Mon 06 Jul 2026 / 13:12 ET
Kernel
Security 4 min read

Microsoft fixes nearly 200 flaws in record Patch Tuesday

June’s Microsoft security release includes critical Windows fixes, public exploit code, AI-reported bugs and a messy disclosure fight.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

Microsoft shipped updates for nearly 200 security flaws across Windows and supported products in its June Patch Tuesday release, the largest monthly patch load the company has issued for that cycle. Microsoft rated nearly three dozen of the vulnerabilities critical, and exploit code for at least three flaws is already public.

For administrators, the practical message is boring and unpleasant: this is a big testing and deployment week. Several of the bugs affect core Windows components or developer tooling, and some have moved beyond theoretical risk because researchers have published working attack details.

Satnam Narang, senior staff research engineer at Tenable, said the volume may reflect a broader change in vulnerability hunting. Microsoft said in a May blog post that its engineers and outside researchers are increasingly using artificial intelligence tools to find bugs. Narang said some surveys put AI use among security professionals at about 90 percent, and he expects patch volumes to keep rising as stronger models become available.

Zero-days and public exploits

One June zero-day, CVE-2026-49160, is a denial-of-service flaw affecting multiple web servers, including Microsoft Internet Information Services. Microsoft said the issue was reported by OpenAI’s Codex.

Two other patched flaws appear tied to disclosures by a researcher using the name Nightmare Eclipse, who has been releasing Windows exploit material. One exploit, called GreenPlasma, uses an elevation-of-privilege weakness in the Windows Collaborative Translation Framework. Microsoft’s June release includes CVE-2026-45586, a patch for that framework.

Nightmare Eclipse also released YellowKey, described as an exploit for a Windows BitLocker issue that lets an attacker with physical access view encrypted data. Microsoft’s June patches include CVE-2026-50507, an elevation-of-privilege fix for BitLocker.

Microsoft drew criticism last month after saying in a blog post that it was considering legal action against the researcher. The company later said on X that it did not intend to sue researchers, but would report people to authorities if they broke the law. Microsoft’s advisories for CVE-2026-49160 and CVE-2026-50507 do not name individual researchers in the acknowledgements.

Nightmare Eclipse claims to be a former Microsoft employee, a claim Microsoft has not answered publicly. Rapid7 noted that a recent Nightmare Eclipse post used an image of Albert Wesker, a Resident Evil character who worked as a researcher before going rogue. Cute theme, ugly operational problem.

The researcher has promised more Windows zero-day releases on July 14, the date of next month’s Patch Tuesday. After Microsoft published the June fixes, Nightmare Eclipse posted what they claimed was an exploit for a Windows Defender zero-day.

Browser and developer tool fixes add to the count

Rapid7’s Adam Barnett said the nearly 200 Patch Tuesday entries understate Microsoft’s total June security work. Barnett wrote that Microsoft has already provided patches for 360 browser vulnerabilities this month, far above typical monthly levels in recent years. Browser flaws are not included in the Patch Tuesday total, and Barnett said Microsoft no longer lists Chromium CVEs individually in its Security Update Guide because of the sustained increase.

Microsoft also patched a Visual Studio Code zero-day that can let attackers steal GitHub tokens with a single click. The company issued an interim fix on June 3 after a researcher published exploitation instructions. The researcher said they avoided Microsoft’s coordinated disclosure process because Microsoft had previously patched a reported flaw without giving credit or recognition.

Microsoft also had an internal supply-chain mess last week. Researchers said at least 72 public Microsoft code repositories were infected with a variant of the Shai-Hulud worm. StepSecurity reported that the affected packages were connected to Microsoft’s official Azure Durable Task SDK, which Open Source Malware said had been hit by the same worm in May.

Other vendors are pushing large security updates too. Adobe released fixes for critical vulnerabilities in products including Adobe Experience Manager, Acrobat Reader and ColdFusion. Google fixed 429 Chrome vulnerabilities on June 3. Chrome downloads updates automatically, but users often need to restart the browser before the update actually takes effect.

This story draws on original reporting from Krebs on Security.

More Security/

view all ↗