Microsoft Patch Tuesday breaks records with 198+ fixes as AI accelerates bug discovery

Microsoft patches record 198 Windows bugs in June update - and 3 are zero days

Follow ZDNET: Add us as a preferred source on Google. ZDNET's key takeaways * Microsoft's June update patches a record 198 security flaws. * Some 32 are rated critical, while three are zero-day flaws. * The update also adds several helpful new features to Windows 11. Microsoft's monthly Patch Tuesday updates typically fix a number of security bugs, which is why Windows users should almost always install them. But this month boasts a new record with 198 vulnerabilities being patched, the largest in recent history. And with many of the flaws rated critical and three already publicly disclosed, you'll definitely want to grab this one. Also: My 5-step security checklist for every new Windows PC As usual, this month's updates are described in three separate KB articles -- KB5094126 for Windows 11 24H2 and 25H2, KB5093998 for Windows 11 23H2, and KB5094127 for Windows 10. Since these are mandatory updates, they will automatically download and install. But you should still double-check, especially since you have to reboot your PC for them to take effect. Bugs squashed with AI's help In Windows 11, head to Settings and select Windows Update. If the status indicates a pending restart, then just reboot your computer. Otherwise, click the button to check for updates and allow them to run. For Windows 10, you need to be enrolled in the Extended Security Updates (ESU) program. In that case, go to Settings and select Update & Security. If necessary, click the button to check for updates and let them download and install. Why and how did Microsoft squash a record number of bugs this month? The answer is AI. Tech companies are increasingly using models like Anthropic's Claude Mythos to help find and fix more vulnerabilities, much more quickly than in the past. In April, Mozilla patched 271 security flaws in Firefox, assisted by an early version of Claude Mythos Preview. "The unusually high volume of disclosures reflects a broader trend in vulnerability research, where advances in AI-assisted analysis and initiatives such as Mythos are helping researchers uncover flaws at a much faster pace than before," patch management provider Action1 said in an advisory. As for the bugs themselves, the patches for the 32 critical ones offer reason enough to install the update. But the three zero-days amp up the severity because they're publicly disclosed. That means they haven't yet been actively exploited in the wild. But details on them were publicly available before Microsoft resolved them, so attackers could exploit them on PCs that haven't been patched. Also: How to upgrade your 'incompatible' Windows 10 PC to Windows 11 - for free With one zero-day, an attacker could gain Windows System privileges by exploiting a flaw that improperly resolves a link to a file. With the second one -- of greater concern to organizations -- an HTTP vulnerability could allow someone to stage a denial-of-service attack. And with the third one, a flaw in Windows BitLocker could let an attacker with physical access to an unpatched PC capture the encrypted data on the hard drive. Update includes these new Windows 11 features June's Patch Tuesday updates also bring a few new and improved features to Windows 11, as noted by Windows Latest. With older Secure Boot certificates set to expire this month, Microsoft continues to issue new certificates to supported PCs. A new feature called Low Latency Profile promises to speed up certain actions on your PC by sending a quick jolt to the processor. Windows 11 will now support shared audio devices, so you can connect more than one Bluetooth device to your computer at the same time. That means you and others can all watch the same TV show or listen to the same music on your PC via your own earbuds or headsets. Also: Build 2026: Microsoft's MDASH exits preview with 100+ specialized threat-hunting AI agents Another helpful enhancement: Your webcam can now handle multiple apps at the same time. You can then automatically use your camera for Zoom meetings, Google Meet video calls, Snapchat filters, and more without having to turn one off and turn another on. Finally, you can now choose a custom name for your user folder when you set up Windows 11. Previously, Windows would automatically create a folder name based on your username with no easy way for you to change it.

