The Record Falls: The Largest Patch Tuesday in History, Four Weeks Before the Wave.

June 2026 Patch Tuesday arrived today as the largest monthly security release Microsoft has ever shipped. Depending on whose methodology you follow, the core count lands at roughly 200 CVEs, and the total reaches 571 when Chromium and third-party fixes are included. The release contains three CVSS 9.8 remote code execution flaws and a boot-integrity cluster spanning Secure Boot, UEFI, and BitLocker. Adobe more than doubled its May output with 123 CVEs, including two perfect CVSS 10.0 scores in a single bulletin. We updated our monthly analysis with verified June data alongside the full April and May record.

This is the third edition of the Brinqa Research Team monthly vulnerability landscape analysis. For new readers, the background: on April 7, Anthropic announced Project Glasswing and Claude Mythos Preview, a model capable of autonomously finding and chaining zero-day vulnerabilities at a scale and speed that previously required elite human researchers. Access was restricted to a closed coalition of roughly 50 organizations including Microsoft, Google, Apple, Cisco, CrowdStrike, and Palo Alto Networks, with a mandate to use it defensively. The April edition covered the initial patch surge. The May edition documented the new elevated floor and the first appearance of AI tooling as a patch category.

In May we wrote that two consecutive months above the old norm were starting to look like a new operating range. June removes the ambiguity. The release that landed today is not a return toward baseline. It is the largest Patch Tuesday on record by every counting methodology in use, it contains three separate unauthenticated remote code execution flaws at CVSS 9.8, and it arrives with the coordinated Mythos disclosure window now approximately four weeks out. The next Patch Tuesday, July 14, will land roughly a week after Anthropic’s 90-day Glasswing report is due.

Here is the verified monthly data and what it means for your exposure management program.

The Numbers: June Takes the Record Outright

Each month we pull vendor advisory data and cross-reference it against independent analysis from Tenable, Qualys, CrowdStrike, Rapid7, BleepingComputer, and the Zero Day Initiative. The counting methodologies vary across sources, and June is the month where that divergence matters most, so we note each count explicitly.

Microsoft: Every Methodology Confirms the Largest Release Ever

The core counts for June: Tenable confirms 198 CVEs (32 Critical, 166 Important). BleepingComputer counts 200, including 33 Critical flaws, 28 of them remote code execution. CyberScoop reports 206. ZDI’s Dustin Childs, who has counted Patch Tuesday CVEs since 2017, puts the number at 208 and notes Microsoft’s own tooling appeared to misfire, initially including a 2020-era CVE in the release. Whichever methodology you prefer, every one of them lands at or above the previous all-time high. And when Chromium and other third-party bugs are folded in, ZDI’s total for June reaches a staggering 571 CVEs.

The trendline through six months of 2026 now reads:

Core counts follow BleepingComputer’s day-of-release methodology for month-over-month consistency. Tenable, ZDI, and CyberScoop counts for June (198, 208, and 206 respectively) reflect differing inclusion rules for cloud-service and previously released CVEs.

The Q1 monthly baseline was 84 core CVEs. June lands at roughly 2.4 times that baseline. Three of the last three months now sit far above the pre-April norm, and the data has answered the question we posed in April about whether this was a shock or a new operating range. Childs also noted that Microsoft’s CVE output through just the first half of 2026 has already surpassed everything the company published across the entirety of 2018, and he raised the questions Microsoft has not yet answered: how many of these flaws were found with AI tools, how many patches were generated or tested with AI assistance, and what quality risks that introduces at this velocity.

The browser column deserves its own paragraph. In May we flagged that browser CVEs rose 60% even as core counts fell. In June, the Edge/Chromium stream hit 360 fixes, nearly triple May’s 128, pushed through by Google and mirrored by Microsoft outside the Patch Tuesday release. Total patching workload, core plus browser, was 247 in April, 248 in May, and roughly 560 in June. For remediation teams, the workload more than doubled in a single month.

