Microsoft's June 2026 security update addressed a record 206 vulnerabilities across its software ecosystem, marking one of the largest single-month patch releases in its history. The fixes include 39 critical-severity flaws, among them three zero-days actively exploited before the patch. Top vulnerabilities include CVE-2026-45657, a remote code execution flaw in the Windows Kernel with a CVSS score of 9.8, which could allow attackers to execute system-level code via malicious network traffic without authentication.

Other significant flaws include CVE-2026-44815, a buffer overflow in the Windows DHCP Client that enables remote code execution, and CVE-2026-45585, a BitLocker security bypass with a public proof-of-concept exploit called YellowKey. The update also resolves CVE-2026-49160, linked to the HTTP2/Bomb attack that can crash servers in seconds by exhausting memory, and CVE-2026-45586, suspected to patch a privilege escalation exploit known as GreenPlasma.

The surge in disclosed vulnerabilities is attributed to AI-assisted discovery tools, which are accelerating the rate at which security flaws are found. Experts note that the volume of CVEs in 2026 already exceeds Microsoft’s total for 2018. The update also resolves MiniPlasma, an incomplete fix from 2020, underscoring the long-term risks of partial patches. Organizations are urged to prioritize systems handling network services like DHCP and HTTP.