Overview
- On June 9 Microsoft released a record-breaking Patch Tuesday that fixed roughly 200 Microsoft vulnerabilities (reports vary from 198–208) and pushed the month’s total into the mid‑hundreds when Chromium and other third‑party fixes are counted.
- The bundle included three publicly disclosed zero‑days and multiple critical remote code execution and privilege‑escalation bugs that affect the Windows kernel, HTTP.sys, DHCP client and BitLocker among other components.
- Microsoft patched an Exchange Server zero‑day tracked as CVE-2026-42897 that CISA had added to its Known Exploited Vulnerabilities list and urged immediate fixes for affected Exchange versions.
- Reporting conflicted about active exploitation of some flaws: one outlet and trackers say Defender flaw CVE-2026-41091 is being used in the wild while others report no confirmed widespread exploitation, and an independent researcher known as Nightmare Eclipse has published multiple proof‑of‑concepts (RoguePlanet, YellowKey, GreenPlasma) and signaled further exploit drops.
- Security vendors and researchers say widespread use of AI tools is accelerating discovery, creating a ‘patch tsunami’ that forces rapid testing, registry workarounds (for example for HTTP.sys header limits), and changes to patch‑management and regulatory prioritization.