One Exploited Flaw, Three Publicly Disclosed, and a Researcher Feud With a Deadline

One vulnerability in this cycle is under active exploitation: CVE-2026-41091, an elevation of privilege flaw in Microsoft Defender, originally patched out-of-band on May 19. ZDI’s read of the acknowledgments, which credit multiple independent parties, suggests exploitation is not isolated. The mitigating factor is that Defender updates itself for most deployments. The exposure concentrates in isolated and air-gapped environments where definition and platform updates require manual action. If you operate those environments, this is the first item on the list.

Three additional flaws were publicly known before today’s patches:

• CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) elevation of privilege. A link-following flaw that grants SYSTEM to a local authorized attacker. CVSS 7.8.
• CVE-2026-50507: Windows BitLocker security feature bypass. An attacker with physical or local access can circumvent full-disk encryption, the control many organizations treat as the last line of defense for lost or stolen devices.
• CVE-2026-49160: HTTP.sys denial of service affecting the HTTP/2 stack, rated Exploitation More Likely. ZDI notes the acknowledgments suggest this flaw may have been found using AI.

The BitLocker bug carries a storyline worth watching. ZDI links CVE-2026-50507 and CVE-2026-45585 to the ongoing public dispute between the researcher known as Nightmare Eclipse and MSRC. These appear to be the fixes for the “YellowKey” and “GreenPlasma” bypasses disclosed during that feud. (Tenable’s analysis associates CVE-2026-50507 with a bypass dubbed “Bitskrieg.” Sources differ on the naming, though not on the boot-path risk.) The researcher has publicly threatened a further exploit release on June 14, five days from now. Four BitLocker bypasses were patched today in total. Organizations with meaningful fleets of mobile or field devices should treat the boot-and-encryption cluster in this release as a single campaign rather than a set of low-priority physical-access bugs.

Three CVSS 9.8s: The Wormable Class

Beyond the disclosed flaws, three unauthenticated remote code execution vulnerabilities define the risk profile of this release:

CVE-2026-45657, Windows Kernel RCE (CVSS 9.8). A flaw in the kernel’s TCP/IP handling allowing remote, unauthenticated SYSTEM-level code execution with no user interaction. That combination makes it wormable. Microsoft rates it Exploitation Less Likely. ZDI’s assessment is that every research team and exploit broker is reversing the patch right now, and history sides with ZDI.

CVE-2026-47291, HTTP.sys RCE (CVSS 9.8). Distinct from the disclosed DoS, this is full remote code execution in the HTTP stack that underpins IIS and most Windows web services, rated Exploitation More Likely. There is an important nuance: systems using the default MaxRequestBytes registry value are not affected, and Microsoft’s bulletin includes a PowerShell script to verify and enforce the safe setting. Run that registry check today, then move the patch through your normal critical window.

CVE-2026-44815, DHCP Client Service RCE (CVSS 9.8). The advisory text and CVSS metrics disagree on whether authentication is required. ZDI’s guidance, which we endorse, is to err on the side of the CVSS and treat this as unauthenticated remote code execution against a service present on effectively every Windows endpoint.

Rounding out the high-severity picture: a 9.6 elevation of privilege in Windows TCP/IP, a 9.1 DHCP server tampering flaw, three Hyper-V guest-to-host escape RCEs, a Kerberos KDC code execution bug, eleven Remote Desktop Client RCEs, and ten security feature bypasses impacting Secure Boot. All ten carry scope change in their CVSS vectors, meaning successful exploitation undermines boot integrity guarantees beyond the vulnerable component itself. The bulk of the Secure Boot findings are credited to Alon Leviev, whose prior research in this space produced some of the most consequential boot-path attacks of the last several years. The UEFI-level flaws in that set go a layer deeper still. They require local admin or physical access but allow untrusted code to run before the OS ever loads. Add the Windows Boot Manager bypass with similar impact and June contains an unusually complete toolkit for pre-OS persistence, the rootkit scenario defenders spent a decade engineering out of the platform.

There is also a calming note in the data. CVE-2026-48567, a CVSS 10.0 elevation of privilege in Azure HorizonDB, was already remediated by Microsoft on the service side and is being documented for transparency. The same is true of several other cloud-service CVEs in the release. The highest score in the release requires zero customer action, and recognizing that kind of distinction is exactly what separates exposure management from CVE counting.

