Microsoft's June Patch Tuesday: 206 CVEs + 3 public zero-day exploits
Microsoft shipped a record: nearly 206 fixes in June 2026, including a publicly disclosed BitLocker bypass, a SYSTEM privilege escalation, and a DoS bug credited to OpenAI's Codex.
Microsoft’s June 2026 Patch Tuesday is the largest on record — 206 CVEs, 38 of them rated critical, according to The Register. Zero Day Initiative’s Dustin Childs calls it the biggest monthly release since he started tracking in 2017.
Three of the bugs were publicly disclosed before the fix landed, and Krebs reports exploit code is already circulating for at least three weaknesses. The headliners:
- YellowKey (CVE-2026-50507) — a BitLocker bypass via the Windows Recovery Environment. It needs physical access, but it defeats full-disk encryption on Windows 11 and Server 2022/2025.
- GreenPlasma (CVE-2026-45586) — a local privilege-escalation in the Collaborative Translation Framework (CTFMON) that hands an attacker a SYSTEM shell on a fully-patched box.
- CVE-2026-49160 — a denial-of-service in HTTP.sys/IIS that Microsoft credits to OpenAI’s Codex agent (the “HTTP/2 Bomb” that did the rounds earlier this month).
The AI-finds-bugs theme keeps growing. Microsoft says its own agentic bug-hunter found 16 of May’s 137 CVEs, and MSRC’s Tom Gallagher warns “we expect releases to continue trending larger for some time.” Krebs adds that a researcher going by “Nightmare Eclipse” claimed the GreenPlasma and YellowKey exploits and has promised more on July 14.
Make sure your systems are patched.