Every second Tuesday of the month, system administrators across the world develop a nervous tic. This June, that tic upgraded to a full-blown stress response.
Microsoft's June 2026 Patch Tuesday is officially the largest in the program's 23-year history, eclipsing every previous monthly release since the initiative launched in October 2003. Final count: 200 vulnerabilities patched across Windows, Exchange Server, NTFS, Hyper-V, BitLocker, Bluetooth drivers, Boot Manager, Copilot, and more. Among those, 33 are rated Critical — 28 of which are remote code execution flaws allowing attackers to run arbitrary code on unpatched systems. Add in 65 elevation-of-privilege vulnerabilities, 30 information disclosure bugs, and 27 spoofing flaws, and you have less a patch list and more a vulnerability taxonomy.
Six of the bugs are zero-days, with five publicly disclosed before patches were available. The one actively exploited in the wild is CVE-2026-42897: a spoofing vulnerability in Microsoft Exchange Server. Exchange being under active attack is, at this point, practically a quarterly tradition. The other zero-days include two BitLocker security feature bypass flaws — CVE-2026-45585 ("YellowKey") and CVE-2026-50507 ("Bitskrieg") — an HTTP.sys denial-of-service vulnerability triggered via HTTP/2 bomb, and an elevation-of-privilege bug in Windows Collaborative Translation Framework. Security researchers have clearly been having fun with codenames, which at least makes the patch notes more readable.
The scale matters beyond the usual "patch your stuff" message. Two hundred vulnerabilities in a single drop means most organizations will have to triage and prioritize rather than patching everything at once — and attackers know this. The Exchange zero-day being actively exploited suggests threat actors had a window while admins managed their patch queues. The 28 Critical RCE flaws represent a large blast radius for any organization running unpatched Windows infrastructure.
The sysadmin community deserves acknowledgment: every Patch Tuesday they absorb Microsoft's backlog of fixes and ship them against change management timelines, approval boards, and test environments. This month they absorbed two hundred at once. Go say something kind to your sysadmin — they earned it.
Source: Bleeping Computer