AI Tooling Is No Longer a Footnote: Agentic Infrastructure Is Now Attack Surface

In May we flagged the first appearance of AI tooling as a meaningful patch category. June confirms the category and expands it in a direction every security leader should register: the plumbing of agentic AI is now shipping vulnerabilities.

This month’s release includes a Critical remote code execution flaw in M365 Copilot (CVE-2026-45497), a Critical information disclosure in Copilot Chat for Edge, a security feature bypass in the Visual Studio Code Copilot Chat extension enabling authentication impersonation, and a GitHub Copilot/VS Code flaw that discloses a user’s work-account sign-in token, which is a meaningful credential exposure. The most notable of the group is CVE-2026-47281, a CVSS 9.6 elevation of privilege in Visual Studio Code that could allow attackers to gain the permissions of an MCP server’s managed identity.

That last one deserves attention. Model Context Protocol servers, the connective tissue that lets AI agents act on systems, files, and services, are now appearing in Patch Tuesday with identity-takeover-class vulnerabilities. Organizations are deploying agentic AI faster than they are inventorying it, and most vulnerability management programs still do not scope Copilot desktop clients, IDE extensions, AI SDKs, or MCP infrastructure at all. These patches are invisible to a program that does not know the assets exist. As enterprises wire agents into development pipelines and business workflows, the agent layer inherits the same discipline requirements as any other privileged infrastructure: inventory, prioritization, ownership, and validated closure.

What the Security Industry Is Saying

We track analyst and vendor commentary each month alongside the advisory data.

Zero Day Initiative, Dustin Childs (June 9, 2026): Childs confirmed this is by far the largest monthly release since he began counting in 2017, surpassing the previous record set last year. “It is extraordinary that Microsoft can produce so many patches in a single month,” he wrote, while raising concerns about AI’s role in both finding the flaws and producing the patches, the quality risks that follow, and whether sysadmins should restructure prioritization and deployment processes for this volume. Microsoft is not currently providing those answers.

Tenable, Satnam Narang, Senior Staff Research Engineer (June 9, 2026): Narang told CyberScoop that “Pandora’s proverbial box has been opened” and that as more advanced AI models become available, the industry should expect volumes to keep climbing across the board, on Patch Tuesday and beyond it. Tenable’s analysis confirmed 198 CVEs with 32 rated Critical, and flagged CVE-2026-42985 in Remote Desktop Client as the standout Exploitation More Likely assessment among the Critical RCEs.

CyberScoop (June 9, 2026): Matt Kapko’s analysis framed the release as confirmation that long-standing warnings about a flood of defect-riddled software have come true, noting that triple-digit CVE counts now account for half of Microsoft’s monthly releases this year, and that Microsoft designated 15 of this month’s flaws as more likely to be exploited.

The common thread is the same one we identified in April and May, now at higher amplitude. The industry can confirm the volume is structurally elevated and almost certainly AI-driven, but no vendor is yet providing defenders with a framework for operating at this velocity. Adding more scanners does not close the gap between finding more vulnerabilities and knowing which ones matter in your environment. Context closes it.

The Exploitation Picture Between the Releases

The four weeks between May 12 and today were not quiet. Microsoft shipped the actively exploited Defender flaw out-of-band on May 19 and a SharePoint Server RCE (CVE-2026-45659) on May 21. Active exploitation of CVE-2026-42897, a cross-site scripting flaw in Outlook Web Access, was reported and is automatically mitigated by the Exchange Emergency Mitigation Service. If you have disabled EEMS, that mitigation is not protecting you. Today’s release also ships a cluster of Exchange Server spoofing and information disclosure flaws, including an XSS path that runs code in an Exchange administrator’s web session. Given Exchange’s exploitation history, the OWA-adjacent items in this release deserve better than their Important severity labels suggest.

Beyond Microsoft: Google’s June Android bulletin fixed 124 flaws including one under active exploitation, and Google patched another exploited Chrome zero-day this month. Cisco customers are confronting a second SD-WAN zero-day under attack by a persistent threat group. Check Point patched a Remote Access VPN flaw that was exploited in Qilin ransomware operations. Acer warned of two maximum-severity, still-unpatched flaws in Wave 7 routers. The cross-vendor pattern from our first two editions holds. Edge devices, identity surfaces, and remote-access infrastructure remain where exploitation concentrates, regardless of where the CVE volume concentrates.

