Unprecedented Patch Tuesday Update from Microsoft: A Record-Breaking 208 CVEs and a Wormable Flaw
Microsoft has released what cybersecurity experts are calling the most comprehensive Patch Tuesday update in the program’s 23-year history. This update, released on June 9, 2026, provides fixes for a record-breaking 208 vulnerabilities across a wide range of platforms including Windows, Office, Azure, Exchange Server, Hyper-V, Secure Boot, BitLocker, Defender, and GitHub Copilot. When Chromium and third-party components are included, the total CVE count for the month skyrockets to an astonishing 571.
The most alarming flaw in this cycle is CVE-2026-45657, a CVSS 9.8 use-after-free vulnerability deep within the Windows Kernel TCP/IP stack. Security researchers at Trend Micro’s Zero Day Initiative (ZDI) have described this flaw as “wormable,” indicating that it has the potential to self-propagate across unpatched networks without any user interaction. This echoes the destructive spread of the 2017 WannaCry attack. An unauthenticated remote attacker could achieve full SYSTEM-level code execution simply by sending crafted network packets.
Furthermore, one vulnerability has been confirmed to be under active exploitation: CVE-2026-41091, a Microsoft Defender Elevation of Privilege flaw (CVSS 7.8) that has been linked to phishing campaigns by the Lazarus Group. Three other zero-days were publicly disclosed before patches were released, including a BitLocker bypass (CVE-2026-50507) that has been linked to the controversial researcher known as “Nightmare Eclipse,” who has threatened to release a new exploit on June 14.
Security experts are now questioning whether AI-assisted vulnerability discovery is driving this unprecedented surge in CVE volume. They warn that AI tools may also be shortening the time it takes for attackers to develop working exploits from freshly published patches. Immediate patching is strongly urged.
Source: The Record – Microsoft ships largest Patch Tuesday on record
