206 Patches Later: Microsoft's Very Busy Tuesday

If Patch Tuesday were a gym, June was the month Microsoft skipped leg day and then tried to squat the entire rack at once. The tally for this round: 206 vulnerabilities fixed in a single release. That's not a security update, that's a moving sale.

Two Bugs You Should Fear

Buried in that pile of 206 are 37 Critical vulnerabilities and three publicly disclosed zero-days, but two flaws stand out for sheer menace. CVE-2026-45657 is a Windows Kernel remote code execution bug with a CVSS score of 9.8, built from use-after-free and heap-overflow flaws that let an unauthenticated attacker run code with SYSTEM privileges. No clicking required.

Its evil twin is CVE-2026-47291, a 9.8-rated HTTP.sys flaw stemming from integer overflow and heap-based buffer overflow. It lets remote attackers execute code on affected servers with zero user interaction, which is a fancy way of saying the server gets owned while everyone's at lunch.

Wormable Is the Scary Word

The term security teams dread is wormable, and a 9.8 unauthenticated kernel RCE is exactly the kind of bug that earns it. Wormable means an attacker doesn't need to trick a human. Malware can hop from machine to machine on its own, the way WannaCry turned a single foothold into a global headline back in the day.

The uncomfortable truth is that the clock starts the moment these advisories go public. Attackers reverse-engineer patches to build exploits, and unpatched systems become a countdown. The 206 number is impressive, but the only number that matters is how many of them you've actually installed.

Patch Now, Panic Later

Three zero-days means at least three of these were already known before the fix shipped, so this isn't theoretical homework. It's the kind of update you apply before reading the rest of this sentence.

Microsoft did the hard part by finding and fixing 206 holes. The easy part, clicking update, is somehow still the step everyone skips. Don't be the cautionary tale in next month's breach report.
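Clicking update on one machine is easy; knowing that every machine actually took the update is the part that gets skipped. The script below is an added example, not part of the original article or anything published by Microsoft or CrowdStrike. It pulls the installed-update list from a set of Windows hosts, flags any that are missing the KBs you care about or have not installed anything since the release date, and then checks the local machine for updates still waiting in the queue. The KB identifiers, hostnames and release date are placeholders and constructed sample values that you must replace with the real ones from Microsoft's release notes and your own inventory.

```powershell
# Added example: post-Patch-Tuesday compliance sweep (defender's view).
# PLACEHOLDER values below are assumptions, not taken from the article.
$RequiredKBs = @('KB0000001', 'KB0000002')        # PLACEHOLDER: cumulative update IDs for this release
$Computers   = @('WS-01', 'WS-02', 'SRV-WEB-01')   # constructed sample hostnames
$ReleaseDate = Get-Date '2026-06-09'               # PLACEHOLDER: the Patch Tuesday date being checked

$results = foreach ($c in $Computers) {
    try {
        # Get-HotFix enumerates installed Windows updates (QFEs) on the target.
        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop
        $missing   = @($RequiredKBs | Where-Object { $_ -notin $installed.HotFixID })
        $lastPatch = ($installed |
            Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1).InstalledOn

        [pscustomobject]@{
            Computer      = $c
            MissingKBs    = ($missing -join ',')
            LastInstalled = $lastPatch
            Compliant     = ($missing.Count -eq 0)
            # Stale = nothing has been installed since the release shipped.
            Stale         = (-not $lastPatch) -or ($lastPatch -lt $ReleaseDate)
        }
    } catch {
        # An unreachable host is treated as non-compliant, never as "probably fine".
        [pscustomobject]@{
            Computer      = $c
            MissingKBs    = 'UNREACHABLE'
            LastInstalled = $null
            Compliant     = $false
            Stale         = $true
        }
    }
}

# Non-compliant hosts sort to the top so they are the first thing you see.
$results | Sort-Object Compliant, Computer | Format-Table -AutoSize

# Local follow-up: what is still sitting in the Windows Update queue on this box?
# Uses the Windows Update Agent COM API; IsInstalled=0 selects pending updates.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
if ($pending.Count -gt 0) {
    Write-Host "Pending updates on $env:COMPUTERNAME:"
    $pending | ForEach-Object { Write-Host " - $($_.Title)" }
} else {
    Write-Host "No pending updates on $env:COMPUTERNAME."
}
```

Run it from a host with WinRM/RPC access to the targets; the first table answers "how many of them have you actually installed", and the local queue check catches the common case where the update downloaded but is still waiting on a reboot.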

Source: CrowdStrike