Microsoft smashes document for largest ever Patch Tuesday replace
Microsoft has issued patches for about 200 flaws in its newest month-to-month Patch Tuesday drop, blasting previous a earlier document excessive of virtually 170 frequent vulnerabilities and exposures (CVEs) set in October 2025.
Amongst an ideal many others, the newest replace from Redmond fixes a complete of 32 vital CVEs and three zero-day flaws.
Dustin Childs, head of risk consciousness at TrendAI’s Zero Day Initiative, mentioned: “We’re heading right into a high-stakes summer time for cyber safety. June’s record-shattering drop … is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale. The present variety of CVEs shipped by Microsoft this yr exceeds the overall variety of CVEs shipped in all of 2018. It’s extraordinary that Microsoft can produce so many patches in a single month, and I count on many testers are questioning what high quality points might exist.”
And with the addition of a whole bunch of CVEs in Google Chrome and Microsoft Edge (Chromium) and different third-party flaws taking the overall to virtually 600, Chris Goettl, vp of safety product administration at Ivanti, mentioned discuss of a ‘Patch Apocalypse’ was not unwarranted.
“We’re within the Patch Apocalypse. The Patch Apocalypse is now,” mentioned Goettl. “This isn’t meant to be a scare tactic. It’s meant to stipulate the problem that many organisations have been anticipating, however the brand new era of LLMs [Large Language Models] has accelerated considerably within the first half of 2026.
“There are going to be extra CVEs resolved by distributors at a quicker and extra steady tempo than we have now ever seen beforehand. Sadly, this will even embrace extra zero-day and n-day exploits than beforehand seen as effectively. The window from launch from a vendor to exploitation had already shortened to 5 days as of 2023 risk intelligence information.”
Goettl mentioned that many suppliers have acknowledged the necessity to use AI instruments of their safety analysis to establish and resolve flaws, with Oracle, Google Chrome and Mozilla all upping the cadence of their updates. Whether or not or not Microsoft follows go well with stays to be seen.
Zero-days
This month’s zero-days are tracked as follows, in numerical order:
- CVE-2026-45586, an elevation of privilege (EoP) flaw in Home windows Collaborative Translation Framework (CTFMON);
- CVE-2026-49160, a denial of service (DoS) flaw in HTTP.sys;
- And CVE-2026-50507, a safety function bypass (SFB) flaw in Home windows BitLocker.
All three of those flaws carry CVSS scores of between six and eight, and all three have been reported publicly, however usually are not but recognized to have been exploited.
Alex Vovk, CEO and Co-Founding father of Action1, defined how CVE-2026-45586 may allow an area, authenticated attacker to realize system-level privileges with ease.
“The problem is brought on by improper hyperlink decision earlier than file entry, also called hyperlink following. A low-privilege foothold can turn into full system management when Home windows follows the incorrect hyperlink on the incorrect time,” mentioned Vovk.
“System entry can enable malware set up, protection evasion, credential theft, information modification, and deeper motion throughout the setting. For companies, this could enhance the impression of phishing, stolen credentials, or compromised commonplace person accounts.
“This patch ought to be prioritised. Though energetic exploitation will not be reported, such a bug can flip a minor native compromise into full endpoint management,” he added.
In the meantime, CVE-2026-49160 in HTTP.sys stems from an uncontrolled useful resource consumption situation that might enable an unauthenticated risk actor to trigger a DoS over the community.
“Whereas the vulnerability doesn’t expose information or enable code execution, it might disrupt companies that rely on affected Home windows methods,” mentioned Action1 president and co-founder Mike Walters.
“Profitable exploitation may disrupt net companies, inside functions, APIs [application programming interfaces], and enterprise methods that depend on affected Home windows HTTP companies. Outages might result in downtime, failed transactions, lack of productiveness, buyer impression, and elevated operational response prices.”
With exploitation thought-about extra probably, CVE-2026049160 is one other prime candidate for prioritisation, significantly since it’s each network-accessible and requires zero authentication.
Lastly, CVE-2026-50507 in Home windows BitLocker – arising from a safety mechanism failure in how BitLocker handles system encryption – allows an attacker to entry encrypted, saved information without having for credentials, if they’ve bodily entry to the system.
Whereas the necessity for bodily entry will probably be an efficient blocker for a lot of attackers, the potential impression is important, as Action1 vulnerability analysis director Jack Bicer famous.
“BitLocker is often relied upon to guard delicate enterprise and private information when gadgets are misplaced, stolen, or accessed by unauthorised people,” he mentioned. “A profitable bypass undermines this safety management and might expose confidential enterprise data, buyer information, mental property, monetary data, and controlled information.
“In environments the place endpoint encryption is a compliance requirement, exploitation may lead to regulatory publicity, breach notification obligations, reputational harm, and monetary losses.”
Companies with dispersed cellular estates and plentiful distant or hybrid staff ought to prioritise the repair for CVE-2026-50507, mentioned Bicer.
