Microsoft Closes June with 200 Fixes and Three Zero-Days, Including BitLocker Bypass and RCE in Windows Kernel

Microsoft published its largest security fix batch of the year so far on Tuesday (June 9), closing 200 vulnerabilities in a single Patch Tuesday, three of which were zero-days publicly disclosed before the official disclosure. This number breaks Redmond's moving average and puts immediate pressure on corporate patching teams already operating at their limits after the May cycle (120 CVEs) and April (134 CVEs).

The most severe flaw in the batch is CVE-2026-45657, a use-after-free vulnerability in the Windows kernel with a CVSS of 9.8, classified as Critical and remotely exploitable without authentication and user interaction. The condition is triggered by malicious network packets that cause failures in TCP/IP data processing, allowing code execution at the system level. Microsoft rates the likelihood of exploitation as "less likely," but the profile of the bug, which operates over an unauthenticated network for SYSTEM, is exactly what ruins a blue team's weekend. The patches are released in KB5094126 (Windows 11 24H2 and 25H2), KB5093998 (Windows 11 23H2), KB5094125 (Windows Server 2025), and KB5094128 (Windows Server 2022).

The Three Zero-Days

CVE-2026-50507 is a security bypass in BitLocker that allows an attacker with physical access to the device to access encrypted data. The vector requires physical possession of the hardware, limiting the risk landscape to lost corporate laptops, devices confiscated at borders, and decommissioned machines without proper wipes. For global fleets of consultancies and banks with employees traveling internationally, this is precisely the type of risk that enters travel compliance considerations for sensitive territories.

CVE-2026-45586 affects the Windows Collaborative Translation Framework and opens a privilege escalation to SYSTEM. Meanwhile, CVE-2026-41091, in Microsoft Defender, has been confirmed to be under active exploitation prior to the official disclosure. The vulnerability, dubbed RedSun by researchers, is a link-following flaw in the Microsoft Malware Protection Engine 1.1.26030.3008 and earlier versions, with a CVSS of 7.8. Microsoft had already rolled out engine version 1.1.26040.8 to address the issue in the Defender’s continuous update channel, and CISA had mandated patching by June 3 for the FCEB. The consolidated patch in this Tuesday's batch closes the formal window for customers who maintain manual control of the engine.

The Count of 33 Criticals

Out of the 200 fixes, 33 are classified as Critical by Microsoft. Within this subgroup, 28 are remote code executions, four are privilege escalations, and one is information disclosure. The concentration on RCEs renders a more concerning reading for CISOs: Microsoft is closing a high number of doors that, if exploited, would dispense with phishing or lateral movement.

The reading by region varies. In the United States, CISA's Binding Operational Directive 22-01 requires federal agencies to remediate everything that enters the KEV list within fixed deadlines, and CVE-2026-41091 in Defender was already on that list. Federal teams apply the consolidated batch alongside the regular schedule. In Europe, under the NIS2, which has been in effect since the second half of 2024, operators of essential services must respond within 24 hours to incidents related to unpatched vulnerabilities within a reasonable timeframe, a metric that German and French courts are still calibrating on a case-by-case basis. In Japan, METI updated its cybersecurity guidelines for listed companies in February, explicitly citing Windows kernel CVEs as a test scenario for incident response.

The change in practice now is not the application of the patch itself. What changes is the window of time between disclosure and mass exploitation. For CVE-2026-45657, with its network vector and potential wormable profile, the historical window for analogous vulnerabilities (PrintNightmare in 2021, SMBGhost in 2020) has ranged from 48 hours to two weeks before the first functional public PoC. Patching teams still operating on a 30-day cycle for Windows servers are writing the check for the next incident without knowing it. What Microsoft delivered this Tuesday is not just a package: it is a thermometer of how far behind vulnerability management maturity remains compared to the speed of exploitation.