Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
Microsoft releases record 206 patches, including three zero-days and critical RCE flaws.
Summary
Microsoft has released a record-breaking 206 security patches, addressing a significant number of vulnerabilities across its software. Among these are three zero-day flaws that were publicly disclosed at the time of release, along with 39 Critical and 167 Important severity vulnerabilities. The patches include fixes for critical remote code execution (RCE) bugs in Windows Kernel and HTTP.sys, as well as several security feature bypasses affecting BitLocker.
Full text
Ravie Lakshmanan | Jun 10, 2026 | Vulnerability / Zero-Day

Microsoft on Tuesday released fixes for a record 206 security vulnerabilities impacting its software portfolio, including three flaws that have been publicly disclosed at the time of release.

Of the 206 flaws, 39 are rated Critical, and 167 are rated Important in severity. This includes 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security feature bypass, seven denial-of-service, and three tampering vulnerabilities.

The patches also include two non-Microsoft CVEs, a privilege escalation vulnerability impacting Windows Kernel (CVE-2025-10263) and a UEFI Secure Boot security feature bypass (CVE-2026-8863). They are in addition to more than 350 security flaws that Google has addressed in Chromium, which is used in Microsoft's Edge browser.

Topping the list of fixes is CVE-2026-45657 (CVSS score: 9.8), a use-after-free flaw affecting Windows Kernel that could result in remote code execution.

"An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system," Microsoft said. "If successful, the malicious network packets could trigger a flaw in how the Windows kernel processes certain TCP/IP data, potentially allowing the attacker to run code with system-level privileges without needing to sign in or interact with a user."

Other important vulnerabilities of note are listed below:

- CVE-2026-47291 (CVSS score: 9.8) - An integer overflow or wraparound flaw in Windows HTTP.sys that allows an unauthorized attacker to execute code over a network.
- CVE-2026-44815 (CVSS score: 9.8) - A stack-based buffer overflow vulnerability in Windows DHCP Client that allows an unauthorized attacker to execute code over a network.

"This flaw needs no credentials or user action and can turn network traffic into a full system compromise," Alex Vovk, CEO and co-founder of Action1, said about CVE-2026-44815. "An attacker could send specially crafted network traffic to a system configured for DHCP services."

"Successful exploitation could allow unauthorized code execution over the network with high impact to confidentiality, integrity, and availability. This vulnerability creates serious risk because DHCP is a core network function. Successful exploitation could lead to server compromise, malware deployment, data theft, service disruption, and movement deeper into the network. Systems handling DHCP traffic should be treated as high-priority patch targets."

Microsoft has also released patches to address CVE-2026-45585 (CVSS score: 6.8), a Windows BitLocker security feature bypass vulnerability for which a proof-of-concept (PoC) exploit called YellowKey was released by security researcher Chaotic Eclipse (aka Nightmare-Eclipse) last month.

CVE-2026-45585 is one of several security feature bypasses that the Windows maker has addressed this month:

- CVE-2026-45655 (CVSS score: 5.3)
- CVE-2026-45658 (CVSS score: 7.8)
- CVE-2026-50507 (CVSS score: 6.8)

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said in its advisories for the three issues. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

According to security researcher Will Dormann, CVE-2026-50507 is assessed to be a fix for a BitLocker bypass dubbed bitskrieg that grants full access to encrypted data.

It's worth noting that CVE-2026-50507, along with CVE-2026-49160 and CVE-2026-45586, are listed as publicly disclosed zero-days.
- CVE-2026-45586 (CVSS score: 7.8) - Windows Collaborative Translation Framework (CTFMON) privilege escalation vulnerability
- CVE-2026-49160 (CVSS score: 7.5) - HTTP.sys denial-of-service vulnerability

CVE-2026-49160 is related to HTTP2/Bomb, an attack technique that can be used to knock web servers offline in seconds. In tests conducted by Calif, an IIS server was found to exhaust 64 GB RAM in about 45 seconds.

To mitigate the attack, Microsoft has introduced a new "MaxHeadersCount" registry setting to limit the number of headers in HTTP/2 and HTTP/3 requests.

"Limiting HTTP headers can help protect systems and servers from excessive memory use, high CPU consumption, and denial-of-service attacks," Microsoft said. "Because HTTP/2 (HPACK) or HTTP/3 (QPACK) header compression is used and more complex protocol processing, enforcing a header limit such as MaxHeadersCount can help maintain performance and reliability."

On the other hand, CVE-2026-45586 is suspected to be a fix for a zero-day privilege escalation exploit that Chaotic Eclipse released under the name GreenPlasma.

Lastly, the June 2026 update also plugs MiniPlasma, a separate vulnerability disclosed by Chaotic Eclipse as an incomplete fix for CVE-2020-17103, which was originally addressed by Microsoft in December 2020.

"To comprehensively address the vulnerability identified by CVE-2020-17103 and recently publicly referred to as 'MiniPlasma,' Microsoft recommends installing the June 2026 updates for your Windows operating systems," the tech giant said in an update to its advisory.

The increasing number of patches has been attributed to the use of artificial intelligence (AI)-assisted vulnerability discovery approaches, a trend that Microsoft said will continue in the foreseeable future.

"Pandora's proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

Dustin Childs, head of threat awareness at TrendAI's Zero Day Initiative (ZDI), described the massive batch of Microsoft vulnerabilities as a testament to how AI is supercharging flaw discovery at an uncontrollable scale.

"The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018," Childs said. "It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist."

The patches come as Chaotic Eclipse released a PoC exploit for yet another Microsoft Defender zero-day named RoguePlanet, characterizing it as a race condition that could be used to spawn a Windows command prompt with SYSTEM privileges.
Indicators of Compromise
- cve — CVE-2025-10263
- cve — CVE-2026-8863
- cve — CVE-2026-45657
- cve — CVE-2026-47291
- cve — CVE-2026-44815
- cve — CVE-2026-45585
- cve — CVE-2026-45655
- cve — CVE-2026-45658
- cve — CVE-2026-50507
- cve — CVE-2026-45586
- cve — CVE-2026-49160