Microsoft Fixes Record 206 Vulnerabilities, Including 3 Zero-Days

Microsoft addressed a record-breaking 206 security vulnerabilities in its latest Patch Tuesday update, released on June 11, 2026. Among the extensive list of fixes were three zero-day exploits that had already been disclosed publicly, alongside numerous critical flaws enabling remote code execution and privilege escalation. This massive patching effort underscores the growing complexity and volume of threats facing digital systems.

The total number of vulnerabilities patched this month includes 39 rated as Critical and 167 as Important. These break down into 63 privilege escalation flaws, 56 for remote code execution, 30 for information disclosure, 27 for spoofing, 20 for security feature bypasses, seven for denial-of-service, and three for tampering. The update also incorporates fixes for two non-Microsoft specific vulnerabilities affecting the Windows Kernel and UEFI Secure Boot, bringing the total number of addressed security issues to well over 350 when considering recent fixes for the Chromium browser.

Critical Flaws Requiring Immediate Attention

Topping the list of critical patches is CVE-2026-45657, a use-after-free vulnerability in the Windows Kernel with a CVSS score of 9.8. Microsoft stated that an attacker could exploit this flaw by sending specially crafted network traffic to a vulnerable system, potentially allowing them to execute code with system-level privileges without needing user interaction. This type of vulnerability poses a significant risk as it can be exploited remotely.

Other notable critical vulnerabilities include CVE-2026-47291 (CVSS 9.8), an integer overflow flaw in Windows HTTP.sys that enables unauthorized remote code execution, and CVE-2026-44815 (CVSS 9.8), a stack-based buffer overflow in the Windows DHCP Client that also allows for remote code execution. Alex Vovk, CEO and co-founder of Action1, highlighted the severity of CVE-2026-44815, noting that it "needs no credentials or user action and can turn network traffic into a full system compromise." He further warned that successful exploitation could lead to "server compromise, malware deployment, data theft, service disruption, and movement deeper into the network," emphasizing that systems handling DHCP traffic are high-priority targets.

The patches also address security feature bypasses, including CVE-2026-45585 for Windows BitLocker, which had a proof-of-concept exploit named YellowKey released by researcher Chaotic Eclipse. Further bypass vulnerabilities include CVE-2026-45655 and CVE-2026-45658. Microsoft noted that a successful attacker could bypass BitLocker Device Encryption, potentially granting access to encrypted data, especially with physical access.

Specifically, CVE-2026-50507 is believed to fix a BitLocker bypass dubbed 'bitskrieg.' This particular update, along with CVE-2026-49160 and CVE-2026-45586, are classified as publicly disclosed zero-days. CVE-2026-45586 targets the Windows Collaborative Translation Framework (CTFMON) for privilege escalation, while CVE-2026-49160 addresses an HTTP.sys denial-of-service vulnerability.

The HTTP.sys fix, CVE-2026-49160, is linked to an attack technique known as HTTP2/Bomb, capable of bringing web servers offline rapidly. Microsoft has introduced a new registry setting, "MaxHeadersCount," to limit HTTP headers in requests for HTTP/2 and HTTP/3, aiming to prevent excessive memory and CPU consumption and protect against denial-of-service attacks.

Another zero-day, CVE-2026-45586, is suspected to be a fix for a privilege escalation exploit called 'GreenPlasma,' also released by Chaotic Eclipse. Additionally, the June 2026 update addresses 'MiniPlasma,' a vulnerability disclosed by Chaotic Eclipse as an incomplete fix for a 2020 issue (CVE-2020-17103). Microsoft advises users to install the latest updates to comprehensively address this long-standing vulnerability.

Microsoft attributes the surge in patched vulnerabilities, in part, to the increasing use of artificial intelligence (AI)-assisted discovery tools. This trend is expected to continue, with experts anticipating that the volume of discovered flaws will only grow. Satnam Narang, senior staff research engineer at Tenable, commented that "Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday." Dustin Childs, head of threat awareness at TrendAI's Zero Day Initiative (ZDI), described the extensive patching as a testament to how AI is accelerating flaw discovery, noting that the number of CVEs this year already surpasses the total for 2018. He also raised questions about the quality assurance processes involved in such rapid patching.

The company also released a patch for a Microsoft Defender zero-day, 'RoguePlanet,' which functions as a race condition exploit that could grant SYSTEM privileges. This extensive set of updates highlights the ongoing battle against cyber threats and the critical importance of timely patching for all users and organizations.