Every second Tuesday of the month, Microsoft drops its security patches and IT departments everywhere reach for a strong beverage. In June 2026, they needed an IV drip.
200 Vulnerabilities. In One Day. A New Record.
Microsoft's June 2026 Patch Tuesday addressed 200 vulnerabilities in a single release — the largest in the program's history, blowing past the previous record of 167 CVEs set just eight months prior. Of those 200, 33 were rated Critical, including 28 remote code execution flaws. Six zero-day vulnerabilities were bundled in, with five publicly disclosed and one already actively exploited in the wild before a patch existed.
That headline figure also does not include the 360 additional Microsoft Edge and Chromium-based vulnerabilities patched concurrently. In total, Microsoft addressed more than 500 security issues across its ecosystem in a single day — which is either impressive security engineering or a concerning indicator of attack surface, and most likely both.
The Rogues Gallery: Exchange Attacks, BitLocker Bypasses, and an HTTP Bomb
The already-exploited flaw — CVE-2026-42897 — is an Exchange Server spoofing vulnerability that allows an attacker to trigger arbitrary JavaScript execution inside a target's Outlook Web Access session by sending a specially crafted email. No user click is required beyond receiving the message. Two separate BitLocker bypass vulnerabilities, codenamed YellowKey (CVE-2026-45585) and Mini-Plasma (CVE-2026-50507), allow physical attackers to access encrypted drives via Windows Recovery Environment exploitation. A flaw dubbed HTTP/2 Bomb (CVE-2026-49160) exploits HTTP/2 header compression to cause disproportionate memory consumption on servers, enabling denial-of-service attacks at scale.
GreenPlasma (CVE-2026-45586) rounds out the highlight reel: a Windows privilege escalation bug that leverages the Collaborative Translation Framework — a component with a name so innocuous it should have been suspicious — to reach SYSTEM-level access.
If your organization has not applied the June 2026 patches yet, the polite version of this recommendation is: cancel whatever meeting follows this article and go do that now.
Source: BleepingComputer