ComputerWeekly

Microsoft smashes record for biggest ever Patch Tuesday update


Microsoft has issued patches for about 200 flaws in its latest monthly Patch Tuesday drop, blasting past a previous record high of almost 170 common vulnerabilities and exposures (CVEs) set in October 2025.

Among a great many others, the latest update from Redmond fixes a total of 32 critical CVEs and three zero-day flaws.

Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative, said: “We are heading into a high-stakes summer for cyber security. June’s record-shattering drop … is a stark warning that AI is supercharging flaw discovery at an uncontrollable scale. The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018. It is extraordinary that Microsoft can produce so many patches in a single month, and I expect many testers are wondering what quality issues may exist.”

And with the addition of hundreds of CVEs in Google Chrome and Microsoft Edge (Chromium) and other third-party flaws taking the total to almost 600, Chris Goettl, vice president of security product management at Ivanti, said talk of a ‘Patch Apocalypse’ was no longer unwarranted.

“We are in the Patch Apocalypse. The Patch Apocalypse is now,” said Goettl. “This is not intended to be a scare tactic. It is meant to outline the challenge that many organisations were anticipating, but the new generation of LLMs [Large Language Models] has accelerated significantly in the first half of 2026. 

“There are going to be more CVEs resolved by vendors at a faster and more continuous pace than we have ever seen previously. Unfortunately, this will also include more zero-day and n-day exploits than previously seen as well. The window from release from a vendor to exploitation had already shortened to five days as of 2023 threat intelligence data.”

Goettl said that many suppliers have acknowledged the need to use AI tools in their security research to identify and resolve flaws, with Oracle, Google Chrome and Mozilla all upping the cadence of their updates. Whether or not Microsoft follows suit remains to be seen.

Zero-days

This month’s zero-days are tracked as follows, in numerical order:

  • CVE-2026-45586, an elevation of privilege (EoP) flaw in Windows Collaborative Translation Framework (CTFMON);
  • CVE-2026-49160, a denial of service (DoS) flaw in HTTP.sys;
  • And CVE-2026-50507, a security feature bypass (SFB) flaw in Windows BitLocker.

All three of these flaws carry CVSS ratings of between six and eight, and all three have been reported publicly, but are not yet known to have been exploited.

Alex Vovk, CEO and co-founder of Action1, explained how CVE-2026-45586 could enable a local, authenticated attacker to gain system-level privileges with ease.

“The issue is caused by improper link resolution before file access, also known as link following. A low-privilege foothold can become full system control when Windows follows the wrong link at the wrong time,” said Vovk.

“System access can allow malware installation, defense evasion, credential theft, data modification, and deeper movement across the environment. For businesses, this can increase the impact of phishing, stolen credentials, or compromised standard user accounts. 

“This patch should be prioritised. Even though active exploitation is not reported, this type of bug can turn a minor local compromise into full endpoint control,” he added.

Meanwhile, CVE-2026-49160 in HTTP.sys stems from an uncontrolled resource consumption issue that could allow an unauthenticated threat actor to cause a DoS over the network.

“While the vulnerability does not expose data or allow code execution, it can disrupt services that depend on affected Windows systems,” said Action1 president and co-founder Mike Walters.

“Successful exploitation could disrupt web services, internal applications, APIs [application programming interfaces], and business systems that rely on affected Windows HTTP services. Outages may lead to downtime, failed transactions, loss of productivity, customer impact, and increased operational response costs.”

With exploitation considered more likely, CVE-2026-49160 is another prime candidate for prioritisation, particularly since it is both network-accessible and requires zero authentication.

Finally, CVE-2026-50507 in Windows BitLocker – arising from a protection mechanism failure in how BitLocker handles device encryption – enables an attacker to access encrypted, stored data with no need for credentials, if they have physical access to the device.

While the need for physical access will be an effective blocker for many attackers, the potential impact is significant, as Action1 vulnerability research director Jack Bicer noted.

“BitLocker is commonly relied upon to protect sensitive business and personal data when devices are lost, stolen, or accessed by unauthorised individuals,” he said. “A successful bypass undermines this security control and can expose confidential business information, customer data, intellectual property, financial records, and regulated data.

“In environments where endpoint encryption is a compliance requirement, exploitation could result in regulatory exposure, breach notification obligations, reputational damage, and financial losses.”

Businesses with dispersed mobile estates and plentiful remote or hybrid workers should prioritise the fix for CVE-2026-50507, said Bicer.


