Microsoft June Patch Tuesday: Record 200 Security Flaws Patched

Microsoft released nearly 200 security patches for Windows and supported software in its latest Patch Tuesday, a record for the company. According to Satnam Narang, a senior staff research engineer at Tenable, the integration of artificial intelligence tools by both engineers and security professionals is driving this surge in bug discovery, signaling a new baseline for software vulnerability management.

Why is the number of software vulnerabilities increasing?

The volume of security fixes is rising because AI tools now automate the discovery of software flaws. Satnam Narang of Tenable notes that some surveys place AI usage among security professionals at 90%. This shift means the record-breaking number of patches seen this month may become the standard for future update cycles.

Concrete evidence of this trend appeared in the June updates. Microsoft reported that OpenAI’s Codex discovered CVE-2026-49160, a denial of service vulnerability affecting web servers including Microsoft Internet Information Services (IIS).

Did you know? Microsoft’s own internal infrastructure isn’t immune. Last week, at least 72 of the company’s public code repositories were infected with a variant of the Shai-Hulud worm, specifically targeting packages connected to the Azure Durable Task SDK.

How do browser flaws differ from standard OS patches?

There is a significant gap between official Patch Tuesday counts and the total number of vulnerabilities addressed. Adam Barnett of Rapid7 reports that Microsoft provided patches for 360 browser vulnerabilities this month, a figure an order of magnitude higher than typical monthly averages over recent years.

These browser flaws are not included in the primary Patch Tuesday tally. According to Barnett, the sustained uptick in Chromium-based vulnerabilities has led Microsoft to stop enumerating Chromium CVEs in its Security Update Guide entirely.

Comparison of June Vulnerability Volumes

Category	Approximate Fixes	Source
Windows OS/Software	~200	Microsoft
Browser Flaws	360	Rapid7
Google Chrome	429	Google

What is the impact of rogue researchers like Nightmare Eclipse?

The relationship between software vendors and the security community is becoming strained. A researcher using the pseudonym “Nightmare Eclipse” has released several exploits, including “GreenPlasma,” which targets an elevation of privilege weakness in the Windows Collaborative Translation Framework (CVE-2026-45586).

View this post on Instagram about Nightmare Eclipse

From Instagram — related to Nightmare Eclipse

Nightmare Eclipse also released “YellowKey,” an exploit for a BitLocker vulnerability (CVE-2026-50507) that lets attackers with physical access view encrypted data. This researcher claims to be a former Microsoft employee, though Microsoft has not confirmed this. Rapid7 noted the researcher uses imagery of Albert Wesker, a fictional “rogue” researcher from the Resident Evil series.

Tensions peaked last month when Microsoft suggested legal action against the researcher in a blog post. The company later clarified on X (formerly Twitter) that it does not intend to sue researchers unless they break the law. Despite this, the advisories for CVE-2026-49160 and CVE-2026-50507 do not credit any specific researchers.

Pro Tip: Always back up your critical data before applying operating system updates. While patches fix holes, update failures can occasionally lead to system instability or data loss.

How are other tech giants reacting to these security trends?

The trend of outsized update bundles extends beyond Microsoft. Adobe recently released a massive set of updates to fix critical vulnerabilities in Acrobat Reader, Cold Fusion, and Adobe Experience Manager. Similarly, Google resolved 429 vulnerabilities in a Chrome browser update on June 3.

Microsoft Patch Tuesday Record: 206 Fixes, 3 Zero-Days | Ivanti, Fortinet, SAP & ServiceNow

This pattern suggests a broader industry shift. As AI-driven bug hunting becomes more accessible, the window between a vulnerability’s creation and its discovery is shrinking. This forces companies to push more frequent and larger updates to stay ahead of exploit code that often becomes public quickly.

Frequently Asked Questions

What is a zero-day vulnerability?

A zero-day is a security hole that is known to attackers before the software vendor has a patch available, leaving the vendor with “zero days” to fix it before it can be exploited.

Why is AI making software less secure?

AI doesn’t necessarily make software less secure, but it makes finding flaws faster. According to Tenable, both defenders and attackers are using AI, which increases the volume of bugs discovered and the speed at which exploits are written.

Should I be worried about the “Nightmare Eclipse” exploits?

Users should ensure their systems are fully updated. The exploits mentioned, such as those for BitLocker and the Translation Framework, are addressed in the latest Microsoft security updates.

Do you have questions about this month’s patches or encounter issues after updating? Let us know in the comments below or subscribe to our newsletter for the latest security alerts.