Microsoft Patches Record 206 Flaws, Including Three Zero Days and Critical RCE Bugs

Microsoft on Tuesday released fixes for a record 206 security vulnerabilities affecting its software portfolio, including three flaws that were publicly disclosed at the time of release.

Of the 206 flaws, 39 are rated Critical and 167 are rated Important. They include 63 privilege escalation flaws, 56 remote code execution flaws, 30 information disclosure flaws, 27 spoofing flaws, 20 security feature bypasses, seven denial-of-service flaws, and three vulnerabilities.

The patches also include two non-Microsoft CVEs, an escalation of privilege vulnerability affecting the Windows Kernel (CVE-2025-10263) and a UEFI Secure Boot security feature (CVE-2026-8863). They add to the more than 350 security flaws that Google has fixed in Chromium, which is used in Microsoft’s Edge browser.

Topping the list of fixes is CVE-2026-45657 (CVSS score: 9.8), a use-after-free vulnerability affecting the Windows Kernel that could result in remote code execution.

“An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system,” Microsoft said. “If successful, malicious network packets can cause a flaw in the way the Windows kernel processes certain TCP/IP data, potentially allowing an attacker to execute code with system-level privileges without requiring login or user interaction.”

Other notable vulnerabilities are listed below:

  • CVE-2026-47291 (CVSS score: 9.8) – Integer overflow or wraparound in Windows HTTP.sys that allows an unauthorized attacker to execute code over a network.
  • CVE-2026-44815 (CVSS score: 9.8) – A stack-based buffer overflow vulnerability in the Windows DHCP Client that allows an unauthenticated attacker to execute code over a network.

“This flaw requires no symptoms or user action and can turn network traffic into a full system compromise,” said Alex Vovk, CEO and co-founder of Action1, about CVE-2026-44815. “An attacker can send specially crafted network traffic to a system configured for DHCP services.”

“Successful exploitation may allow unauthorized use of code in the network with significant impact on privacy, integrity, and availability. This vulnerability poses a significant risk because DHCP is a core network function. Successful exploitation may involve server corruption, malware release, data theft, service interruption in the DH network, and deep CP manager should be treated as system traffic. Patches are very important.”

Microsoft has also released patches to address CVE-2026-45585 (CVSS score: 6.8), a Windows BitLocker security feature bypass vulnerability for which a proof-of-concept (PoC) called YellowKey was released by security researcher Chaotic Eclipse (also known as Nightmare-Eclipse) last month.

CVE-2026-45585 is one of several security vulnerabilities that Windows developers have faced this month –

“A successful attacker could bypass the BitLocker Device Encryption feature on a system storage device,” Microsoft said in its advisory on the three issues. “An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”

According to security researcher Will Dormann, CVE-2026-50507 has been tested to be the fix for a BitLocker bypass called bitskrieg that provides full access to encrypted data. CVE-2026-50507, along with CVE-2026-49160 and CVE-2026-45586, is listed as a publicly disclosed zero-day.

  • CVE-2026-45586 (CVSS score: 7.8) – Windows Collaborative Translation Framework (CTFMON) has a privilege escalation vulnerability
  • CVE-2026-49160 (CVSS score: 7.5) – HTTP.sys denial of service vulnerability

CVE-2026-49160 is related to HTTP2/Bomb, an attack method that can be used to knock web servers offline in seconds. In tests performed by Calif, an IIS server was found to drain 64 GB of RAM in about 45 seconds. To mitigate the attack, Microsoft introduced a new “MaxHeadersCount” registry setting to limit the number of headers in HTTP/2 and HTTP/3 requests.

“Limiting HTTP headers can help protect systems and servers from excessive memory usage, high CPU usage, and denial-of-service attacks,” Microsoft said. “Because HTTP/2 (HPACK) or HTTP/3 (QPACK) header compression is used with complex protocol processing, enforcing a header limit such as MaxHeadersCount can help maintain performance and reliability.”

On the other hand, CVE-2026-45586 is suspected to be a fix for a zero-day privilege escalation exploit released by Chaotic Eclipse under the name GreenPlasma.

Finally, the June 2026 update also patched MiniPlasma, a different vulnerability disclosed by Chaotic Eclipse as an incomplete fix for CVE-2020-17103, which was addressed by Microsoft in December 2020.

“To fully address the vulnerability identified by CVE-2020-17103 and recently named ‘MiniPlasma,’ Microsoft recommends that you install the June 2026 updates for your Windows operating systems,” the tech giant said in an update to its advisory.

An increasing number of patches have been attributed to the use of artificial intelligence (AI)-based vulnerability detection methods, which Microsoft says will continue in the future.

“The proverbial Pandora’s box has opened, and as more advanced AI models become available, we expect the trend to continue upward, not just with Patch Tuesday,” said Satnam Narang, senior staff research engineer at Tenable, in a statement.

Dustin Childs, head of threat awareness at TrendAI’s Zero Day Initiative (ZDI), described Microsoft’s dramatic drop in vulnerability as evidence of how AI is finding major flaws at an uncontrollable rate.

“The current number of CVEs reported by Microsoft this year exceeds the total number of CVEs reported in all of 2018,” Childs said. “It’s surprising that Microsoft can produce so many patches in one month, and I expect that many testers are wondering what quality problems there might be.”

The patches come as Chaotic Eclipse released a PoC exploit for another Microsoft Defender zero-day called RoguePlanet, describing it as a race condition that can be used to issue a Windows command with SYSTEM privileges.