The structural data has not improved since we cited it in May. Qualys research found 88% of critical actively weaponized vulnerabilities were remediated slower than attackers exploited them, CrowdStrike’s fastest recorded breakout time stands at 27 seconds, and Google M-Trends puts average time-to-exploit for the most serious flaws at minus seven days. Every month of elevated volume widens the denominator those percentages apply to.

The NVD Enrichment Gap: Two Months In, Still Compounding

Since NIST’s April 15 announcement that the NVD can no longer enrich all CVEs, prioritizing only KEV-listed, federal, and EO 14028 critical software, the daily disclosure rate has continued running at approximately 175 CVEs per day. June makes the consequence concrete at the largest scale yet. Roughly 200 Microsoft core CVEs, 360 browser CVEs, and 123 Adobe CVEs entered the ecosystem today, and a meaningful share will reach scanner feeds without enriched severity metadata for organizations that still depend on NVD CVSS as their primary triage signal. Teams that have not yet replaced NVD as their primary severity source are now operating partially blind on the highest-volume releases in history. FIRST’s forecast of 50,000+ CVEs in 2026 looks increasingly conservative. Q1 alone ran 33% above Q1 2025.

The Mythos Countdown: Four Weeks Out, and July Is a Compound Event

The coordinated Glasswing disclosure wave has still not started. Anthropic’s 90-day summary report remains due in early July, and VulnCheck’s tracking continues to show only a single CVE publicly attributable to Glasswing, with Anthropic confirming over 99% of Mythos-found vulnerabilities remain undisclosed. Mozilla’s pre-release run of Mythos against Firefox 150, which surfaced 271 vulnerabilities in a single production codebase, remains the best public proxy for what is queued.

Two developments sharpen the picture this month. First, Anthropic released Claude Fable 5, a generally available model that reporting describes as sharing the underlying Mythos-class capability with additional safety measures. That release signals Mythos-class discovery capability beginning to diffuse beyond the original closed coalition, on the defensive side first and, eventually, beyond it. Second, the calendar: the 90-day report is due around July 6, and the next Patch Tuesday is July 14, historically one of the year’s largest releases as vendors clear the decks before Black Hat and DEF CON. If coordinated Glasswing disclosures begin moving in early July, they will land directly on top of an already-heavy scheduled release. July is shaping up to be a compound event, and the time to pressure-test intake, triage, and routing for it is the next four weeks.

Beyond Microsoft: Adobe More Than Doubles Its Output

Adobe shipped 11 bulletins addressing 123 unique CVEs in June, up from 52 in May, across Acrobat Reader, ColdFusion, Experience Manager, Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Campaign Classic.

The headline is Campaign Classic: a two-CVE bulletin in which both flaws carry a perfect CVSS 10.0 and a Priority 1 deployment rating. A single 10.0 is rare. Two in one bulletin is nearly unprecedented, and while Adobe reports no active attacks, exploit development against scores like that tends to start immediately. ColdFusion follows at Priority 1 with a CVSS 9.6, consistent with its long history as an actively targeted platform. Acrobat Reader received 20 fixes, relevant given malicious PDFs remain a standard ransomware delivery mechanism. The Experience Manager bulletin is the largest at 57 CVEs but consists mostly of XSS, so it carries a high count with lower urgency. That distinction matters every month: deployment priority should follow exploitability and exposure rather than CVE count or raw CVSS.

The Instinct to Add More Scanners Is Still Wrong, Especially This Month

Your scanners answer one question: what vulnerabilities exist in my environment? In a 571-CVE month, that question produces a mountain. The question your team actually needs answered is unchanged. Which of these represent real, exploitable risk to my business right now, with my compensating controls, against my most critical assets?

Consider what June actually demands of a remediation program. A CVSS 10.0 (Azure HorizonDB) that requires zero customer action. A CVSS 6.8 BitLocker bypass that may headline an exploit drop in five days. A 9.8 kernel flaw rated Exploitation Less Likely that every exploit broker on the planet is reversing tonight. A registry setting that neutralizes a 9.8 HTTP.sys RCE faster than any patch cycle can. Eighteen SharePoint spoofing CVEs that are routine XSS, sitting next to two Exchange flaws that constitute a real privilege escalation path. Severity scores alone get every one of those calls wrong. It takes environmental context to get them right.

