Microsoft Patches Record 206 Flaws Including 3 Zero-Days and Critical RCE Bugs

Microsoft released fixes for a record 206 security vulnerabilities on Tuesday as part of its June 2026 Patch Tuesday cycle, including three publicly disclosed zero-day flaws. Of the total, 39 are rated Critical and 167 Important in severity. The breakdown includes 63 privilege escalation bugs, 56 remote code execution (RCE) flaws, 30 information disclosure issues, 27 spoofing vulnerabilities, 20 security feature bypasses, seven denial-of-service bugs, and three tampering flaws. The release also covers two non-Microsoft CVEs affecting Windows Kernel and UEFI Secure Boot, in addition to over 350 Chromium flaws addressed in Microsoft Edge.

Topping the list is CVE-2026-45657, a use-after-free vulnerability in the Windows Kernel carrying a CVSS score of 9.8. Microsoft warned that an attacker could exploit it by sending specially crafted network traffic to a vulnerable system, allowing code execution at system-level privileges without authentication or user interaction. Two other Critical RCEs include CVE-2026-47291 (CVSS 9.8), an integer overflow in Windows HTTP.sys, and CVE-2026-44815 (CVSS 9.8), a stack-based buffer overflow in the Windows DHCP Client. "This flaw needs no credentials or user action and can turn network traffic into a full system compromise," said Alex Vovk, CEO and co-founder of Action1, urging admins to prioritize DHCP-handling systems. Admins should run a port scanner to identify exposed services and an SSL/TLS checker to verify encrypted channels remain properly configured after patching.

Among the three publicly disclosed zero-days, CVE-2026-45585 (CVSS 6.8) is a Windows BitLocker security feature bypass for which researcher Chaotic Eclipse (aka Nightmare-Eclipse) released a proof-of-concept exploit called YellowKey last month. Additional security feature bypasses addressed this month include CVE-2026-45655 (CVSS 5.3), CVE-2026-45658 (CVSS 7.8), and CVE-2026-50507. The remaining zero-days and publicly disclosed flaws underscore the urgency of timely patching, particularly for systems exposed to network-borne attacks. Security teams should also verify credential hygiene across patched endpoints using a password checker to ensure no weak or compromised credentials remain in use.

With such a large volume of fixes, organizations are advised to prioritize the Critical RCE vulnerabilities and any zero-days relevant to their environment, then move to privilege escalation and security feature bypasses. Microsoft recommends applying updates immediately, especially for internet-facing systems running DHCP services, Windows Kernel components, or BitLocker. Organizations that have not yet inventoried their patch status should consider running a privacy checkup across the environment to identify misconfigurations that could amplify the impact of these newly disclosed flaws.