AI is making Patch Tuesday (kinda) fun again

Unless you're an admin or vulnerability manager - then you're totally screwed Microsoft set a record with its June Patch Tuesday release, addressing 206 CVEs across its products and shipping fixes for them, with 38 deemed critical and the rest important. Three are listed as publicly known, but none (so far) have been exploited in the wild. We have no idea how many of these June bugs were uncovered using AI tools. Unlike last month's patching event, when Redmond disclosed its agentic bug-hunting system found 16 of the 137 vulnerabilities, there's no word on any AI assists for new releases. Still, it's safe to assume AI played a major role. As Tom Gallagher, VP of engineering at Microsoft Security Response Center, said about May's Patch Tuesday with a whopping 30 critical flaws: "We expect releases to continue trending larger for some time." June's Patch Tuesday proved Gallagher correct, surpassing May in both overall volume and critical bugs. "I've been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time," Zero Day Initiative's bug hunter in chief Dustin Childs said in his review. "It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns," he added, asking, as we did: How many were found via AI? And: "How many patches were generated using AI to assist in coding or testing? What quality issues may exist in these patches? And likely most importantly, is this the new normal?" Childs noted that May and April also saw mega releases. "Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates? Unfortunately, Microsoft is not providing those answers right now," he wrote, adding in this fun fact: "The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018." Wowza. While it's fun to watch from a purely speculative standpoint, as in: "Will Microsoft top 300 next month?", our thoughts and prayers are nonetheless with sysadmins and vulnerability management teams drowning in the AI-induced vulnpocalypse by now. None of the Patch Tuesday security holes are listed as under attack - at least not yet - but three are listed as publicly known. Let's take a look at those first. Three known vulnerabilities CVE-2026-49160 is an HTTP.sys denial of service vulnerability that we wrote about earlier this month. Calif researcher Quang Luong discovered the attack with an assist from OpenAI's Codex agent, named it HTTP/2 Bomb, and said it exploits the HTTP/2 header compression algorithm by sending thousands of tiny messages to the server, forcing it to rapidly allocate memory and ultimately crash. At the time, a Microsoft spokesperson told The Register that Redmond was "aware and actively investigating appropriate mitigations." On Tuesday, the tech giant fixed the security issue by introducing a new MaxHeadersCount registry setting, which allows users to limit the number of headers included in HTTP/2 and HTTP/3 requests, and should prevent denial-of-service attacks. CVE-2026-50507, a security feature bypass bug in Windows BitLocker, is the second CVE listed as publicly disclosed, and "exploitation more likely." An attacker with physical access to the vulnerable system could bypass the BitLocker Device Encryption feature and gain access to the device's encrypted data, according to the advisory. This flaw also seems to be a patch for one of the zero-days dropped in the ongoing war between Microsoft and a disgruntled bug hunter known as Nightmare Eclipse - likely the YellowKey vulnerability disclosed in May. Nightmare has published details about and in some cases, full proof-of-concept exploit code for six zero-days, and promised a "bone shattering" release on June 14. The third publicly known bug, CVE-2026-45586, is a Windows Collaborative Translation Framework (CTFMON) elevation of privilege vulnerability that can be abused by an authorized attacker to elevate privileges locally and gain SYSTEM access. From there, miscreants could deploy malware, steal data, and move laterally through the victim's environment - so patch this one sooner. Plus these two (of 38) critical bugs In addition to those three known vulnerabilities that made the rounds before Microsoft issued a patch, a couple of critical-rated 9.8 security flaws are worth highlighting this month. The first, CVE-2026-45657, is a Windows kernel remote code execution (RCE) bug that allows remote, unauthenticated attackers to run code with system-level privileges without any user interaction. It's due to an error in how the Windows kernel processes some TCP/IP data, and can be exploited by sending malicious network packets to a vulnerable Windows system, thus triggering the flaw. While it's listed as "exploitation less likely" by Redmond, we like Childs' response. "Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit," he said. "Test and deploy this patch quickly." CVE-2026-47291, an HTTP.sys RCE vulnerability that also earned a 9.8 CVSS rating, deserves attention as it can also be triggered with zero user interaction and Microsoft says it's "more likely" to be exploited. "This vulnerability creates severe business risk because HTTP.sys is used by Windows services that process HTTP traffic," Alex Vovk, CEO and co-founder of patch-management vendor Action1, told The Register. "A successful attack could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement across the environment. Internet-facing systems are especially exposed." The good news: systems using the Windows HTTP stack's default MaxRequestBytes registry value are not affected. In the advisory, Redmond provides detailed instructions on how to edit registry settings, which can buy admins some time (and security) while deploying the patch. ®