Where Brinqa Fits in This Environment

Brinqa’s Cyber Risk Graph™ normalizes findings from across your scanner ecosystem, including Tenable, Qualys, Rapid7, CrowdStrike, Microsoft Defender, and 260+ other sources, and correlates them against asset context, business criticality, compensating controls, and real-world exploit intelligence. That correlation is what turns a record-setting CVE month into a prioritized, defensible work queue. It's also how a continuous threat exposure management program operates at scale: not by counting more, but by knowing what matters.

• AI-powered deduplication at ingestion. When June delivers roughly 560 Microsoft CVEs across core and browser streams and your scanners each report overlapping subsets, Brinqa’s AI Deduplication agent consolidates findings into unified exposure records with confidence scoring, so three tools flagging CVE-2026-45657 produces a single prioritized exposure instead of three tickets.
• Context-aware prioritization. The HTTP.sys RCE on an internet-facing IIS server with a non-default registry configuration is a drop-everything event. The same CVE on a host with the default MaxRequestBytes value is not. Brinqa’s AI layer weighs exploitability, reachability, and mitigating controls so your team works the first case first.
• Ownership inference. At June’s volume, findings without owners are findings without remediation. Brinqa’s inference capability analyzes patterns across exposure and asset data to identify likely owners for unassigned findings, closing the routing gap that manual triage cannot close at 571 CVEs per month.
• SmartFlow-driven remediation routing. Findings route automatically to the right teams with context, SLA enforcement, and escalation. That is the operational answer to a world where 88% of critical KEVs are remediated slower than they are exploited.
• Exploitation signal integration via BrinqaIQ. Your team works the flaws attackers are actually using, such as the Defender EoP, the OWA XSS, and the Cisco SD-WAN zero-day, rather than whichever CVE carries the most dramatic score.

Five Recommendations Before the July Window

1. Patch the wormable class as one emergency change.

The Windows Kernel TCP/IP, HTTP.sys, and DHCP Client RCEs belong in the same accelerated maintenance window. All three are unauthenticated, require no user interaction, score CVSS 9.8, and sit on near-universal Windows attack surface. Run the HTTP.sys MaxRequestBytes registry verification today as the interim control while patches move through testing.

2. Treat boot-path integrity as a campaign, not a category.

Ten Secure Boot and UEFI bypasses, a Windows Boot Manager flaw, and four BitLocker bypasses landed in one release, including the formally disclosed CVE-2026-50507 and the Nightmare Eclipse-linked CVE-2026-45585, with the researcher threatening a further drop on June 14. Physical-access vulnerabilities routinely get deprioritized in risk models built for remote exploitation. This month, group them, identify your highest-exposure device populations (laptops, field hardware, executive travel devices), and run them as a single coordinated effort.

3. Bring AI and agentic infrastructure into vulnerability management scope this quarter.

Copilot desktop clients, IDE AI extensions, AI SDKs, and now MCP servers are shipping Critical-rated and identity-takeover-class flaws. If your asset inventory cannot answer where you run MCP servers and what identities they hold, that is a discovery project to start this week, because patches for infrastructure you have not inventoried protect nothing.

4. Pressure-test your pipeline against a compound July.

The Glasswing 90-day report is due around July 6. Patch Tuesday follows on July 14, in the traditionally heavy pre-Black Hat slot. Assume those waves stack. If your intake, deduplication, triage, and routing could not absorb this June twice over in a two-week span, use the next four weeks to build the automation that closes that gap, before the wave arrives rather than after.

5. Measure exposure windows, not CVE counts.

June settles the argument. Raw counts no longer carry meaning when methodologies diverge by ten CVEs and totals swing from 248 to 560 month over month. The metric that maps to risk is your Average Window of Exposure, the time from a confirmed exploitable vulnerability entering your environment to its validated closure. If you cannot produce that number today, producing it is worth more than any individual patch in this release.

