Microsoft pushed patches for a record 200+ vulnerabilities in its June Patch Tuesday. The figure comes after Verizon’s annual data breach report showed that software exploitation was the primary cause of data breaches for the first time – outstripping the use of stolen credentials and phishing.

Among them, an authentication bypass CVSS 10 bug in Azure’s managed Postgres service HorizonDB. That’s been fixed upstream and Microsoft is standing firm on its Secure Futures Initiative (SFI) to allocate CVEs for cloud bugs even if they are, as they ultimately must be, invisibly patched.

Redmond’s monthly patch cycle is a useful proxy to track a steady growth in disclosed vulnerabilities. And, as the Zero Day Initiative’s Dustin Childs notes, it’s already pushed fixes for more bugs this year than it did in all of 2018. 

Childs fretted over the patch volume: “It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns. 

He wondered aloud: “How many of these cases were found using AI tools? How many patches were generated using AI to assist in coding or testing?”

“What quality issues may exist in these patches?”

Chart credit: Verizon.

Under attack? Defender.

One of the bugs patched by Microsoft this month is listed as under active exploitation: Microsoft Defender elevation of privilege (EoP) bug CVE-2026-41091; one of the six disclosed outside of formal channels by a security researcher posting as “Chaotic Eclipse”, who is widely understood to be a former Redmond employee – and who has been named widely.

Hours after Patch Tuesday’s fixes landed, they posted a fresh vulnerability dubbed “RoguePlanet”; a race condition EoP bug in Defender affecting Windows 11, 10, and Server installations. The POC works for Windows, but not currently for Server, they said, claiming to have run out of steam on it.

(The security researcher’s GitHub repositories with various POCs were removed from the internet by Redmond. The researcher, who is locked in a deep dispute with Microsoft, has now published them anew to a fresh repository. The Stack is sharing them to help keep defenders informed.)

See also: Microsoft looks to turn down temperature amid ongoing "Nightmare Eclipse" spat

Another highlight is a CVSS 9.8, pre-auth RCE Windows Kernel (gulp) bug tracked as CVE-2026-45657. The vulnerability lets a remote attacker execute code as SYSTEM without user interaction. Redmond says exploitation involves triggering “a flaw in how the Windows kernel processes certain TCP/IP data.” It found it internally and says exploitation is “less likely.”

(A recent Red Team report by Anthropic suggested that its Mythos Preview model developed exploits for 18 of 21 Microsoft bugs it tested – 14 of them had been marked “Exploitation Less Likely" or "Exploitation Unlikely.")

Rapid7’s Adam Barnett also flagged the following: CVE-2026-49975 aka “HTTP/2 Bomb” and CVE-2026-42902, an EoP bug in “PowerToys.”

He said: “Microsoft has not yet directly addressed another HTTP/2 vulnerability which allows trivial denial-of-service against the default HTTP/2 configuration of multiple web server platforms, including Microsoft IIS.

“CVE-2026-49975, also known as HTTP/2 Bomb, became public knowledge a week ago. This denial of service works by exhausting memory on the target server, and unlike a distributed denial of service attack, there is no requirement that an attacker control a large amount of bandwidth. Patches are available for NGINX and Apache, with IIS presumably to follow at some point. If practically possible, disabling HTTP/2 is a valid mitigation…”
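For administrators who want to apply the mitigation Barnett describes on IIS hosts while waiting for a patch, the following is an added example (not from the article, Rapid7 or Microsoft) of how to audit and, if chosen, disable HTTP/2 in HTTP.sys. It assumes the documented HTTP.sys registry values EnableHttp2Tls and EnableHttp2Cleartext, which disable HTTP/2 for TLS and cleartext listeners respectively when set to 0; the change only takes effect after a reboot, and it applies to every HTTP.sys listener on the machine, not just IIS sites, so weigh the performance and compatibility cost before rolling it out.

```powershell
# Added example: audit and optionally disable HTTP/2 in HTTP.sys (IIS) as a
# stop-gap mitigation for the HTTP/2 Bomb denial of service described above.
# Run elevated. Supports -WhatIf via SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Pass -Disable to write the registry values; without it the script only reports.
    [switch]$Disable
)

# Documented HTTP.sys parameters key and the two HTTP/2 toggles (assumption: present
# on Windows Server 2016 and later; absent values mean the Windows default applies).
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$values = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    # Returns one row per toggle: raw registry value and a human-readable state.
    foreach ($name in $values) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.$name } else { $null }
        $state = if ($null -eq $raw) { 'default (enabled)' }
                 elseif ($raw -eq 0) { 'disabled' }
                 else                { 'enabled' }
        [pscustomobject]@{ Value = $name; Raw = $raw; State = $state }
    }
}

Write-Host "HTTP.sys HTTP/2 settings on $env:COMPUTERNAME:"
Get-Http2State | Format-Table -AutoSize

if ($Disable) {
    foreach ($name in $values) {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set to 0 (disable HTTP/2)')) {
            # DWORD 0 disables HTTP/2 for that listener type; -Force overwrites an existing value.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    Write-Host 'HTTP/2 disabled in the registry; reboot for HTTP.sys to apply the change.'
    Get-Http2State | Format-Table -AutoSize
}
```

Run it without arguments first to record the current state for change tracking, then with `-Disable -WhatIf` to preview, and finally `-Disable` to apply. Re-enable later by setting both values back to 1 (or deleting them) and rebooting once the IIS fix ships.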

Barnett added that the Microsoft PowerToys utility provides a wide variety of control and configuration options for Windows power users… [and] an undocumented extra: local elevation of privilege to SYSTEM via CVE-2026-42902: “It is worth noting that the fix was included in PowerToys v0.99.1 on April 29, 2026, without any apparent mention in the release notes. Attackers with patch-diffing toolkits may well take note of this discrepancy.”
