Microsoft Ships Record June 2026 Patch Tuesday Update, Fixing Nearly 200 Flaws

Microsoft has released its June 2026 Patch Tuesday updates, addressing close to 200 security vulnerabilities across Windows and supported products. The total marks a new high for the company’s monthly...

Microsoft has released its June 2026 Patch Tuesday updates, addressing close to 200 security vulnerabilities across Windows and supported products. The total marks a new high for the company’s monthly maintenance cycle, and nearly three dozen of the issues were classified as critical.

At least three of the vulnerabilities already have publicly available exploit code, raising the urgency for organizations that manage Windows environments. Security researchers said the size of this month’s release reflects a broader trend: both vendors and attackers are increasingly using AI-assisted methods to uncover flaws faster than in previous years.

Notable zero-day issues

Among the most important fixes is CVE-2026-49160, a denial-of-service vulnerability affecting multiple web server implementations, including Microsoft Internet Information Services. Microsoft said the issue was reported by OpenAI’s Codex. The company also patched CVE-2026-50507, an elevation-of-privilege flaw in BitLocker, and CVE-2026-45586, another elevation-of-privilege issue tied to the Windows Collaborative Translation Framework.

Two of this month’s zero-days were linked to disclosures from a researcher operating under the alias Nightmare Eclipse, who has recently published exploit code for a number of Windows bugs. One of the publicly discussed exploits, GreenPlasma, targets the translation framework flaw. Another, YellowKey, focused on a BitLocker weakness that could expose encrypted data on a system with physical access.

Microsoft’s handling of the researcher drew attention last month after the company suggested it might pursue legal action. It later clarified that it does not intend to sue security researchers, though it may notify authorities if laws are broken.

Broader patching activity

Security teams noted that the Patch Tuesday count does not include browser updates. According to Rapid7, Microsoft has already issued fixes for hundreds of Chromium-related browser vulnerabilities this month as well. Microsoft also addressed a zero-day in Visual Studio Code that could let an attacker steal GitHub tokens with a single click.

  • Nearly 200 Microsoft vulnerabilities fixed in June
  • Almost 30 critical issues included
  • At least three flaws have public exploit code
  • Browser and developer-tool fixes add to the total patch burden

Administrators are being advised to prioritize deployment, test updates in stages, and back up important data before applying system-wide changes.