Microsoft breaks Patch Tuesday record with fixes for over 200 security flaws

* June 2026 Patch Tuesday release fixes nearly 200 Windows vulnerabilities, Microsoft's largest release to date * It includes Chaotic Eclipse's GreenPlasma (CVE‑2026‑45586) and YellowKey (CVE‑2026‑45585), disclosed without coordination * AI‑driven bug discovery fueling record‑high patch volumes, expected to continue growing The June 2026 Patch Tuesday cumulative update for Microsoft's Windows operating system has been released - and is, by far, the biggest one the company has ever released. The update addresses almost 200 security vulnerabilities across Windows systems, as well as supported software, dozens of which are labeled as "critical", meaning they could cause serious damage to the users. Among the flaws are two vulnerabilities disclosed by Chaotic Eclipse, a mysterious researcher who conflicted with Microsoft recently over how vulnerabilities were reported, and researchers credited/compensated. Using AI to spot security issues By fixing almost 200 flaws, Microsoft essentially broke its own record - partly due to the use of Artificial Intelligence (AI). The first major issue is GreenPlasma, an elevation-of-privilege vulnerability in the Windows Collaborative Translation Framework (CTF). This bug, tracked as CVE-2026-45586, and given a severity score of 7.8/10 (high), allows a local attacker to gain higher privileges on Windows systems. The second is YellowKey, a Windows BitLocker Security Feature Bypass vulnerability tracked as CVE-2026-45585, and given a severity score of 6.8/10 (medium). The proof of concept (PoC) for this vulnerability has been made public, NVD said, which is in violation of coordinated vulnerability best practices. As a result, Microsoft said it was considering legal action against Chaotic Eclipse if they had been found to be breaking the law. In its follow-up advisory to Patch Tuesday, the company did not credit any researchers for these two flaws, only saying that it "recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure." Via Krebs on Security Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Microsoft patches record 200-plus vulnerabilities as AI accelerates bug discovery

Microsoft patches record 200-plus vulnerabilities as AI accelerates bug discovery Microsoft Corp. on Tuesday patched more than 200 security vulnerabilities, the most the company has ever fixed in a single Patch Tuesday, with researchers saying artificial intelligence bug-hunting is the reason the number keeps climbing. The previous record was 175 fixes, set last October. This month's batch carried 38 critical flaws and Microsoft shipped several of them only after the bugs were already public. The worst of the bunch was CVE-2026-45657, a use-after-free flaw in the Windows kernel's TCP/IP stack that scored 9.8 on the Common Vulnerability Scoring System scale. An attacker needed no credentials and no user interaction to exploit it. Microsoft says the bug is wormable on some networks. No public exploit had surfaced as of Wednesday. Attackers were already exploiting two of the patched vulnerabilities before Tuesday. One is tracked as CVE-2026-42897 and hits the Outlook Web Access component of Exchange Server. CISA added it to its Known Exploited Vulnerabilities catalog in May. The other, CVE-2026-41091, let an attacker escalate privileges through Microsoft Defender. Microsoft shipped an emergency fix for it in May and a formal one this month. Among the publicly disclosed zero-days is CVE-2026-49160, a denial-of-service flaw in HTTP.sys tied to an attack technique dubbed "HTTP/2 Bomb." Microsoft credited the bug to OpenAI Group PBC's Codex, one of the first publicly attributed cases of an AI system reporting a vulnerability in a major Patch Tuesday cycle. Two further zero-days stem from uncoordinated disclosures by a pseudonymous researcher known as Nightmare Eclipse, who published proof-of-concept code for a Windows Defender bug within hours of Tuesday's release. The record volume follows Microsoft's own push into AI-driven vulnerability discovery. The company last month detailed MDASH, an agentic scanning system that uses more than 100 AI agents and surfaced 16 previously unknown flaws patched in May. Researchers said the surge reflects a structural shift rather than a one-off spike. "We are heading into a high-stakes summer for cybersecurity," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, who told SiliconANGLE the release is "a stark warning that AI is supercharging flaw discovery at an uncontrollable scale." Childs noted that the number of vulnerabilities Microsoft has shipped this year already exceeds its total for all of 2018. "It is extraordinary that Microsoft can produce so many patches in a single month and I expect many testers are wondering what quality issues may exist," he said. The volume now extends well beyond the Patch Tuesday count itself. Adam Barnett, lead software engineer at managed cybersecurity company Rapid7 Inc., told SiliconANGLE that Microsoft shipped patches for 360 browser vulnerabilities this month, an order of magnitude above recent norms and has stopped enumerating Chromium bugs in its Security Update Guide as a result. "Other vulnerability categories, especially Linux kernel vulnerabilities, are seeing a similar increase in AI-assisted vulnerability reports," he added.