Microsoft ships largest Patch Tuesday on record, with one bug under active attack

Microsoft on Tuesday released fixes for more than 200 security flaws, the largest Patch Tuesday in the program's history and the latest sign of how artificial intelligence is reshaping vulnerability discovery.

Microsoft's monthly release for June listed 206 of its own CVEs, though the company does not promote a single headline figure for the monthly total and trackers apply different methods for deciding what to count.

Trend Micro's Zero Day Initiative (ZDI) counted 208 CVEs from Microsoft and said it was by far the largest monthly release it had ever seen, eclipsing a previous record of 177 set last year. Tenable counted 198, omitting several CVEs it said were resolved through servicing or disclosed by other vendors, but likewise called it the largest release since the program began.

The release day marks the start of a regular cycle for cybersecurity defenders. Once a patch is out, attackers pick it apart in an attempt to reverse-engineer the holes it plugs and then race to break into machines that haven't updated yet.

Microsoft’s security leadership acknowledged last month that AI tools are driving a surge in vulnerability discovery across the industry. Tom Gallagher, vice president of engineering at Microsoft’s Security Response Center, said in a blog post that the company expects Patch Tuesday releases to continue trending larger.

Alongside its May release, Microsoft disclosed an internal system, codenamed MDASH, that it said had independently found 16 of that month's vulnerabilities before any human researcher flagged them. This month, ZDI said one of the publicly disclosed flaws appeared to have been found the same way.

The surge echoes a warning issued in April by Britain's National Cyber Security Centre, which cautioned that organizations should prepare for a wave of urgent updates driven by AI-assisted discovery. ZDI noted that the number of CVEs Microsoft has shipped so far in 2026 already exceeded the total for all of 2018.

The one that could spread on its own

The flaw many researchers find most alarming is yet to be observed in the wild. Tracked as CVE-2026-45657, and rated 9.8 out of 10 in terms of severity, the bug sits deep in the Windows core and would let a remote attacker take full control of a machine with no action from the user.

ZDI described it as “wormable,” meaning an attack could jump from one computer to the next across a network on its own — the same self-spreading quality behind global outbreaks like the 2017 WannaCry attack, which crippled hospitals and businesses worldwide. Microsoft itself rated the flaw “less likely” to be exploited, but ZDI said that offered little reassurance.

The bug lies in how the Windows kernel, the most privileged layer of the operating system, processes network traffic, which is what makes it reachable over a network in the first place. Researchers and exploit developers were already pulling the patch apart to reconstruct the underlying flaw, ZDI said, urging organizations to install the fix without delay.

One bug under attack

One flaw that has been exploited in the wild is tracked as CVE-2026-41091 and rated 7.8 out of 10. The issue affects Microsoft Defender, the antivirus built into Windows. The elevation-of-privilege bug would hand an attacker who already has a foothold on a system the keys to the entire machine.

Microsoft said an attacker could trick Defender into writing a malicious file to a protected location, granting them the highest level of control over the system. The U.S. Cybersecurity and Infrastructure Security Agency had added the bug to its catalog of actively exploited flaws on May 20.

Three zero-day flaws were also disclosed, including a BitLocker bypass tracked as CVE-2026-50507. The issue means that the feature — intended to encrypt the contents of a Windows laptop so a thief who steals it can't read the drive — can be bypassed.

Both of those CVEs are tied to a researcher who goes by the name Nightmare Eclipse and has been locked in a months-long standoff with Microsoft.

The pseudonymous researcher began posting working exploit code for unpatched Windows flaws to GitHub in April, citing grievances that Microsoft had deleted their bug-reporting account — a claim which Microsoft denies — withheld bounty payments and stripped their name from at least one advisory.

Microsoft initially condemned the releases as “never justifiable” and said its Digital Crimes Unit would keep pursuing those who enable cybercrime, before walking back the apparent threat after a backlash from the security community.

Nightmare Eclipse has said more is coming, threatening a fresh release of Windows exploit code on July 14 — the date of the next Patch Tuesday.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79