June 2026 Patch Tuesday Shatters Records

▼ Summary
– Microsoft released a record 200 security patches for June’s Patch Tuesday, with nearly three dozen rated “critical” and exploit code public for at least three flaws.
– AI tools are increasingly used by engineers and security researchers to find bugs, which may make large patch volumes the new normal.
– Two zero-day bugs stem from disclosures by researcher “Nightmare Eclipse,” who claims to be a former Microsoft employee and has pledged more exploit releases.
– Microsoft patched a Visual Studio Code zero-day that allows GitHub token theft, after a researcher published exploit instructions due to a dispute over credit.
– Other major software makers, including Adobe and Google, also shipped large update bundles this month, with Google fixing 429 Chrome vulnerabilities.
Microsoft’s June 2026 Patch Tuesday has shattered all previous records, with the company releasing fixes for nearly 200 security vulnerabilities across Windows and supported software. Of those, almost three dozen earned the company’s most severe “critical” rating, and exploit code for at least three of the flaws is already publicly available.
The sheer volume of patches may not be a one-off event. Microsoft noted in a blog post last month that both its engineers and the broader security community are increasingly using artificial intelligence tools to identify bugs. Satnam Narang, senior staff research engineer at Tenable, said this suggests the trend is here to stay. “Some surveys put AI usage among security professionals generally at 90%, so it’s unsurprising that this volume of patches may be the norm,” Narang explained. “Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday.”
Among the zero-day bugs addressed this month is CVE-2026-49160, a denial of service vulnerability affecting a range of web servers, including Microsoft Internet Information Services (IIS). Microsoft says the flaw was reported by OpenAI’s Codex.
Two of the zero-days appear to originate from recent disclosures by Nightmare Eclipse, a pseudonymous security researcher who claims to be a former Microsoft employee. One of those, dubbed “GreenPlasma,” exploits an elevation of privilege weakness in the Windows Collaborative Translation Framework, the same framework patched in CVE-2026-45586. Last month, Nightmare Eclipse also released “YellowKey,” an exploit for a Windows BitLocker vulnerability that allows an attacker with physical access to view encrypted data. CVE-2026-50507 is a patch for an elevation of privilege bug in BitLocker.
Microsoft faced significant backlash on social media last month after suggesting in a blog post that it might pursue legal action against the researcher. The company later clarified on Twitter/X that while it has no intention of suing researchers, it would report them to authorities if they break the law. Notably, the advisories for CVE-2026-49160 and CVE-2026-50507 do not credit any researchers in the acknowledgement section, stating only that “Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.”
Nightmare Eclipse has pledged to release even more zero-day exploits for Windows in what they call a “bone shattering” drop planned for July 14, the same day as next month’s Patch Tuesday. Immediately after Microsoft’s patches went live today, the researcher published an exploit for what they claimed was a zero-day bug in Windows Defender.
While 200 vulnerabilities may be a record for Patch Tuesday, the actual number of security flaws Microsoft addressed this month is far higher. Rapid7’s Adam Barnett noted that “so far this month, Microsoft has provided patches to address 360 browser vulnerabilities, which is an order of magnitude more than has been typical in any given month over the past few years.” As usual, browser flaws are not included in the Patch Tuesday count. Barnett added that “the vast, and presumably sustained, uptick in the number of browser vulnerabilities has led to Microsoft no longer enumerating Chromium CVEs in the Security Update Guide.”
Microsoft also patched a zero-day vulnerability in Visual Studio Code that allows attackers to steal GitHub tokens with a single click. The company was forced to push a stopgap fix on June 3 after a researcher published instructions showing how to exploit it. The researcher said they opted not to work with Microsoft because of a recent experience where Redmond silently patched a flaw they reported without offering credit.
Microsoft battled its own internal zero-day emergencies last week after at least 72 of its public code repositories were infected with a variant of the Shai-Hulud worm. Researchers found that all affected packages were connected to Microsoft’s official Azure Durable Task SDK, which was hit by the same worm in May.
Other major software makers are also shipping outsized update bundles this month. Adobe has released fixes for a massive number of critical vulnerabilities across products including Adobe Experience Manager, Acrobat Reader, and ColdFusion. On June 3, Google resolved 429 vulnerabilities in its latest Chrome browser update. Chrome automatically downloads updates, but installing them usually requires a complete restart of the browser.
As always, back up your data before applying operating system updates, and let us know in the comments if you run into any issues with this month’s patches.
(Source: Krebs on Security)