cyberivy
Tags: AI Security, Microsoft, Patch Tuesday, Zero-Day, Vulnerability Management, Windows, HTTP/2 Bomb, June 2026

Microsoft's record Patch Tuesday fixes 200 flaws and three zero-days

June 10, 2026

The Microsoft logo: four coloured squares next to the Microsoft wordmark

Microsoft's June 2026 Patch Tuesday is the largest in the programme's history: around 200 vulnerabilities, including 33 critical ones and three publicly disclosed zero-days — from a BitLocker bypass to the "HTTP/2 Bomb" in the Windows web stack.

What this is about

For its June 2026 Patch Tuesday (held as usual on the second Tuesday of the month, 9 June, with trade-press analyses following on 10 June), Microsoft released security updates for around 200 vulnerabilities. Outlets such as BleepingComputer and The Cyber Express rate the round as the largest single Patch Tuesday release in the programme's history. It includes 33 flaws rated critical and three zero-days that were publicly known before the patch.

A side note that matters: counts across security media vary between 198 and 206 vulnerabilities, depending on whether browser and third-party CVEs are included. That doesn't change the record-month classification.

What the three zero-days actually mean

CVE-2026-50507 is a security feature bypass in Windows BitLocker. Attackers can circumvent drive encryption — but only with physical access to the device. This mainly concerns stolen or lost laptops, not network attacks.

CVE-2026-49160 is a denial-of-service flaw in HTTP.sys, the kernel-mode HTTP listener that IIS, WinRM, WSUS and a number of other Windows services share. Behind it is the "HTTP/2 Bomb" publicly described in June 2026 by researchers at the offensive security firm Calif, which abuses how the HTTP/2 protocol compresses and manages headers. Because HTTP.sys runs in the kernel and is shared, a successful denial of service can affect every HTTP-based service on the host, not just the site that received the request. We covered the wider phenomenon, AI-assisted analysis surfacing weaknesses in old protocols faster, on 7 June 2026.

CVE-2026-45586 affects the Windows CTFMON process (ctfmon.exe, the Text Services Framework loader) and allows a local user to escalate privileges up to SYSTEM level, the classic move attackers use to take full control after initial access.

Beyond the zero-days, the round contains 54 remote code execution flaws. Notably affected: the Remote Desktop Client with eleven CVEs in a single month, plus Hyper-V and Microsoft Office with several critical RCE patches. In parallel, Windows 10 received the extended security update KB5094127.

Why it matters

The volume itself is part of the news. Security teams have to prioritise, test and roll out more patches in a single cycle than ever before — while three publicly known flaws mean exploit knowledge is already circulating. The trend toward ever-larger patch rounds also fits the picture vendors like Cisco painted in early June 2026: AI-assisted vulnerability research is accelerating the pace at which flaws are found and reported — on both the attacker and defender side.

In plain language

A patch day is like the day a caretaker replaces all the broken locks in a building. This time the list was longer than ever: 200 locks, three of which burglars already knew were faulty. Whoever fits the new locks quickly is safe — whoever waits leaves the door open even though copies of the key are already in circulation.

A practical example

A logistics company in Germany's Ruhr region runs 1,200 Windows clients, 80 servers and remote desktop access for 200 field staff. A sensible order this week: first the three zero-days and the eleven Remote Desktop CVEs on all externally reachable systems, target 48 hours. Remote Desktop Client flaws are typically triggered when a client connects to a malicious or compromised RDP server, so the field staff's notebooks, not only the gateway, belong in this first wave. Then the critical Hyper-V and Office flaws on servers and workstations within seven days. The BitLocker flaw ranks high for the field staff's notebooks, because theft is the realistic scenario there; a notebook that has no BitLocker protection at all is a separate finding, since the patch cannot help a drive that was never encrypted. Estimated effort: two person-days for prioritisation and staging; the rest runs through update distribution.
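The following PowerShell script is an added example, not code from the article, from Calif or from Microsoft. It collects, per host, the facts the triage above and the zero-day descriptions turn on: whether the required update is installed, whether HTTP.sys (CVE-2026-49160) or RDP is listening on a non-loopback address, whether the machine is a portable device, and whether its OS drive is BitLocker-protected (CVE-2026-50507). Assumptions: `$RequiredKb` defaults to KB5094127, the Windows 10 ESU update named in the article, and is a placeholder for any other Windows version (take the right KB from the Security Update Guide); laptops are detected from SMBIOS chassis types; HTTP.sys listeners are identified as TCP listeners owned by PID 4 (System). The tier names are this example's own.

```powershell
<#
  Added example (not from the article, Calif or Microsoft): per-host check for the
  June 2026 Patch Tuesday triage. Run in an elevated PowerShell 5.1+ session on the
  Windows host being assessed, or remotely via Invoke-Command.
  ASSUMPTION: $RequiredKb is only correct for Windows 10 ESU (KB5094127 per the article);
  for other Windows versions fill it from Microsoft's Security Update Guide.
#>
param(
    [string]$RequiredKb = 'KB5094127'
)

$loopback = @('127.0.0.1', '::1')
$report   = [ordered]@{ Host = $env:COMPUTERNAME }

# 1. Patch state: is the required cumulative/ESU update registered on this host?
$report.KbInstalled = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

# 2. HTTP.sys exposure (CVE-2026-49160). IIS, WinRM (5985/5986), WSUS and other services
#    all listen through HTTP.sys, which lives in the System process (PID 4).
$httpSysPorts = Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin $loopback } |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
$report.HttpSysPorts = ($httpSysPorts -join ',')

# 3. RDP exposure: a non-loopback listener on 3389 makes this host a remote-desktop endpoint.
#    The Remote Desktop Client CVEs additionally apply to every host whose users run mstsc.exe.
$report.RdpListening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin $loopback })

# 4. BitLocker (CVE-2026-50507) is a physical-access bypass, so it matters on portable devices
#    that actually rely on BitLocker. SMBIOS chassis types 8,9,10,14 = portable/laptop/notebook,
#    30,31,32 = tablet/convertible/detachable (ASSUMPTION: heuristic, adjust to your fleet).
$chassis = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes
$report.IsLaptop = [bool]($chassis | Where-Object { $_ -in 8, 9, 10, 14, 30, 31, 32 })

$report.BitLockerOn = $false
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {   # cmdlet absent where the feature is not installed
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report.BitLockerOn = ($null -ne $osVolume -and $osVolume.ProtectionStatus -eq 'On')
}
# A portable device without BitLocker is a configuration finding the patch cannot fix.
$report.UnencryptedPortable = ($report.IsLaptop -and -not $report.BitLockerOn)

# 5. Tiering in the article's order: reachable services and BitLocker-protected laptops
#    within 48 h, everything else unpatched within seven days.
$tier = 'Tier2-7d'
if ($report.IsLaptop -and $report.BitLockerOn)          { $tier = 'Tier1-48h' }
if ($report.HttpSysPorts -or $report.RdpListening)      { $tier = 'Tier1-48h' }
if ($report.KbInstalled)                                { $tier = 'Patched'   }
$report.Tier = $tier

[pscustomobject]$report
```

Run it across the fleet with your management tooling, collect the objects and sort by Tier. Note that WinRM itself appears as an HTTP.sys listener on 5985 on most managed servers, so the HttpSysPorts column will be non-empty almost everywhere; narrow "externally reachable" against your perimeter inventory rather than trusting the listener list alone. Get-HotFix only reports updates registered in Win32_QuickFixEngineering, which is sufficient for cumulative and ESU updates but not for store or Office updates.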

Scope and limits

Three caveats. First: "publicly disclosed" does not mean "actively exploited" — no widespread exploitation of the three zero-days was documented at patch time; that can change within days once patch diffing begins. Second: the numbers vary across sources (198 to 206 CVEs); anyone needing exact compliance reports should treat Microsoft's Update Guide as the authoritative source. Third: patching only protects managed systems — legacy machines without extended support and unmanaged devices remain the real risk, and even the biggest patch day does nothing against misconfigurations.

💡 In plain English

On its monthly repair day, Microsoft fixed more security holes in Windows than ever before: around 200. Three of them were already publicly known — which is dangerous because attackers know about them. Companies should therefore install the updates especially quickly.

Key Takeaways

  • Microsoft's June 2026 Patch Tuesday fixes around 200 vulnerabilities and counts as the largest Patch Tuesday round in the programme's history.
  • Three zero-days were publicly known before the patch: a BitLocker bypass (CVE-2026-50507), the HTTP/2 Bomb in HTTP.sys (CVE-2026-49160) and a CTFMON privilege escalation (CVE-2026-45586).
  • 33 flaws are rated critical, including 28 remote code execution vulnerabilities; the round contains 54 RCE flaws in total.
  • The Remote Desktop Client alone received eleven CVE patches in one month; Hyper-V and Office got several critical RCE fixes.
  • Windows 10 received the extended security update KB5094127 in parallel.
  • Externally reachable systems and field-staff notebooks should be patched within 48 hours as a priority.

FAQ

Which flaws should I patch first?

The three zero-days (CVE-2026-50507, CVE-2026-49160, CVE-2026-45586) and the eleven Remote Desktop Client CVEs on all externally reachable systems — ideally within 48 hours.

Are the zero-days already being actively exploited?

No widespread active exploitation was documented at patch time, but the flaws were publicly known. Once attackers analyse the patches, that can change quickly.

Why do outlets cite different counts (198 to 206)?

Counting methods differ depending on whether browser CVEs and third-party components are included. Microsoft's Security Update Guide is the authoritative source.

What does the HTTP/2 Bomb have to do with AI?

The underlying attack technique was described in June 2026 by researchers at the firm Calif and is cited as an example of how AI-assisted analysis speeds up the discovery of weaknesses in old protocols.
