Microsoft's Patch Tuesday Sets Record, Fixing 200 CVEs and Exposing Defender Zero-Day in Use

On June 10, Microsoft released the largest Patch Tuesday since the program's inception in 2003. A total of 200 vulnerabilities were addressed in a single batch, including 33 classified as critical, 28 of which are remote code execution (RCE) vulnerabilities. The release also included six publicly disclosed zero-days, one of which has confirmed active exploitation.

The exploited vulnerability is CVE-2026-41091, a privilege escalation flaw in Microsoft Defender with a CVSS score of 7.8. The bug allows an attacker with local access to execute code at the SYSTEM level via a file link manipulation within the Malware Protection Engine, according to Microsoft's bulletin. The company automatically updates the component, but CISA has added this CVE to the Known Exploited Vulnerabilities catalog and required U.S. federal agencies to implement version 1.1.26040.8 of the engine by June 3, a deadline that has already passed.

The Critical RCE Stack

Two vulnerabilities dominated the risk assessment outside of Defender. CVE-2026-45657, in the kernel of Windows 11 and Windows Server, is a remote code execution vulnerability with a CVSS of 9.8 that can be exploited without authentication through a TCP/IP handling flaw, according to Microsoft's notice. There is no user interaction involved. CVE-2026-44815, in the DHCP Client service, has the same CVSS of 9.8 and affects Windows clients on the network. SOC operators are likely to prioritize these two: both have the bug profile that quickly facilitates lateral movement in corporate environments.

The Zero Day Initiative from Trend Micro described the release as the new normal. "More than 200 CVEs patched in a single Tuesday is the type of event that drains capacity from response teams," wrote Dustin Childs in the ZDI blog published on June 9. Childs also noted that 32 of the critical vulnerabilities are focused on RCE, which alters the risk matrix in Active Directory and VPN environments still reliant on Windows Server.

Public Zero-Days and RoguePlanet Alongside the Patch

In addition to CVE-2026-41091, Microsoft flagged five publicly disclosed zero-days without any observed exploitation so far. The list includes CVE-2026-45586, a privilege escalation in the Windows Collaborative Translation Framework that grants SYSTEM access to the attacker, and CVE-2026-49160, referred to by researchers as HTTP/2 Bomb, a denial-of-service vector in the HTTP/2 stack of Windows and IIS. CVE-2026-50507, in BitLocker, requires physical access to the device, a relevant mitigator for corporate fleets but critical concerning losses and thefts.

On the same day, June 10, that the patch package was released, a researcher known as Nightmare Eclipse published a proof-of-concept called RoguePlanet for a race condition in Windows Defender that opens a shell running as SYSTEM. This PoC is not covered by the June fixes, according to a notice from Help Net Security. Detection teams need to treat this announcement as an immediate expansion of the exploitation surface, especially in environments with unpatched endpoints.

Where the Cost Falls

The size of the release weighs more than any individual CVE. In January, Microsoft had patched 112 CVEs in the first Patch Tuesday of the year, according to Computer Weekly. June nearly doubled that volume and broke the previous program record that had been in place since 2003. For SOC teams in regulated environments, especially banks and European insurers with aggressive critical patch SLAs, the out-of-calendar maintenance window has become inevitable.

In the United States, the Binding Operational Directive 22-01 requires federal agencies to implement CVE patches from the KEV catalog within short timeframes. In the UK, the NCSC advises critical infrastructure operators to treat Windows zero-days as a top priority when active use is confirmed. In intensive offshoring markets like India and Poland, the Acceleration Centers and shared services hubs of the Big 4 and tier-1 banks tend to extend the maintenance window to Latin America, including Brazil, within 72 hours, which tightens timelines for local banks and BPO contractors.

The peculiarity of this round is the simultaneous announcement of RoguePlanet. A fixed CVE and a public PoC on the same day transform the patch cycle into a binary calculation: install before the next round of ransomware integrates the exploit. For European teams still managing the aftermath of the Qilin incident against Check Point’s VPN, disclosed on June 8 and linked to CVE-2026-50751, tranquility in the next 48 hours appears unlikely.