April set the record. May confirmed the floor. June broke the record outright and put exploit-grade flaws across the kernel, the boot path, the HTTP stack, and the agentic AI layer into a single release, with the Mythos disclosure window four weeks away and the next Patch Tuesday landing directly inside it. The next four weeks are the preparation window for July. The teams that use them will handle July as a heavy month. The teams that wait will handle it as an incident.

We will publish the July edition on the next Patch Tuesday.

If you’re working through what record CVE volume means for your program, speak with a Brinqa expert about where it stands today.

FAQs

References:

SOURCES AND REFERENCES (UPDATED JUNE 9, 2026)

1. Zero Day Initiative, The June 2026 Security Update Review, Dustin Childs, June 9, 2026. 208 Microsoft CVEs; 571 total including third-party; largest release since ZDI began counting in 2017. zerodayinitiative.com
2. Tenable, Microsoft’s June 2026 Patch Tuesday Addresses 198 CVEs, June 9, 2026. 32 Critical, 166 Important; CVE-2026-42985 Exploitation More Likely. tenable.com
3. BleepingComputer, Microsoft June 2026 Patch Tuesday Fixes 3 Zero-Days, 200 Flaws, June 9, 2026. 33 Critical; 360 Edge/Chromium fixes excluded from core count. bleepingcomputer.com
4. CyberScoop, Microsoft Breaks Patch Tuesday Record with 206 Vulnerabilities, Matt Kapko, June 9, 2026. Narang: “Pandora’s proverbial box has been opened.” cyberscoop.com
5. CyberSecurityNews, Microsoft Patch Tuesday June 2026, June 9, 2026. 54 RCE flaws; Remote Desktop Client and Hyper-V clusters. cybersecuritynews.com
6. Microsoft Security Response Center, June 2026 Security Update Guide Release Notes. msrc.microsoft.com
7. The Register, Microsoft 0-Day Feud Escalates as Researcher Threatens Another Windows Exploit Dump, May 28, 2026. Nightmare Eclipse June 14 disclosure threat. theregister.com
8. CyberScoop, Nightmare Eclipse Incident Shows Researcher-Vendor Fights May Never Fully Go Away, June 2026. cyberscoop.com
9. Help Net Security / Ivanti (Todd Schell), June 2026 Patch Tuesday Forecast, June 5, 2026. May out-of-band recap; CVE-2026-45659 SharePoint RCE; Mozilla weekly cadence. helpnetsecurity.com
10. CyberScoop, Anthropic’s New Model Is Mythos on a Leash, June 2026. Claude Fable 5 release. cyberscoop.com
11. CyberScoop, Cisco Customers Encounter Another SD-WAN Zero-Day Under Attack (CVE-2026-20245), June 2026. cyberscoop.com
12. Anthropic, Claude Mythos Preview / Project Glasswing, April 7, 2026. 90-day report due early July. red.anthropic.com
13. VulnCheck (Patrick Garrity) via The Register, Project Glasswing CVE Count Is Still Guesswork, April 15, 2026. theregister.com
14. Help Net Security / Ivanti, May 2026 Patch Tuesday Forecast, May 8, 2026. Mozilla found 271 vulnerabilities in Firefox 150 via Mythos. helpnetsecurity.com
15. NIST, NIST Updates NVD Operations to Address Record CVE Growth, April 15, 2026. nist.gov
16. Qualys, The Broken Physics of Remediation, March 2026. 88% of critical KEVs remediated slower than exploitation. blog.qualys.com
17. CrowdStrike 2026 Global Threat Report. AI attacks +89% YoY; 27-second fastest breakout. crowdstrike.com
18. Google M-Trends 2026. Average time-to-exploit for most serious vulnerabilities: minus seven days. cloud.google.com
19. FIRST CVE Forecast 2026; Jerry Gamblin, 2025 CVE Data Review. jerrygamblin.com
20. Adobe Product Security Incident Response Team, June 2026 Security Bulletins APSB26-56 through APSB26-66. 123 CVEs across 11 bulletins; Campaign Classic dual CVSS 10.0. helpx.adobe.com
21. Google, Android Security Bulletin June 2026. 124 flaws, one actively exploited. source.android.com
22. Obstracts / Microsoft, CVE-2026-42897 Outlook Web Access Active Exploitation and Exchange Emergency Mitigation Service, June 2026.