REDMOND, Wash. — For the security team that hasn’t finished digesting May’s 120-flaw update, June’s bill has arrived, and it is larger than anything Microsoft has ever sent before.
Microsoft released KB5094126 for Windows 11 and KB5094127 for Windows 10 on Tuesday, its June 2026 Patch Tuesday cycle — a cycle that patched 206 unique CVEs across Windows, Office, Exchange, Azure, Remote Desktop Client, and more than a dozen other product families. The number shatters the previous monthly record of 175, set last October, and it arrives alongside a candid warning from inside Microsoft itself: this is probably the new normal, and artificial intelligence is the reason why.
Three of the 206 flaws are publicly disclosed zero-days, none of them confirmed exploited in the wild at the time of release. The most immediately consequential are a Windows BitLocker bypass (CVE-2026-50507) that could grant attackers with physical access to a machine access to its encrypted drives, a privilege-escalation flaw in the Windows Collaborative Translation Framework known as GreenPlasma (CVE-2026-45586) that yields SYSTEM-level shell access, and an HTTP/2 denial-of-service technique dubbed the “HTTP/2 Bomb” (CVE-2026-49160) capable of crashing servers by forcing disproportionate memory allocation from minimal inbound data. All three were publicly disclosed before Tuesday’s patch, meaning attackers had a head start.
Two vulnerabilities in the update drew particular attention from researchers independent of the zero-day list. A remote code execution flaw in Windows HTTP.sys, CVE-2026-47291, carries a CVSS score of 9.8 and, as Amol Sarwate, head of security research at Cohesity, wrote in prepared comments, “allows unauthenticated attackers to remotely achieve full compromise without any user interaction, making it potentially wormable.” A sister flaw in the Windows DHCP Client service, CVE-2026-44815, carries the same severity score and the same wormable characteristic — the DHCP Client runs on virtually every Windows endpoint, giving its attack surface almost no ceiling.
The 33 critical vulnerabilities in this month’s release include multiple Remote Desktop Client flaws, several critical Hyper-V escapes, a Windows Kerberos KDC remote code execution, and a clutch of Microsoft Office flaws where specially crafted documents can trigger code execution without the user doing more than previewing a file. Researchers at Action1 flagged two Windows Graphics Component RCE bugs — CVE-2026-44812 and CVE-2026-44803 — as capable of delivering full system compromise through a single preview action. SharePoint, meanwhile, attracted 16 separate entries in June’s bulletin, most of them spoofing vulnerabilities that could facilitate credential theft or session hijacking in enterprise collaboration environments.
Three of the zero-days are the work of a researcher who goes by Nightmare Eclipse, a figure whose relationship with Microsoft has deteriorated publicly over its bug bounty and vulnerability disclosure practices. GreenPlasma and the BitLocker bypass (YellowKey) both trace back to their disclosures. A third flaw from the same researcher, MiniPlasma, was patched by Microsoft in May, as previously reported by Eastern Herald. Nightmare Eclipse has also released BlueHammer, RedSun, and UnDefend, several of which remain without fixes.
What makes the June release structurally different from prior months is not just its size but what is being said about its causes. Tom Gallagher, Microsoft’s vice president of engineering, warned last month that releases of this scale could become routine, citing AI tools that enable vulnerability discovery at a pace previously impossible for human researchers alone. The warning appears to be coming true faster than anticipated. June’s 206 CVEs represent a 71 percent increase over May’s 120, and nearly double the 100-plus-per-month floor that Satnam Narang, senior staff research engineer at Tenable, told Dark Reading would become permanent. He noted that the same AI models accelerating discovery on the defensive side are lowering the barrier to weaponization on the offensive side.
That two-sided pressure — more bugs found, faster exploitation once they surface — is where the true operational risk lives, not in any single CVE. Tyler Reguly, associate director of security R&D at Fortra, urged organizations not to be paralyzed by the volume. Of the roughly 2,000 CVEs patched in Patch Tuesday releases since 2023, an average of 30 per year made CISA’s Known Exploited Vulnerabilities catalog. He added that the mean time to working exploit for known vulnerabilities, once published, averages 21.5 hours. The clock is now running.
Buried inside the same update — and unlikely to appear in most security bulletins — is a feature Microsoft described in its changelog only as “[General Performance] This update accelerates app launch and core shell experiences such as Start menu, Search, and Action Center.” That understated line refers to the Low Latency Profile, a CPU scheduler change that immediately spikes processor frequency to maximum when a user opens the Start menu, Search, or Action Center, completes the rendering burst in one to three seconds, then drops back to idle. The mechanism, sometimes called “race to sleep,” is standard practice on Apple devices; Microsoft is using KB5094126 to deliver it broadly to Windows 11 users on builds 26200.8655 and 26100.8655. The feature’s impact is most visible on budget and mid-range hardware. Microsoft VP Scott Hanselman defended the approach against critics who called it a brute-force fix, noting that Apple’s scheduler has operated on the same principle for years.
The Low Latency Profile is gated behind Microsoft’s Controlled Feature Rollout system, meaning it may not activate immediately after installing KB5094126. Users who want to confirm or force-enable it can use the open-source ViVeTool utility with feature ID 58989092 from an elevated command prompt. The security update itself — the 206 flaws, the three zero-days — requires no such workaround and is available through Windows Update, WSUS, and the Microsoft Update Catalog.
The broader context is one security teams cannot ignore. Google patched 124 Android flaws and one actively exploited zero-day in its own June bulletin. Cisco released fixes for a critical Unified CM vulnerability with published exploit code and an SD-WAN zero-day under active attack. Veeam addressed a critical Backup & Replication flaw enabling remote code execution on domain-joined servers. May’s Microsoft cycle had already set a then-record pace, and June exceeded it by 72 percent. Justin Fier, senior vice president at Darktrace, framed the lesson plainly: organizations need to assume some vulnerabilities will be exploited faster than they can be patched. “Patching will still be essential, but it will not be enough on its own.”
What June’s release does not contain is also worth noting. Multiple Nightmare Eclipse vulnerabilities remain unpatched, including BlueHammer and RedSun. The researchers who disclosed the HTTP/2 Bomb received credit in Microsoft’s advisory — a reminder that the supply of discovered, unpatched flaws at any given moment is always larger than what any single Patch Tuesday can close. Organizations that completed last month’s emergency Defender patching are now being asked to absorb a second major cycle within weeks, while simultaneously managing the Chrome V8 zero-day patched Tuesday, Cisco SD-WAN active exploitation, and the continued exposure from Exchange flaws that circulated in May.
Two hundred and six CVEs. Three zero-days. One wormable DHCP flaw rated 9.8. And an AI-driven pace of discovery that, by Microsoft’s own admission, shows no sign of slowing. What June’s Patch Tuesday record actually measures is the width of the gap between how fast vulnerabilities can now be found and how fast the organizations that run the world’s computers can close them.