Microsoft’s Biggest-Ever Patch Tuesday: 200 Flaws, 6 Zero-Days, and a Fresh Exploit Dropped Hours Later

Microsoft released its June 2026 Patch Tuesday yesterday — and it broke records. 200 vulnerabilities patched. 33 rated critical. 6 zero-days fixed. It is the largest single security update Microsoft has ever shipped.

Then, hours later, a security researcher dropped a brand new exploit — affecting fully patched Windows 10 and Windows 11 machines. The update that was supposed to close the door immediately had a new one opened beside it.

Here’s what happened, why it matters, and what Windows users need to do right now.

What Yesterday’s Patch Fixed

The June update addressed vulnerabilities across Windows, Office, Azure, and Defender. Of the 33 critical flaws, 28 were remote code execution vulnerabilities — meaning an attacker could potentially run malicious code on a target machine without physical access.

Six zero-days were fixed in total. The one actively exploited in the wild was CVE-2026-49160 — an HTTP/2 denial-of-service flaw dubbed the “HTTP/2 Bomb.” The HTTP/2 Bomb attack abuses how the HTTP/2 protocol compresses and manages web traffic headers, letting attackers send tiny amounts of data that force servers to allocate disproportionately large amounts of memory — effectively crashing them. Microsoft notes the flaw was actually discovered and reported by OpenAI’s Codex, making it one of the first publicly confirmed cases of an AI model finding and reporting a real-world vulnerability in production software.

Also patched were two flaws disclosed by a researcher known as Nightmare Eclipse: GreenPlasma (CVE-2026-45586), a privilege escalation flaw in the Windows Collaborative Translation Framework, and YellowKey. Both had been publicly disclosed by the researcher in recent months as part of an escalating dispute with Microsoft over its bug bounty programme.

Then the Researcher Dropped Another One

Within hours of the Patch Tuesday release, Nightmare Eclipse published a proof-of-concept for a seventh exploit: RoguePlanet.

It targets Microsoft Defender and affects fully patched Windows 10 and Windows 11 systems — including machines that had just installed yesterday’s update. The exploit abuses a race condition in Windows Defender’s internal processing logic. An unprivileged user can redirect a file operation performed by Defender — which runs as SYSTEM — to execute attacker-controlled code at the highest privilege level.

Multiple independent security firms, including ThreatLocker, have confirmed the proof-of-concept works. Nightmare Eclipse has now publicly disclosed seven Windows zero-days: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and RoguePlanet — and Microsoft has only patched two of them.

Why This Is Happening

The researcher says this is retaliation. Microsoft, according to Nightmare Eclipse, mishandled the vulnerability disclosure process — delaying patches, pulling the researcher’s GitHub repositories, and failing to properly credit or compensate the discoveries through its bug bounty programme.

Microsoft has cast the releases as irresponsible. Many security watchers see a vendor credibility problem wrapped around a disclosure crisis. Either way, Windows users and administrators are now stuck managing the blast radius of a dispute they did not create.

This is a broader problem than one angry researcher. Analysts partly attribute the record number of vulnerabilities this month to AI-assisted code auditing, which is finding vulnerabilities faster than ever before. AI tools are accelerating both the discovery of flaws and — in the wrong hands — their weaponisation. The gap between discovery and patch is shrinking. The gap between patch and next exploit is shrinking faster.

What You Need to Do Right Now

If you run Windows — at home or at work — there are three immediate steps to take.

• Install yesterday’s Patch Tuesday update immediately. It fixes 33 critical vulnerabilities, including the actively exploited HTTP/2 Bomb. Go to Settings → Windows Update and check for updates now.
• Be aware that RoguePlanet is currently unpatched. It requires local access — an attacker needs to already be on your machine to exploit it. It is not a remote attack. Limiting who has physical or remote access to your devices reduces your exposure significantly.
• Watch for a follow-up patch. Microsoft is aware of RoguePlanet. An out-of-band patch — a fix released outside the regular Patch Tuesday cycle — is likely within days.

For businesses running enterprise fleets, patch management tools like WSUS and Microsoft Intune can prioritise and deploy the critical fixes automatically. For a broader look at how to protect yourself against evolving cyber threats, see our guide on how to protect yourself from AI-powered cyber threats.

The Bottom Line

Yesterday’s Patch Tuesday was the largest in Microsoft’s history — and it was followed within hours by a new unpatched exploit. That’s not a coincidence. It’s a symptom of a vulnerability disclosure system under real strain, accelerated by AI-powered security research on both sides.

Patch what you can. Stay informed. And watch for RoguePlanet’s fix — it’s coming.

Read more tech related articles here.