Microsoft released its largest-ever Patch Tuesday security update on June 9, 2026, fixing a record 206 vulnerabilities across Windows and other Microsoft products — shattering the previous monthly high and signaling a new era of AI-amplified bug discovery.
The update includes fixes for three publicly disclosed zero-day vulnerabilities, all rated "Exploitation More Likely" by Microsoft, along with a raft of critical remote code execution flaws. A self-described former Microsoft employee who goes by the alias "Nightmare Eclipse" has threatened to release additional exploits next month.
Three Zero-Days Patched
The most notable zero-day fixed this month is CVE-2026-49160, a denial-of-service vulnerability in Windows HTTP.sys — the kernel-level driver that powers Internet Information Services (IIS) and numerous applications relying on HTTP communications. The flaw is linked to the HTTP/2 Bomb technique, where a small crafted request forces servers to expand data disproportionately, exhausting system resources. An exploit for this vulnerability was submitted by OpenAI's Codex AI coding assistant.
The second zero-day, CVE-2026-45586, is an elevation-of-privilege flaw in the Windows Collaborative Translation Framework — the CTFMON process managing text input and language services. It shares infrastructure with the publicly released "GreenPlasma" exploit and can elevate attackers to SYSTEM-level access.
The third zero-day, CVE-2026-50507, bypasses BitLocker full-disk encryption protections. Dubbed the "YellowKey" exploit, it requires physical access to a device but defeats enterprise data-at-rest protections entirely — a critical risk for lost or stolen laptops.
The Nightmare Eclipse Saga
Two of the three zero-days are linked to Nightmare Eclipse, a pseudonymous security researcher who claims to be a former Microsoft employee. The alias, referencing the rogue researcher character from the Resident Evil game series, has become a flashpoint in the security community.
Nightmare Eclipse has pledged a "bone shattering" release of additional Windows zero-day exploits on July 14 — the date of next month's Patch Tuesday. Immediately after Microsoft released June's patches, the researcher published an exploit for a claimed unpatched Windows Defender zero-day.
Microsoft faced backlash last month after initially stating it would consider legal action against the researcher, later clarifying it would only report researchers to authorities if they break the law.
AI Is Driving the Vulnerability Flood
Security experts say this record-breaking patch volume is not a one-off. Satnam Narang, senior staff research engineer at Tenable, told Krebs on Security that widespread AI adoption for vulnerability discovery is the primary driver: "Some surveys put AI usage among security professionals generally at 90%, so it's unsurprising that this volume of patches may be the norm."
Beyond the official 206 count, 360 browser vulnerabilities were also patched this month — an order of magnitude higher than typical monthly counts. Microsoft has stopped enumerating Chromium CVEs in its public Security Update Guide due to the sustained surge in browser flaws.
What You Should Do
Security teams should prioritize the HTTP.sys vulnerabilities for internet-facing systems first, then address the BitLocker bypass for mobile devices. With a researcher threatening to drop more exploits in July, delaying updates is no longer a viable strategy.
Top comments (0)