, with active exploitation observed.
This surge in vulnerability disclosures and patches is partly attributed to the increasing use of artificial intelligence (AI) tools in bug discovery. Microsoft itself noted in a prior blog post that both its internal security teams and the broader security community are leveraging AI more extensively, suggesting that this high volume of patches may become the new norm. Experts like Satnam Narang, senior staff research engineer at Tenable, concur, stating that with AI usage among security professionals reportedly reaching 90%, such patch volumes are unsurprising and likely to continue increasing.
Among the critical zero-day vulnerabilities addressed is CVE-2026-49160, a denial-of-service (DoS) flaw affecting Microsoft Internet Information Services (IIS) and other web servers. Notably, Microsoft credits OpenAI's Codex with reporting this specific vulnerability. Another significant disclosure involves two zero-days reportedly linked to the security researcher known as 'Nightmare Eclipse.' This researcher has been actively releasing exploits for various Windows flaws, with one exploit dubbed 'GreenPlasma' targeting an elevation of privilege vulnerability in the Windows Collaborative Translation Framework (CVE-2026-45586).
Nightmare Eclipse also previously released 'YellowKey,' an exploit for a Windows BitLocker vulnerability that could allow an attacker with physical access to view encrypted data. The June Patch Tuesday addresses CVE-2026-50507, an elevation of privilege bug within BitLocker, which is believed to be related to this exploit. Microsoft faced social media backlash last month for suggesting legal action against researchers, later clarifying its stance to report only those who break the law. The advisories for CVE-2026-49160 and CVE-2026-50507 do not name specific researchers, instead offering a general acknowledgement to the security community.
Adding to the intrigue, Nightmare Eclipse claims to be a former Microsoft employee, a claim Microsoft has not officially commented on. The researcher has also pledged to release more zero-day exploits for Windows on July 14th, coinciding with the next Patch Tuesday. Following the release of the June patches, the researcher also claimed to have published an exploit for a zero-day vulnerability in Windows Defender.
Beyond the Patch Tuesday count, the total number of vulnerabilities addressed by Microsoft this month is significantly higher. Rapid7's Adam Barnett points out that Microsoft has already patched 360 browser vulnerabilities in June alone, a number far exceeding typical monthly figures. These browser vulnerabilities, often related to Chromium, are typically not included in the Patch Tuesday count, and Microsoft has ceased enumerating Chromium CVEs in its Security Update Guide.
Microsoft also rushed out a fix for a zero-day vulnerability in Visual Studio Code on June 3rd, which could allow attackers to steal GitHub tokens with a single click. This rapid response followed a researcher's public disclosure of the exploit, who stated they opted not to engage with Microsoft due to a past experience where a reported flaw was silently patched without credit.
In related security news, Adobe has released updates for numerous critical vulnerabilities across its product suite, including Adobe Experience Manager, Acrobat Reader, and Cold Fusion. Google also recently addressed a record 429 vulnerabilities in its latest Chrome browser update. This wave of extensive patching underscores the dynamic and challenging threat landscape, emphasizing the critical importance of timely updates and robust security practices.