10 June 2026·6 min read·By Beatrice Novak

AI is making Patch Tuesday (kinda) fun again

Microsoft set a record with June Patch Tuesday, addressing 206 CVEs. Three are publicly known but none exploited in the wild. AI's role in discovery remains unclear.


Patch Tuesday is suddenly interesting again. That's both exhilarating and terrifying for the people who actually have to deal with it. Microsoft shattered its own record in June, shipping fixes for 206 Common Vulnerabilities and Exposures across its product line. Thirty-eight of those bugs are rated critical, with the rest marked important. Three vulnerabilities were publicly known before the patch drop, but none have been exploited in the wild as of this writing.

It's unprecedented. Tom Gallagher, VP of engineering at the Microsoft Security Response Center, warned after May's event that "we expect releases to continue trending larger for some time." June proved him right, surpassing May in both total volume and critical bug count. Dustin Childs, bug hunter in chief at Zero Day Initiative, put it bluntly: "I've been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time."

The AI Question Nobody Is Answering

The contrast is stark. Last month, Microsoft revealed its agentic bug hunting system found 16 of 137 vulnerabilities, but June's release offers no word on AI assistance at all. The assumption is hard to ignore. Childs posed the questions every admin is thinking: "How many patches were generated using AI to assist in coding or testing, what quality issues may exist in these patches, and likely most importantly, is this the new normal?"

May and April saw mega releases too, which suggests a pattern. Childs posed a critical question: "Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates?" He added that unfortunately, Microsoft isn't providing those answers right now. He also noted a staggering comparison: the number of CVEs Microsoft has shipped this year already exceeds the total number it shipped in all of 2018.

While it's fun to speculate whether Redmond will top 300 next month, the reality is grim for vulnerability management teams drowning in what might be called the AI-induced vulnpocalypse.

Three Bugs Already Public

Three of June's vulnerabilities were already known before Patch Tuesday. CVE-2026-49160 is an HTTP.sys denial of service vulnerability discovered by California researcher Quang Luong, who used OpenAI's Codex agent to find it, and it's a nasty one. He named it "HTTP/2 Bomb" and described how it exploits the HTTP/2 header compression algorithm by sending thousands of tiny messages to the server, forcing rapid memory allocation and eventually a crash. Microsoft fixed it by introducing a new MaxHeadersCount registry setting that limits headers in HTTP/2 and HTTP/3 requests.

CVE-2026-50507 is a security feature bypass bug in Windows BitLocker. It's listed as "exploitation more likely." An attacker with physical access can bypass BitLocker Device Encryption and access encrypted data, so this appears to patch one of the zero days dropped in the ongoing conflict between Microsoft and a disgruntled bug hunter known as Nightmare Eclipse. That bug is likely the YellowKey vulnerability disclosed in May. Nightmare has published details and proof of concept exploit code for six zero days. But they've also promised a "bone shattering" release on June 14.


CVE-2026-45586 is a Windows Collaborative Translation Framework elevation of privilege vulnerability, and it's critical. An authorized attacker can abuse it to gain SYSTEM access locally, from which they could deploy malware, steal data, and move laterally across your network without any warning signs. Patch this one sooner rather than later.

Two Critical 9.8 Bugs Worth Your Attention

Among the 38 critical flaws, two stand out with a CVSS score of 9.8. CVE-2026-45657 is a Windows kernel remote code execution bug that allows unauthenticated attackers to run code with system level privileges without any user interaction. It stems from an error in how the kernel processes TCP/IP data, exploitable by sending malicious network packets to a vulnerable Windows system. Microsoft lists it as "exploitation less likely," but Childs offered a reality check: "Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit. Test and deploy this patch quickly."

HTTP.sys RCE Poses Severe Business Risk

CVE-2026-47291 scores a critical 9.8. It's another HTTP.sys RCE vulnerability that can be triggered with zero user interaction, and Microsoft says it's "more likely" to be exploited. Alex Vovk, CEO and co founder of patch management vendor Action1, described the risk: "This vulnerability creates severe business risk because HTTP.sys is used by Windows services that process HTTP traffic. A successful attack could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement across the environment. Internet facing systems are especially exposed." So don't ignore this one.

Here's some good news. Systems using the Windows HTTP stack's default MaxRequestBytes registry value aren't affected, and Microsoft provides detailed registry editing instructions that can buy admins time while deploying the patch.
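A host-side check for the two HTTP.sys registry values this article names, as an added example rather than Microsoft's own guidance or script. It assumes 16384 bytes is the default MaxRequestBytes and that MaxHeadersCount sits under the same `HTTP\Parameters` key; the article states neither the key path nor that setting's type or default.

```powershell
# Added example. Assumptions (not from the article): 16384 is the default
# MaxRequestBytes, and MaxHeadersCount lives under the same Parameters key.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$DefaultMaxRequestBytes = 16384

function Get-HttpSysValue {
    param([Parameter(Mandatory)][string]$Name)
    # A missing key or value yields $null: HTTP.sys then uses its built-in default.
    $item = Get-ItemProperty -Path $HttpParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-HttpSysPatchTriage {
    $maxRequestBytes = Get-HttpSysValue -Name 'MaxRequestBytes'
    $maxHeadersCount = Get-HttpSysValue -Name 'MaxHeadersCount'

    # Any explicitly configured value other than the default counts as an override.
    $overridden = ($null -ne $maxRequestBytes) -and
                  ($maxRequestBytes -ne $DefaultMaxRequestBytes)

    if ($overridden) {
        $priority = 'MaxRequestBytes overridden: treat CVE-2026-47291 as urgent'
    } else {
        $priority = 'MaxRequestBytes is default: lower urgency for CVE-2026-47291'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MaxRequestBytes    = $maxRequestBytes   # $null means not set (default applies)
        MaxRequestOverride = $overridden
        MaxHeadersCount    = $maxHeadersCount   # $null means the value is not set
        Priority           = $priority
    }
}

# Emit one triage record for this host.
Get-HttpSysPatchTriage | Format-List
```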

  • June Patch Tuesday set a record with 206 CVEs addressed
  • 38 critical vulnerabilities included in the release
  • Three bugs were publicly known before the patch
  • Two critical RCE flaws scored 9.8 on the CVSS scale
  • No word from Microsoft on how many were found via AI tools

So there's no going back to that simpler time. The new normal is bigger, faster, and more relentless, and it's clear the days of quiet monthly updates are over for anyone managing vulnerabilities or system patches. Admins and vulnerability managers should prepare for this volume to continue. They can only hope the quality of AI-generated patches holds up under pressure.

Frequently Asked Questions

What record did Microsoft set in June Patch Tuesday?

Microsoft shattered its own record by shipping fixes for 206 Common Vulnerabilities and Exposures across its product line, with thirty-eight of those bugs rated critical and the rest marked important. Three vulnerabilities were publicly known before the patch drop.

Why is there concern about AI's role in Patch Tuesday patches?

Microsoft revealed last month that its agentic bug hunting system found 16 of 137 vulnerabilities, but June's release offers no word on AI assistance. Dustin Childs questioned how many patches were generated using AI, what quality issues may exist, and whether this high volume is the new normal.

Which two critical vulnerabilities scored 9.8 on the CVSS scale?

CVE-2026-45657 is a Windows kernel remote code execution bug that allows unauthenticated attackers to run code with system level privileges without user interaction. CVE-2026-47291 is an HTTP.sys RCE vulnerability that can be triggered with zero user interaction and is considered more likely to be exploited.

How should sysadmins prioritize patching for the June Patch Tuesday release?

Dustin Childs advised that researchers are likely reversing the Windows kernel RCE patch to create an exploit, so test and deploy that patch quickly. Alex Vovk highlighted that the HTTP.sys RCE vulnerability creates severe business risk, especially for internet-facing systems, so it should not be ignored.

Who discovered one of the publicly known vulnerabilities, and how?

CVE-2026-49160, an HTTP.sys denial of service vulnerability, was discovered by California researcher Quang Luong, who used OpenAI's Codex agent to find it. He named it 'HTTP/2 Bomb' and described how it exploits the HTTP/2 header compression algorithm to crash the server.

Written by Beatrice Novak, Business and Technology Editor

Beatrice Novak covers the business of technology, from enterprise software and cloud platforms to the strategy behind the biggest deals. She follows how companies adopt new tools and what it means for the wider economy.
