Microsoft's Largest Patch Tuesday
Microsoft released fixes for more than 200 security flaws on Tuesday, marking the largest Patch Tuesday in the program's history. The release included 206 of Microsoft's own CVEs, with Trend Micro's Zero Day Initiative (ZDI) counting 208 CVEs and Tenable counting 198.
The large number of vulnerabilities is attributed to the increasing use of artificial intelligence in vulnerability discovery. Tom Gallagher, vice president of engineering at Microsoft's Security Response Center, acknowledged that AI tools are driving a surge in vulnerability discovery across the industry.
Vulnerability Discovery
Microsoft disclosed an internal system, codenamed MDASH, that has independently found 16 vulnerabilities before any human researcher flagged them. ZDI noted that one of the publicly disclosed flaws appeared to have been found the same way.
The surge in vulnerability discovery echoes a warning issued by Britain's National Cyber Security Centre, which cautioned that organizations should prepare for a wave of urgent updates driven by AI-assisted discovery. ZDI noted that the number of CVEs Microsoft has shipped so far in 2026 already exceeded the total for all of 2018.
Notable Vulnerabilities
One of the most alarming flaws is tracked as CVE-2026-45657, rated 9.8 out of 10 in terms of severity. The bug sits deep in the Windows core and would let a remote attacker take full control of a machine with no action from the user. ZDI described it as 'wormable,' meaning an attack could jump from one computer to the next across a network on its own.
Microsoft itself rated the flaw 'less likely' to be exploited, but ZDI said that offered little reassurance. Researchers and exploit developers were already pulling the patch apart to reconstruct the underlying flaw, ZDI said, urging organizations to install the fix without delay.
Actively Exploited Flaws
One flaw that has been exploited in the wild is tracked as CVE-2026-41091 and rated 7.8 out of 10. The issue affects Microsoft Defender, the antivirus built into Windows. The elevation-of-privilege bug would hand an attacker who already has a foothold on a system the keys to the entire machine.
Microsoft said an attacker could trick Defender into writing a malicious file to a protected location, granting them the highest level of control over the system. The U.S. Cybersecurity and Infrastructure Security Agency had added the bug to its catalog of actively exploited flaws on May 20.
Zero-Day Flaws
Three zero-day flaws were also disclosed, including a BitLocker bypass tracked as CVE-2026-50507. The issue means that the feature — intended to encrypt the contents of a Windows laptop so a thief who steals it can't read the drive — can be bypassed.
Both of those CVEs are tied to a researcher who goes by the name Nightmare Eclipse and has been locked in a months-long standoff with Microsoft. The pseudonymous researcher began posting working exploit code for unpatched Windows flaws to GitHub in April, citing grievances that Microsoft had deleted their bug-reporting account, withheld bounty payments, and stripped their name from at least one advisory.
Microsoft initially condemned the releases as 'never justifiable' and said its Digital Crimes Unit would keep pursuing those who enable cybercrime, before walking back the apparent threat after a backlash from the security community. Nightmare Eclipse has said more is coming, threatening a fresh release of Windows exploit code on July 14 — the date of the next Patch Tuesday.
Source: The Record