Microsoft just released a record 206 Microsoft security patches for June 2026. That's not a typo. Two hundred and six fixes.
Of these, 39 are rated Critical and 167 are rated Important in severity. To put that number in perspective: Microsoft shipped fixes for more vulnerabilities in this single month than in all of 2018.
The breakdown tells a clear story about where attackers are focusing:
63 privilege escalation vulnerabilities
56 remote code execution flaws
30 information disclosure issues
27 spoofing vulnerabilities
20 security feature bypasses
7 denial-of-service flaws
3 tampering vulnerabilities
Three of these flaws were publicly disclosed before patches were available. That means attackers already knew about them.
The Critical Flaws You Need to Know About
CVE-2026-45657 (CVSS 9.8) – Windows Kernel RCE
This is the big one. A use-after-free vulnerability in the Windows Kernel allows remote code execution. An attacker sends malicious network traffic to an unpatched Windows host; if the attack succeeds, those packets exploit a flaw in the kernel's TCP/IP processing.
When that happens, the attacker executes code with SYSTEM-level privileges, and they can do so without a user account and without any user interaction, simply by sending network traffic.
CVE-2026-47291 (CVSS 9.8) – Windows HTTP.sys Integer Overflow
Another network-based remote code execution flaw. This one lives in HTTP.sys, the core component that handles HTTP requests in Windows. An integer overflow or wraparound bug lets an unauthorized attacker execute code over the network.
CVE-2026-44815 (CVSS 9.8) – Windows DHCP Client Buffer Overflow
A stack-based buffer overflow in the Windows DHCP Client. Alex Vovk, CEO of Action1, called this one particularly dangerous: "This flaw needs no credentials or user action and can turn network traffic into a full system compromise."
Here's why that matters. DHCP is a core network function. Every device on most networks uses it to get an IP address. An attacker who sends malicious DHCP traffic could compromise servers, deploy malware, steal data, and move deeper into your network.
If your systems handle DHCP traffic, patch them immediately.
The BitLocker Bypasses: YellowKey, bitskrieg, and GreenPlasma
Remember Chaotic Eclipse? The anonymous researcher who has been publicly disclosing Microsoft vulnerabilities? Several of their findings are patched in this record 206 Microsoft security patches release.
CVE-2026-45585 (CVSS 6.8) fixes a BitLocker bypass called YellowKey. The researcher released a proof-of-concept exploit for this last month.
CVE-2026-50507 (CVSS 6.8) addresses another BitLocker bypass dubbed bitskrieg. Security researcher Will Dormann confirmed this gives full access to encrypted data.
CVE-2026-45586 (CVSS 7.8) is suspected to be the fix for GreenPlasma, a privilege escalation exploit in the Windows Collaborative Translation Framework (CTFMON).
All three of these were publicly disclosed before patches existed. CVE-2026-50507, CVE-2026-49160, and CVE-2026-45586 are officially listed as publicly disclosed zero-days.
HTTP2/Bomb: Taking Down Web Servers in Seconds
CVE-2026-49160 (CVSS 7.5) addresses a denial-of-service vulnerability in HTTP.sys related to an attack technique called HTTP2/Bomb.
In tests conducted by security researchers, an IIS server exhausted 64 GB of RAM in about 45 seconds. That's a server going from normal operation to completely unresponsive in under a minute.
Microsoft's fix introduces a new registry setting called MaxHeadersCount to limit the number of headers in HTTP/2 and HTTP/3 requests.
If you run IIS servers, you should test and deploy this patch quickly. And consider implementing the header limit even if you can't patch immediately.
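An added administration example, not from the article or from Microsoft, that audits the MaxHeadersCount value the article mentions and sets it if it is missing or too high. It assumes the value lives under HTTP.sys's Parameters key (the key exists; the value's location there and the cap of 100 are assumptions, since the page names only the setting) and that the host already has the patched HTTP.sys that honours it.

```powershell
# Added example (not from the article or Microsoft). ASSUMPTIONS: the new
# MaxHeadersCount value is read from HTTP.sys's Parameters key (the key is
# real; the value's location there is assumed) and a cap of 100 headers
# is a reasonable starting limit for HTTP/2 and HTTP/3 requests.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name  = 'MaxHeadersCount'
$Limit = 100   # assumed cap; raise it if your applications legitimately send more

function Get-HttpSysHeaderLimit {
    # Returns the configured cap, or $null if the value has never been set
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-HttpSysHeaderLimit {
    param([int]$Value = $Limit)
    if (-not (Test-Path $Key)) {
        throw "HTTP.sys Parameters key not found; is HTTP.sys present on this host?"
    }
    # Creates a REG_DWORD; -Force overwrites an existing value of the same name
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-HttpSysHeaderLimit
if ($null -eq $current) {
    Write-Host "$Name is not set: HTTP/2 and HTTP/3 header counts are not capped."
    Set-HttpSysHeaderLimit
    Write-Host "Set $Name = $Limit. HTTP.sys reads Parameters when the driver starts,"
    Write-Host "so restart the HTTP service (this also restarts IIS) or reboot to apply."
} elseif ($current -gt $Limit) {
    Write-Host "$Name is $current, above the intended cap of $Limit; lowering it."
    Set-HttpSysHeaderLimit
} else {
    Write-Host "$Name is already $current; nothing to do."
}
```

Run it from an elevated PowerShell session; an unpatched HTTP.sys ignores the value, so this complements the update rather than replacing it.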
The MiniPlasma Story: An Incomplete Fix from 2020
One of the more unusual fixes in this record 206 Microsoft security patches release addresses a vulnerability called MiniPlasma.
Here's the backstory. CVE-2020-17103 was originally patched by Microsoft in December 2020. But Chaotic Eclipse discovered that the fix was incomplete. The researcher publicly disclosed MiniPlasma as a bypass for the original patch.
Microsoft's June 2026 update finally closes that gap. The company now recommends installing these updates to "comprehensively address" the vulnerability.
Four and a half years between patch and complete fix. That's a long time.
Why Are There So Many Patches?
The short answer: AI.
Security researchers and attackers alike are using artificial intelligence to find vulnerabilities faster than ever before. Microsoft itself acknowledges this trend will continue.
"Pandora's proverbial box has been opened," said Satnam Narang, senior staff research engineer at Tenable. "As more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday."
Dustin Childs of TrendAI's Zero Day Initiative put it bluntly: "The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018. It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist."
That last point matters. When you ship 206 patches in one month, the risk of introducing new bugs increases significantly.
What About Microsoft Edge?
These record 206 Microsoft security patches don't include the Chromium fixes that affect Microsoft Edge. Google addressed more than 350 security flaws in Chromium recently. Those fixes are incorporated into Edge as well.
So the real number of patches for Microsoft products this month is even higher.
How to Prioritize
You cannot install 206 patches all at once on every system. Here's how to prioritize:
Patch immediately (within 48 hours):
1. CVE-2026-45657 (Windows Kernel RCE)
2. CVE-2026-47291 (HTTP.sys RCE)
3. CVE-2026-44815 (DHCP Client RCE)
Patch within one week:
1. All three BitLocker bypasses (CVE-2026-45585, CVE-2026-50507, plus the publicly disclosed zero-days)
2. CVE-2026-49160 (HTTP2/Bomb DoS)
3. CVE-2026-45586 (CTFMON privilege escalation)
Patch within your normal monthly cycle:
The remaining 197 vulnerabilities
The Bottom Line
The record 206 Microsoft security patches for June 2026 represent a new normal. AI-assisted vulnerability discovery is flooding the disclosure pipeline. Microsoft is struggling to keep up, and attackers are already exploiting some flaws before patches exist.
Test and deploy the critical network-based RCE fixes immediately. The DHCP client flaw alone - no user interaction, no credentials required - should be enough to move this Patch Tuesday to the top of your priority list.
FAQ Section
How many patches did Microsoft release in June 2026?
Microsoft released a record 206 security patches, including 39 Critical and 167 Important severity vulnerabilities.
What are the most critical flaws in this Patch Tuesday?
The top three critical flaws are CVE-2026-45657 (Windows Kernel RCE), CVE-2026-47291 (HTTP.sys integer overflow), and CVE-2026-44815 (DHCP client buffer overflow). All three have CVSS scores of 9.8.
Have the vulnerabilities been disclosed prior to being patched?
Yes. Three of them, CVE-2026-50507, CVE-2026-49160 and CVE-2026-45586, were publicly disclosed as zero-day vulnerabilities before Microsoft patched them.
What is a Bomb in HTTP2?
HTTP2/Bomb is a denial-of-service technique that exhausts server memory by sending large numbers of specially crafted HTTP/2 headers. In testing, an IIS-based web server with 64 GB of RAM ran out of memory in approximately 45 seconds.
Why are there so many patches this month?
Security researchers are using AI-assisted vulnerability discovery tools, which are finding flaws at an unprecedented scale. Microsoft expects this trend to continue.
When should I be patching these systems?
The three critical network-based RCE vulnerabilities (CVE-2026-45657, CVE-2026-47291 and CVE-2026-44815) should be patched within 48 hours, and the publicly disclosed zero-day vulnerabilities within a week.